What should I do if I get a fake "windows Automatic Update"?
This sample is from Meng Jian. It is named readme.chm, 27.9K in size, MD5 value: F6beb1123cf5f51fc 31696c92762.

After readme.chm runs, it calls the system program C:\windows\system32\mshta.exe (Figure 1) and then completes the following operations:

1. It releases exe.exe and tmp.bat in the directory C:\Windows\Downloaded Program Files\. exe.exe and tmp.bat delete themselves immediately after running.
2. It releases wuauclt 1.dll in the C:\windows\system32\ directory (normally there is no such file as wuauclt 1.dll in the system32 directory).
3. wuauclt 1.dll is inserted into the svchost.exe process to run. The svchost.exe it is inserted into is the one with the smallest PID number; the inserted svchost.exe accesses 2 10.66.36.6 1 (Taiwan Province, China) through port 80.

If you look at the directory C:\Windows\Downloaded Program Files, you can find an exception (Figure 2). Looking at setupapi.log in the Windows directory, you can see the following contents:

    [2008/06/291:05: 53 3220.1]
    #-198 Command line: "C:\Windows\system. Ms "docume~1\baohelin\locales~1\temp\rar$di00.234 temporary Internet file\content.ie5\zabmzh74\exe[1].Exe" to "c:\windows\downloaded program files\exe.exe".
    #E361 unsigned or incorrectly signed file "c:\documents and settings\baohelin\local settings\temporary internet files\content.ie5\zabmzh74\exe[1].Exe" will be installed (policy = ignored). Error 0x800b0100: There is no signature in the subject.

wuauclt 1.dll is inserted into svchost.exe to access the network, and the familiar yellow shield appears in the taskbar (Windows Update is downloading the patch). After this "patch" is downloaded, the installation interface is no different from the normal patch installation interface (Figure 3). Because it is a fake patch, it cannot be installed at all (Figure 4). After being infected by this virus, you cannot see any abnormality except in the "Running Processes" part of the SRENG log.
Comparing the "Running Processes" part of the SRENG log before and after running this readme.chm shows the following differences:

Before running readme.chm:
    [PID: 228/SYSTEM][C:\Windows\System32\svchost.exe][Microsoft, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]

After running readme.chm:
    [PID:228/SYSTEM][C

This virus cannot penetrate the shadow. I finished running this virus in the shadow, and after restarting I could not see anything on it.
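The before/after comparison of the SRENG "Running Processes" section can be automated. This is an added example, not code from the original post: the two captures are constructed to follow the process-line layout quoted above, the indented module line under a process is an assumed layout, and the two indicator patterns are the system32 wuauclt 1.dll file and the Downloaded Program Files directory that the post describes as abnormal.

```python
import re

# Constructed sample captures (not real SRENG output). Process lines follow the
# layout quoted in the post; an indented line under a process is assumed to be
# a module loaded into it.
BEFORE_LOG = """\
[PID: 228 / SYSTEM][C:\\WINDOWS\\System32\\svchost.exe][Microsoft, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1232 / SYSTEM][C:\\WINDOWS\\System32\\svchost.exe][Microsoft, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
"""
AFTER_LOG = """\
[PID: 228 / SYSTEM][C:\\WINDOWS\\System32\\svchost.exe][Microsoft, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
    [C:\\WINDOWS\\system32\\wuauclt 1.dll][N/A]
[PID: 1232 / SYSTEM][C:\\WINDOWS\\System32\\svchost.exe][Microsoft, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
"""

PROC_RE = re.compile(r"^\[PID:\s*(\d+)\s*/\s*[^\]]*\]\[([^\]]+)\]")
MOD_RE = re.compile(r"^\s+\[([^\]]+)\]")

# Paths the post names as abnormal on an infected machine.
SUSPICIOUS = (
    re.compile(r"\\system32\\wuauclt\s?1\.dll$", re.I),
    re.compile(r"\\downloaded program files\\", re.I),
)

def parse_processes(text):
    """Map (pid, lower-cased image path) -> module paths listed beneath it."""
    procs, current = {}, None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = (int(m.group(1)), m.group(2).lower())
            procs.setdefault(current, [])
            continue
        m = MOD_RE.match(line)
        if m and current is not None:
            procs[current].append(m.group(1))
    return procs

def new_entries(before, after):
    """Return (pid, image, item) triples that appear only in the 'after' capture."""
    b, a = parse_processes(before), parse_processes(after)
    found = []
    for key, mods in a.items():
        if key not in b:
            found.append((key[0], key[1], "<new process>"))
            continue
        found.extend((key[0], key[1], mod) for mod in mods if mod not in b[key])
    return found

def flag_suspicious(entries):
    """Keep only the new entries matching the indicators described in the post."""
    return [e for e in entries if any(p.search(e[2]) for p in SUSPICIOUS)]

if __name__ == "__main__":
    for pid, image, item in flag_suspicious(new_entries(BEFORE_LOG, AFTER_LOG)):
        print(f"PID {pid} ({image}): {item}")
```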