This article is currently an experimental machine translation and may contain errors. If anything is unclear, please refer to the original Chinese version. I am continuously working to improve the translation.
0x00 Preface
It’s graduation season in Chinese universities (and breakup season), and a large number of senior students are printing and binding their final theses at campus print shops.
Unsurprisingly, the unattended public computers in the print shop had been infected by a USB virus. (Seems like even at a Tier-1 Chinese university, you should never trust undergrads' computer skills.)
Many students got infected when transferring files via USB drives. Based on descriptions from fellow netizens, this isn't the classic "fake folder" .exe virus (an executable disguised with a folder icon) that we've all seen before. See here for that classic variant.
It's 3202, as the meme goes, and I hadn't encountered a real-world computer virus in ages. Out of curiosity, I grabbed a spare USB drive, created a few dummy files, and headed to the print shop to catch a live sample.
0x01 Sampling and Initial Observation
Plugged the USB drive directly into the print shop PC. Upon opening, a suspicious shortcut named Removable Disk(57GB) immediately appeared — sample successfully captured. I brought it back and inspected it on a Linux machine.
chronos@localhost ~/virus $ tree .
RECYCLER.BIN and \302\240 are two hidden folders. My original files were moved intact into the \302\240 folder. (\302\240 is actually U+00A0, No-Break Space (NBSP), so the folder name appears blank.)
The only non-hidden item is a shortcut named Removable Disk(57GB).lnk, which displays the removable disk icon and points to RECYCLER.BIN\1\CEFHelper.exe 500 44, tricking users into clicking it. When executed, it runs the payload while also opening \302\240 to reveal the original files — cleverly designed to avoid suspicion.
0x02 Static Analysis
The virus core consists of three binary files located in RECYCLER.BIN\1, whose purposes are initially unclear.
First, I scanned all three files using VirusTotal:
CEFHelper.exe    Detected by 0/71
CEFHelper.exe turned out to be a legitimate, digitally signed Avast utility, repurposed by the malware as a loader (classic DLL side-loading: the signed executable is what AV inspects, while the malicious logic sits in the DLL it loads) to bypass AV detection.
I used IDA Pro to analyze the .exe and .dll. (The .dat file’s format remains unknown for now.)
CEFHelper.exe
As suspected, it’s an extremely simple loader whose sole purpose is to load wsc.dll and pass arguments. So minimal that its entire logic fits in a single screenshot.
CEFHelper
wsc.dll
This one isn’t much more complex. It decrypts AvastAuth.dat using XOR, then executes the decrypted code in memory.
Decryption routine in wsc.dll
Thus, the real virus logic resides entirely within AvastAuth.dat.
To proceed with static analysis, I needed to decrypt AvastAuth.dat. The safest method would be writing a custom decryption tool based on the decompiled code from IDA.
However, reimplementing the decryption algorithm purely through static analysis is quite error-prone. (You never know if you missed a detail, and debugging would be pure guesswork.)
Since no anti-debugging techniques were observed, I decided to go dynamic — debugging the virus directly in a VM to extract the decrypted payload. (A somewhat reckless move.)
I configured IDA Pro with the correct startup parameters and set a breakpoint just before the final return. After triggering execution, the debugger paused successfully. Using stack pointers, I located the decrypted memory region and dumped it.
IDA Pro debugging and decryption
Even from the screenshot, clear PE header signatures are visible.
(The first attempt failed — I accidentally let the code run and infected the VM. Always be careful when dynamically analyzing malware.)
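A worked illustration of the "custom decryption tool" route mentioned above, added here as an example and not taken from the post or from the sample: it assumes the payload is XORed with a short repeating key (the post only says "XOR"; the real key, its length and the exact routine are not on the page), recovers the key by known plaintext from the standard first 16 bytes of a DOS header, and validates each candidate by walking e_lfanew to the PE signature. The encrypted input is a constructed stand-in, not AvastAuth.dat.

```python
"""Added example (not the post's code): recover a repeating XOR key from an
encrypted PE by known plaintext on the DOS header, then validate the result.
The key, its length and the sample payload are constructed for this demo;
the real AvastAuth.dat key is not given in the post."""
import struct
from typing import Optional

# First 16 bytes of a standard DOS header as emitted by common linkers:
# e_magic "MZ", e_cblp=0x90, e_cp=3, e_crlc=0, e_cparhdr=4, e_minalloc=0,
# e_maxalloc=0xffff, e_ss=0. This is the known plaintext we key on.
KNOWN_DOS_HEADER = bytes.fromhex("4d5a90000300000004000000ffff0000")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext step: key[i] = ct[i] ^ pt[i] over the header bytes."""
    if key_len > len(KNOWN_DOS_HEADER):
        raise ValueError("not enough known plaintext for this key length")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], KNOWN_DOS_HEADER))


def looks_like_pe(data: bytes) -> bool:
    """MZ magic present and e_lfanew (offset 0x3c) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew % 4 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_key(ciphertext: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Try key lengths 1..max_key_len; return the first that yields a valid PE.
    A wrong length leaves the MZ bytes or e_lfanew garbled, so it is rejected."""
    for key_len in range(1, max_key_len + 1):
        key = recover_key(ciphertext, key_len)
        if looks_like_pe(xor_bytes(ciphertext, key)):
            return key
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in payload: a 64-byte DOS header whose e_lfanew points
    at a PE signature placed at offset 0x80, followed by zero filler."""
    dos = bytearray(KNOWN_DOS_HEADER + b"\x00" * 0x30)
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + b"\x00" * 32


if __name__ == "__main__":
    demo_key = bytes([0x13, 0x37, 0xC0, 0xDE, 0xAA, 0x55, 0x01])  # constructed key
    encrypted = xor_bytes(build_fake_pe(), demo_key)
    recovered = find_key(encrypted)
    print("recovered key:", recovered.hex() if recovered else None)
    if recovered:
        print("decrypted PE valid:", looks_like_pe(xor_bytes(encrypted, recovered)))
```

On the real file you would feed `find_key(open("AvastAuth.dat", "rb").read())`; if it returns None, the scheme is not a short repeating XOR or the DOS header is non-standard, and the debugger dump described above remains the pragmatic fallback.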
AvastAuth.dat (Behavior when launched from USB)
Opening the dumped binary in IDA Pro finally revealed the actual virus core.
The malware builds its strings character by character in arrays (so no readable strings appear in the binary) and resolves Windows APIs at runtime via GetProcAddress to evade AV detection. I cleaned up and renamed the obfuscated strings and functions. (IDA Pro then inferred the function arguments nicely.)
Unusual method of API calls
The program first calls CommandLineToArgvW to get the number of command-line arguments, then branches based on the count.
Branching based on argument count
When triggered by clicking the shortcut from the USB, it attempts to copy its three core files — CEFHelper.exe, wsc.dll, and AvastAuth.dat — to %allusersprofile%\AvastSvc\ (usually resolves to C:\ProgramData\AvastSvc\). If that fails, it tries %userprofile%\AvastSvc.
The AvastSvc folder is then hidden. CEFHelper.exe is renamed to AvastSvc.exe during copying. The malware adds AvastSvc.exe to the registry autorun key Software\Microsoft\Windows\CurrentVersion\Run, and immediately launches it.
Persistence via registry and file copy
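To check a host for the persistence described in the two paragraphs above, here is an added example in Python (not the post's code): it looks for an AvastSvc folder holding the dropped files under %ALLUSERSPROFILE% or %USERPROFILE%, for Run-key values that launch it, and for the Explorer settings the post says the malware resets. The Run and Explorer\Advanced key paths and the Hidden/ShowSuperHidden values are standard Windows locations not named in the post; the registry reader needs Windows, while the assessment functions take plain dicts so they can be exercised with constructed data anywhere.

```python
"""Added example (not the post's code): look for the persistence artefacts
the post describes on a Windows host. The assessment functions take dicts
and lists so they also run elsewhere on constructed data; only
read_registry_values needs Windows."""
import os
import stat
import sys
from typing import Dict, List, Optional, Tuple

DROP_FILES = {"avastsvc.exe", "wsc.dll", "avastauth.dat"}
# Standard Windows key paths (well known, but not named in the post).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"


def is_suspicious_command(cmd: str) -> bool:
    """True for a Run command launching AvastSvc.exe outside Program Files.
    Genuine Avast installs also ship an AvastSvc.exe, but under Program Files;
    the sample drops its copy under ProgramData or the user profile."""
    lowered = cmd.lower()
    return "avastsvc" in lowered and "program files" not in lowered


def assess_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Names of Run values whose command looks like the dropped loader."""
    return [name for name, cmd in run_values.items() if is_suspicious_command(str(cmd))]


def assess_explorer_settings(advanced: Dict[str, int]) -> List[str]:
    """Hidden == 2 hides hidden files; ShowSuperHidden == 0 hides protected OS
    files. Both are also Windows defaults, so alone they are weak evidence;
    they matter on a machine where the user had enabled the options before."""
    findings = []
    if advanced.get("Hidden") == 2:
        findings.append("Explorer: hidden files not shown (Hidden=2)")
    if advanced.get("ShowSuperHidden") == 0:
        findings.append("Explorer: protected OS files hidden (ShowSuperHidden=0)")
    return findings


def is_hidden_attr(path: str) -> bool:
    """Windows hidden attribute; False where st_file_attributes is unavailable."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_drop_folders(roots: List[Optional[str]]) -> List[Tuple[str, List[str], bool]]:
    """(folder, dropped files present, hidden?) for each <root>\\AvastSvc found."""
    hits = []
    for root in roots:
        if not root:
            continue
        folder = os.path.join(root, "AvastSvc")
        if os.path.isdir(folder):
            present = sorted({n.lower() for n in os.listdir(folder)} & DROP_FILES)
            if present:
                hits.append((folder, present, is_hidden_attr(folder)))
    return hits


def read_registry_values(hive_name: str, subkey: str) -> Dict[str, object]:
    """Windows only: all values under HKCU/HKLM\\subkey as a dict ({} elsewhere)."""
    if sys.platform != "win32":
        return {}
    import winreg
    hive = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[hive_name]
    values: Dict[str, object] = {}
    try:
        with winreg.OpenKey(hive, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:  # no more values under this key
                    break
                values[name] = data
                index += 1
    except OSError:  # key absent
        pass
    return values


if __name__ == "__main__":
    roots = [os.environ.get("ALLUSERSPROFILE"), os.environ.get("USERPROFILE")]
    for folder, files, hidden in find_drop_folders(roots):
        print(f"drop folder {folder} (hidden={hidden}): {', '.join(files)}")
    for hive in ("HKCU", "HKLM"):
        for name in assess_run_entries(read_registry_values(hive, RUN_KEY)):
            print(f"{hive} Run value {name!r} launches an AvastSvc binary outside Program Files")
    for finding in assess_explorer_settings(read_registry_values("HKCU", ADVANCED_KEY)):
        print(finding)
```

Run it as the affected user on the host (the Run value lives in HKCU when written by a non-elevated process, hence both hives are checked); a hit on the folder plus a Run value pointing into it is the combination that matches the post, while the Explorer settings alone prove little.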
After becoming persistent as AvastSvc.exe, it runs with different arguments and enters a new execution branch.
AvastAuth.dat (Behavior after persistence as AvastSvc.exe)
First, it scans for processes related to Adobe, attempts privilege escalation, kills those processes, and deletes associated files, folders, and registry autorun entries. (Exact motive unknown — possibly conflicts with Adobe software, or other Adobe-named malware variants?)
Targeted EXE names
Killing processes and cleaning up traces
USB Infection Thread
Next, it spawns a thread that waits for USB insertion. Upon detecting a new drive, it hides existing files, copies its components, and creates a fake shortcut. It also modifies the host’s registry to reset Explorer settings — specifically disabling “Show hidden files” and “Show protected operating system files”.
USB infection routine
If the host is online, it also scans the newly inserted USB for document files (.docx, .pdf, etc.) smaller than 300MB and stores them for later exfiltration. (The C2 server can request these files remotely.)
Stealing qualifying files from USB
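As an added example for the USB infection thread described above (my code, not the post's): a triage script that recognises the infected layout on a drive (a root-level .lnk named after a removable disk, a RECYCLER.BIN folder holding .exe/.dll/.dat files, and the user's own files moved into a folder named with a single U+00A0), moves the files back and quarantines the payload folder for analysis instead of deleting it. The mount point is whatever you pass; the artefact names mirror those observed in the post, and the drive used in the test is a constructed temporary directory.

```python
"""Added example (not the post's code): triage and clean a USB drive showing
the infection layout the post describes. Pass the drive's mount point or
letter; the payload folder is moved to a quarantine directory, not deleted,
so the sample is kept for analysis. os.listdir returns Windows-hidden
entries too, so the hidden attribute does not need special handling."""
import os
import shutil
import sys
from dataclasses import dataclass, field
from typing import List

NBSP_FOLDER = "\u00a0"      # the "blank" folder name (U+00A0) from the post
PAYLOAD_DIR = "RECYCLER.BIN"
PAYLOAD_EXTS = {".exe", ".dll", ".dat"}


@dataclass
class Triage:
    decoy_links: List[str] = field(default_factory=list)
    payload_files: List[str] = field(default_factory=list)
    hidden_user_files: List[str] = field(default_factory=list)

    @property
    def infected(self) -> bool:
        # Decoy shortcut plus payload folder is the pattern; the NBSP folder
        # alone could be a leftover from an earlier partial clean-up.
        return bool(self.decoy_links and self.payload_files)


def triage_drive(root: str) -> Triage:
    """Inspect the drive root for the three artefacts without changing anything."""
    result = Triage()
    for name in os.listdir(root):
        lower = name.lower()
        if lower.startswith("removable disk") and lower.endswith(".lnk"):
            result.decoy_links.append(name)
    payload_root = os.path.join(root, PAYLOAD_DIR)
    if os.path.isdir(payload_root):
        for dirpath, _, files in os.walk(payload_root):
            for fname in files:
                if os.path.splitext(fname)[1].lower() in PAYLOAD_EXTS:
                    result.payload_files.append(
                        os.path.relpath(os.path.join(dirpath, fname), root))
    hidden = os.path.join(root, NBSP_FOLDER)
    if os.path.isdir(hidden):
        result.hidden_user_files = sorted(os.listdir(hidden))
    return result


def restore_drive(root: str, triage: Triage, quarantine_dir: str) -> List[str]:
    """Move the user's files back to the root, delete the decoy shortcut(s) and
    move RECYCLER.BIN into quarantine_dir. Returns the names restored; a file
    whose name already exists at the root is left where it is."""
    restored = []
    hidden = os.path.join(root, NBSP_FOLDER)
    for name in triage.hidden_user_files:
        dst = os.path.join(root, name)
        if os.path.exists(dst):
            continue
        shutil.move(os.path.join(hidden, name), dst)
        restored.append(name)
    if os.path.isdir(hidden) and not os.listdir(hidden):
        os.rmdir(hidden)
    for link in triage.decoy_links:
        os.remove(os.path.join(root, link))
    if triage.payload_files:
        os.makedirs(quarantine_dir, exist_ok=True)
        shutil.move(os.path.join(root, PAYLOAD_DIR), quarantine_dir)
    return restored


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    drive = args[0] if args else "."
    report = triage_drive(drive)
    print(f"infected: {report.infected}")
    print(f"decoy shortcuts: {report.decoy_links}")
    print(f"payload files: {report.payload_files}")
    print(f"files hidden in the NBSP folder: {len(report.hidden_user_files)}")
    if report.infected and "--clean" in sys.argv:
        moved = restore_drive(drive, report, os.path.join(drive, "quarantine"))
        print(f"restored {len(moved)} file(s); payload moved to quarantine")
```

Triage first and only pass `--clean` once the listing looks right; the quarantine folder should then be copied to an analysis box rather than opened on the user's machine, since the shortcut's target inside RECYCLER.BIN is exactly what launched the infection.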
Remote Control Thread
Further analysis reveals that beyond persistence and USB infection, the malware doesn’t initiate further attacks on its own. Instead, it connects to a C2 server to receive commands.
It starts a thread that connects to 45.142.166.112:443 via HTTP. First, it reports system information — including computer name, username, CPU details, and system ID — then enters a large switch-case structure based on the server’s response to execute various actions, and reports back the results.
Reporting system information
Depending on server commands, it can create/move/delete files or directories, gather more system data, add new startup entries, or upload stolen documents collected from USB drives.
Executing server commands
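An added hunting example (not from the post) for the beaconing described above, over Zeek conn.log-style records: it flags connections to the C2 address named in the post and, more generically, any port-443 connection that Zeek classifies as plain http rather than ssl, since the post says the C2 traffic is HTTP over 443. The log lines are constructed; only the IP address comes from the post, and only a subset of the real conn.log columns is used.

```python
"""Added example (not the post's code): hunt for the beacon in Zeek conn.log
output. The records below are constructed for the demo (documentation IP
ranges for benign hosts); only 45.142.166.112 comes from the post."""
from dataclasses import dataclass
from typing import Iterator, List, Tuple

C2_HOSTS = {"45.142.166.112"}


@dataclass(frozen=True)
class ConnRecord:
    ts: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    service: str


def parse_conn_log(text: str) -> Iterator[ConnRecord]:
    """Parse tab-separated Zeek conn.log text using its #fields header, so the
    column order of the real log does not matter."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("conn.log rows appear before the #fields header")
        row = dict(zip(fields, line.split("\t")))
        yield ConnRecord(
            ts=row["ts"],
            orig_h=row["id.orig_h"],
            orig_p=int(row["id.orig_p"]),
            resp_h=row["id.resp_h"],
            resp_p=int(row["id.resp_p"]),
            proto=row["proto"],
            service=row["service"],
        )


def classify(rec: ConnRecord) -> List[str]:
    """Reasons a connection is interesting; empty list means nothing to see."""
    reasons = []
    if rec.resp_h in C2_HOSTS:
        reasons.append("known C2 address")
    # Zeek labels the application protocol it actually saw: "http" on 443
    # means cleartext HTTP where TLS would be expected, as in the post.
    if rec.resp_p == 443 and rec.service == "http":
        reasons.append("cleartext HTTP on 443")
    return reasons


def hunt(text: str) -> List[Tuple[str, str, int, List[str]]]:
    """(source host, destination host, port, reasons) for every flagged record."""
    hits = []
    for rec in parse_conn_log(text):
        reasons = classify(rec)
        if reasons:
            hits.append((rec.orig_h, rec.resp_h, rec.resp_p, reasons))
    return hits


# Constructed sample log: two benign rows, one beacon, one generic cleartext hit.
_ROWS = [
    ("#separator \\x09",),
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"),
    ("#types", "time", "string", "addr", "port", "addr", "port", "enum", "string"),
    ("1686000000.100000", "CxA1b2", "10.0.0.15", "51234", "203.0.113.10", "443", "tcp", "ssl"),
    ("1686000001.200000", "CxA1b3", "10.0.0.15", "51235", "45.142.166.112", "443", "tcp", "http"),
    ("1686000002.300000", "CxA1b4", "10.0.0.22", "51236", "198.51.100.7", "443", "tcp", "http"),
    ("1686000003.400000", "CxA1b5", "10.0.0.15", "51237", "10.0.0.1", "53", "udp", "dns"),
]
SAMPLE_CONN_LOG = "\n".join("\t".join(row) for row in _ROWS) + "\n"


if __name__ == "__main__":
    for src, dst, port, reasons in hunt(SAMPLE_CONN_LOG):
        print(f"{src} -> {dst}:{port}  {', '.join(reasons)}")
```

The second rule will also catch legitimate but badly configured services, so treat it as a lead to triage rather than an alert on its own; the post's observation that the server answered with plain HTTP is what makes the port/service mismatch a useful pivot here.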
A lookup via ipinfo.io shows that 45.142.166.112 belongs to Owl, a Japanese VPS provider.
I ran the virus in my VM and tried to capture C2 traffic using Fiddler, but the server timed out from within China. Even through multiple proxy nodes and from overseas Windows machines, I only received 502 Bad Gateway. Likely, the C2 server is already down.
Fiddler capture attempt
At this point, all functionalities of the virus have been fully analyzed.
(Minor side note: I used a Windows VM from my HomeLab (risky move — don’t try this at home; if it escapes the VM, you’re done). The disk was in raw format without snapshots, so I couldn’t just roll back. Later, during cleanup, I found that both 360 and Huorong antivirus failed to detect the virus during quick scans. Looks like using a signed loader does help evade detection.)
0x03 Sandbox Dynamic Analysis
I tested the sample using AnyRun, an interactive sandbox. The analysis result can be found here.
The sandbox behavior matches my static analysis almost exactly, so no further details are needed.
0x04 Sample Download
The full package — original sample, decrypted payload, and IDA Pro database — is available at:
https://drive.google.com/file/d/16ew0bdX7dROw93Wl0Q3WJ0xjqf6X0F6m/view?usp=sharing
Use with caution and in a secure environment.
This article is licensed under the CC BY-NC-SA 4.0 license.
Author: lyc8503, Article link: https://blog.lyc8503.net/en/post/random-virus-reverse/