Double-Gun Trojan which uses game plug-in to spread, is updated to V4.0 and looking for trouble

Oct 31, 2018Elley
Learn more about 360 Total Security

In July 2017, 360 Security Center discovered the first virus Trojan infected with MBR and VBR. It was named “Double- Gun”. In the following year, we found that the virus author frequently updated the virus version to increase the profitability and ability to fight against security software, and the virus transmission channels are constantly changing.

Recently, we found that the latest version of the “Double-Gun” Trojan (referred to as “Double-Gun 4”) on the basis of the original virus module, which increased the hijacking of the virus module of the e-commerce website. According to the related analysis, we found that the virus module is a sub-module of the virus disclosed by other experts. Also, based on the debugging information of the two family virus samples, we found that these two types of Trojans should be from the same virus author.

Double-Gun 4 uses the virus module to achieve traffic hijacking on the e-commerce website. Based on the timing of the virus update, the virus author should be thinking about making a traffic promotion during the November shopping period. Fees, the benefits of a single homepage lockout can no longer meet the greedy desire of the virus writer, hence the writer has targeted the “Double-Gun” to a larger battlefield.

Transmission
Double-Gun 4 Trojan uses a game plug-in in a digital resource network, a large number of download stations such as the West West Software Park, Snail Entertainment Network and so on. Take a game plug-in called “Anti-war Contract” as an example to restore the entire infection process. On the download page, users can see that they only need to replace log.dll with the anti-war game directory. What the user does not know is that log.dll is actually a Trojan releaser for releasing subsequent virus modules. Screenshot of the virus download page:

After log.dll is replaced in the anti-war game directory, it will be loaded by the LoadingOptimize.exe process with the start of the anti-war game, release the virus file orange.dll, and call its export function StartEngine. After these, the export function will be calculated according to the current calculation. The system digits release the corresponding virus driver TexDriver.sys. TexDriver.sys will download the twin gun driver NtProtect.sys, further infect the system MBR and VBR, the complete infection process, as shown below:

As shown in the above figure, MBR and VBR will decrypt the virus driver NtBoot.sys to detect the NtProtect.sys driver during the system startup phase. If the driver service is abnormal, the virus driver will be downloaded and repaired to form mutual protection, so that detecting Double-Gun is extremely difficult.

Recommendation
1. In recent years, game plug-ins have become one of the main ways of virus transmission. However, the security of plug-ins spread on the Internet cannot be guaranteed. Hence, we recommend that users do not use such programs.

2, “Double-Gun” Trojan is strong and difficult to kill. It will also infect the system MBR and VBR, many anti-virus software does not support the killing of the boot area, so there will be frequent detection, but cannot be completely removed. Fortunately, 360 Total Security has created a powerful killing technology for such Trojans. Thus, it is recommended that users download 360 Total Security for protecting their PC.

Learn more about 360 Total Security