
Manual removal of Smitnyl.A

Hello!

In the first part I promised to describe the general principles of manually removing Smitnyl.A, and here I keep that promise. True, the comment did not reach 20 upvotes, but I think the 14 people who did vote should get what interested them. Besides, the removal itself revealed a few features of this malware.

So, our system is prepared and infected with the Smitnyl.A dropper (size 37,076 bytes, MD5 A6E5BAAEAB6C506CB5A08755B025F6A5). After the infection the dropper (like any self-respecting dropper) deleted itself; no other modifications occurred in the system except for the change to the MBR (original, infected). I emphasize: at this stage userinit.exe was not yet infected.
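To see exactly what the dropper changed, the two MBR dumps can be compared byte by byte. The Python script below is an added example, not code from the original post: it checks that the 0x55AA signature and the 64-byte partition table survived and lists which boot-code bytes were rewritten, which is what tells you that restoring the boot code (with MBRFix or any similar tool) will not touch the partition layout. Both MBR images are constructed inline (a dummy boot sector with one NTFS partition, and the same sector with its first 40 boot-code bytes replaced by arbitrary stand-in bytes, not Smitnyl.A's real loader); with real dumps you would read each file with `open(path, "rb").read(512)`.

```python
import struct

MBR_SIZE = 512
BOOTCODE_END = 446       # boot code: bytes 0..445
PART_TABLE_END = 510     # four 16-byte partition entries: bytes 446..509
SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries (only the fields that matter here)."""
    entries = []
    for i in range(4):
        off = BOOTCODE_END + 16 * i
        boot, _chs1, ptype, _chs2, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        entries.append({"bootable": boot == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def mbr_diff(original: bytes, infected: bytes) -> dict:
    """Compare two 512-byte MBR images and report what changed.

    A bootkit has to leave the partition table and the 0x55AA signature
    alone or the disk stops booting, so the expected picture is: boot
    code changed, everything from offset 446 onwards identical.
    """
    if len(original) != MBR_SIZE or len(infected) != MBR_SIZE:
        raise ValueError("MBR images must be exactly 512 bytes")
    changed = [i for i, (a, b) in enumerate(zip(original, infected)) if a != b]
    return {
        "signature_ok": infected[PART_TABLE_END:] == SIGNATURE,
        "partition_table_intact":
            original[BOOTCODE_END:PART_TABLE_END] == infected[BOOTCODE_END:PART_TABLE_END],
        "bootcode_bytes_changed": [i for i in changed if i < BOOTCODE_END],
        "other_bytes_changed": [i for i in changed if i >= BOOTCODE_END],
    }


def build_clean_mbr() -> bytes:
    """Constructed 'original' MBR: a few real-looking opcodes, NOP padding,
    one bootable NTFS partition starting at LBA 63, then the signature."""
    bootcode = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOTCODE_END - 7)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 0x00FF0000)
    return bootcode + entry + b"\x00" * 48 + SIGNATURE


def build_infected_mbr(clean: bytes) -> bytes:
    """Constructed 'infected' MBR: the first 40 bytes of boot code replaced by
    a stand-in loader stub (arbitrary bytes, not the real Smitnyl.A code);
    the rest of the boot code, the partition table and the signature are
    copied unchanged, as a bootkit would do."""
    stub = bytes([0xEA, 0x00, 0x7C, 0x00, 0x00]) + b"\xCC" * 35
    return stub + clean[len(stub):]


if __name__ == "__main__":
    clean = build_clean_mbr()
    infected = build_infected_mbr(clean)
    d = mbr_diff(clean, infected)
    print("signature ok:", d["signature_ok"])
    print("partition table intact:", d["partition_table_intact"])
    print("boot-code bytes changed:", len(d["bootcode_bytes_changed"]),
          "at offsets", d["bootcode_bytes_changed"][:8], "...")
    print("first partition:", parse_partitions(infected)[0])
```

The useful outcome is the combination `partition_table_intact == True` with a non-empty `bootcode_bytes_changed` list: that is the bootkit signature, and it means a boot-code rewrite is safe for the data on the disk. If `other_bytes_changed` is non-empty or the signature is wrong, stop and look at the dump before rewriting anything.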

The infection of userinit.exe happened after the system was rebooted, and the malicious functionality showed itself immediately:


As promised, the malware works as a downloader, and in our case it downloads its backdoor component.

And now the interesting part. The fake explorer.exe actually runs only once, at boot: it downloads the payload to the root of the system drive and launches it, after which it exits and deletes itself:

> C:\Documents and Settings\1\> ** New Command Shell [PID:1996]
> del C:\DOCUME~1\1\LOCALS~1\Temp\explorer.exe
> ** New Command Shell [PID:3144]
> del C:\2008.exe
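The shell logger shows the transient stage: each payload is launched from a temporary location or the drive root and then deleted by a freshly spawned cmd.exe, which is why nothing in the running system points back at the loader. Those two commands are nevertheless a usable detection signal. The Python script below is an added example, not part of the original post: it runs a simple rule over the logged lines above plus one constructed benign deletion, ties each `del` to the PID of the shell that issued it, and flags executables removed from a Temp directory or from a drive root.

```python
import re

# Shell-logger lines quoted in the post, plus one constructed benign
# deletion (the notes.txt line) so the rule has something to leave alone.
SAMPLE_LOG = r"""
C:\Documents and Settings\1\> ** New Command Shell [PID:1996]
del C:\DOCUME~1\1\LOCALS~1\Temp\explorer.exe
** New Command Shell [PID:3144]
del C:\2008.exe
** New Command Shell [PID:3200]
del C:\Documents and Settings\1\My Documents\notes.txt
"""

SHELL_RE = re.compile(r"\*\* New Command Shell \[PID:(\d+)\]")
DEL_RE = re.compile(r"^\s*(?:del|erase)\s+(.+?)\s*$", re.IGNORECASE)
EXE_EXT = (".exe", ".dll", ".scr", ".com")
# a \Temp\ or \Tmp\ component anywhere in the path (8.3 short names included)
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
# exactly <drive>:\<file>, i.e. a file sitting directly in the drive root
ROOT_FILE_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)


def classify_deletion(path: str):
    """Return a reason string if the deletion looks like payload cleanup, else None."""
    if not path.lower().endswith(EXE_EXT):
        return None
    if ROOT_FILE_RE.match(path):
        return "executable deleted from drive root (dropped payload removed)"
    if TEMP_DIR_RE.search(path):
        return "executable deleted from a Temp directory (self-delete pattern)"
    return None


def find_self_delete_indicators(log_text: str) -> list:
    """Walk the log, remember which spawned shell issued each command and
    collect the deletions that match the pattern."""
    findings = []
    pid = None
    for line in log_text.splitlines():
        m = SHELL_RE.search(line)
        if m:
            pid = int(m.group(1))
            continue
        m = DEL_RE.match(line)
        if m:
            reason = classify_deletion(m.group(1))
            if reason:
                findings.append({"pid": pid, "path": m.group(1), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_self_delete_indicators(SAMPLE_LOG):
        print(f"PID {f['pid']}: {f['path']} -> {f['reason']}")
```

On the four lines from the post this yields two hits (PID 1996 deleting explorer.exe from Temp, PID 3144 deleting 2008.exe from C:\) and ignores the constructed notes.txt deletion. The same rule maps directly onto process-creation telemetry where the command line of a cmd.exe child is available; the key fields are the parent PID and the deleted path, not the file name, which changes from sample to sample.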


So the system now contains a backdoor, but nothing points to its source, Smitnyl.A. An AVZ system scan detects the backdoor module running as a service and lets you remove it, but the next reboot puts everything back in place:

The trace of Smitnyl.A itself can be found only by looking carefully at the following part of the log:

Here it becomes clear: AVZ did not recognise the infected userinit.exe by its CRC (it is not in the database of known-good files), so it displayed the file as suspicious (it did not recognise cmd.exe either, but that is correct: I had replaced that file myself in order to log shell operations).

So, what was the treatment?

1. userinit.exe is not in use while the system is running (it does its work at logon and exits), so it can simply be overwritten with the original file from the distribution media or from an uninfected system of the same version; compare the replacement's hash with a known-good copy before relying on it.
2. If you reboot at this point, userinit.exe will be infected again by the MBR code. So we restore the MBR with MBRFix; other tools that rewrite the boot code would work as well.
3. We carry out the standard cleanup with an AVZ script:

begin
// disconnect: stop the TCP/IP stack so the backdoor cannot fetch a fresh copy during cleanup
ExecuteFile('net.exe', 'stop tcpip /y', 0, 90000, false);
// look for user-mode and kernel-mode rootkit hooks and neutralise them
SearchRootkit(true, true);
// enable AVZGuard so other processes cannot interfere with the cleanup
SetAVZGuardStatus(True);
// the backdoor module that was running as a service (the file name depends on what the downloader fetched)
QuarantineFile('c:\windows\system32\tjmitrd.dll','');
DeleteFile('c:\windows\system32\tjmitrd.dll');
// hand the pending deletions to Boot Cleaner, run the standard system cleanup, then reboot
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

(The script will vary depending on what the downloader fetches and launches.)
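Both the AVZ check that flagged userinit.exe and steps 1 and 2 of the cleanup come down to one question: does a system file still match a known-good copy? The Python script below is an added example, not from the original post and not AVZ's own code: it records SHA-256 hashes (my choice; AVZ uses its own CRC database) of a set of files as a baseline, rechecks them, and reports `ok`, `modified` or `missing`. The directory, files and "reinfection" are constructed in a temporary directory so the script runs offline; on a real system the baseline would be taken from the clean copies (installation media or an uninfected machine) and the check run once after replacing userinit.exe and once more after the reboot, which is exactly the point at which step 2 warns the file would be reinfected if the MBR were still dirty.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks (system binaries can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths) -> dict:
    """Record known-good hashes. Run this against clean copies only."""
    return {p: sha256_file(p) for p in paths}


def check_against_baseline(baseline: dict) -> dict:
    """Return {path: 'ok' | 'modified' | 'missing'} for every baselined file."""
    result = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            result[path] = "missing"
        elif sha256_file(path) != expected.lower():
            result[path] = "modified"
        else:
            result[path] = "ok"
    return result


def demo() -> dict:
    """Constructed scenario in a temp directory standing in for system32:
    clean userinit.exe and cmd.exe, a baseline taken from them, then
    userinit.exe altered the way a boot-time reinfection would alter it."""
    d = tempfile.mkdtemp(prefix="smitnyl-baseline-")
    userinit = os.path.join(d, "userinit.exe")
    cmd = os.path.join(d, "cmd.exe")
    with open(userinit, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"constructed clean userinit body")
    with open(cmd, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"constructed clean cmd body")

    baseline = take_baseline([userinit, cmd])
    after_replace = check_against_baseline(baseline)   # state right after step 1

    # Simulate the premature reboot the post warns about: the MBR code
    # writes its loader into userinit.exe (constructed bytes, not real code).
    with open(userinit, "ab") as f:
        f.write(b"constructed injected stub")
    after_reboot = check_against_baseline(baseline)

    return {"userinit": userinit, "cmd": cmd,
            "after_replace": after_replace, "after_reboot": after_reboot}


if __name__ == "__main__":
    r = demo()
    for stage in ("after_replace", "after_reboot"):
        print(stage, {os.path.basename(p): s for p, s in r[stage].items()})
```

A file that reads `modified` after the reboot tells you the MBR (or something else that runs before logon) is still rewriting it, so the boot code has to be fixed before the file replacement is worth repeating. Keep the baseline itself off the infected machine; a hash list stored on the same disk can be edited by the same code that edits the binaries.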

After the reboot the system is completely clean.

Source: https://habr.com/ru/post/114258/

