Recently, tinder security team intercepted a batch of worm virus. These viruses spread through mobile media such as USB sticks and mobile hard disks and network drives. After intruding into computers, they will remotely download various virus modules for profit. The downloaded trojans, mining viruses and so on, have earned about 645 Menlo coins (more than 600,000 yuan). These new worms are still being updated and may launch larger attacks in the future. The virus has appeared as early as 2014, and is constantly circulating at home and abroad, the spread of foreign far more than domestic. According to the Tinder Threat Intelligence System, the virus has posed a threat of rapid outbreak in China since 2018, and has continued to spread recently. Tinder engineers found that the virus spreads through removable storage devices (USB sticks, removable hard drives, etc.) and network drives. Infected with the worm, the virus hides existing files on mobile devices and network drives and creates a shortcut that is identical to the disk name and icon, inducing users to click on it. Once the user clicks, the virus runs immediately. After the virus runs, it will first group the infected computers through the control command returned by the C&C remote server, and then obtain the corresponding virus module, and perform the sabotage behavior such as stealing numbers and mining. The author of the virus is very careful, the worm virus and all the virus modules downloaded, are using a confounding device, it is difficult to be killed by security software. At the same time, the downloaded mining virus can only mine when the user’s computer is idle, and occupies very low CPU resources, and is very hidden. Not only that, but the virus also deletes suspicious files from the root of an infected device or network drive to ensure that only itself gets into a user’s computer. This shows that the virus to occupy users for a long time to profit for the purpose of the future can not rule out the remote distribution of other malignant viruses (such as ransomware).
2. Sample analysis
Tinder recently intercepted samples of a worm virus that spreads mainly through network drives and removable storage devices. The virus first appeared around 2014. At first, the virus spread widely overseas, but the infection rate in China was very limited. After 2018, the infection rate in China increased rapidly, gradually showing a threat of rapid outbreak. After the execution of the virus code, it will execute the specified malicious logic according to the control command returned by the remote C&C server, or even directly distribute other virus code to the local computer for execution. At the present stage, we found that the virus programs distributed include: mining virus, stealing Trojan horse and so on. The flow chart of virus malicious code running and spreading is as follows:
Third, the appendix
Sample SHA256 is involved in this paper: