"A few days ago, my computer caught 'Panda Burning Incense'. I had only just driven away the 'national treasure' a few days ago. Today, after I downloaded a gadget online, the machine started to slow down again. Several program icons turned into 'handsome guy' avatars, their eyes bulging like light bulbs. I guess I've been infected with a virus again. I'm really depressed!" user Mr. Chen said helplessly.
Kingsoft Antivirus expert Dai Guangjian pointed out that this is a file-infecting virus called "Wonderful Boy" (), which some people call "Light Bulb Male" or "Dancing Male Head". The virus infects executable files with the extensions exe and scr and spreads over the local area network. When a network connection is available, it also downloads other viruses from the Internet.
According to Kingsoft Antivirus experts, "Light Bulb Male" and "Panda Burning Incense" behave very similarly. Although "Light Bulb Male" has not yet had a large-scale outbreak, users still need to be vigilant. Below is a detailed analysis of this virus by the Kingsoft Antivirus experts, in the hope that it will be helpful to users.
"Wonderful Boy" () Virus Behavior Analysis
1. Drops the virus body file into C:\Program Files\Internet Explorer\ and the virus DLL file into C:\Program Files\Internet Explorer\PLUGINS\. If the virus is running from inside an infected file, it creates a process for the normal file and runs it.
2. Adds the following registry value:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Internet Explorer Server"="C:\Program Files\Internet Explorer\"
3. Starts an IE process, injects the virus file into it, reads the encrypted virus download addresses from the following URL, and downloads the viruses.
http:///vip/
The decrypted virus addresses are as follows; they are a variety of online game *s:
http:///vip/
http:///vip/
http:///vip/
http:///vip/
http:///vip/
http:///vip/
4. Traverses the local disks, searches for all files with .exe and .scr extensions, and infects them.
5. Tries to spread over the LAN by writing itself to //C$//. If a remote machine on the LAN is successfully infected, that system will automatically run the virus after it restarts.
6. After infection, a file's icon becomes the following:
How to deal with it:
1. Restart the system, press F8, and select Safe Mode with Networking.
2. Go to the Kingsoft Antivirus installation directory, execute directly, and update the antivirus software to the latest version.
3. Run a full disk scan to repair infected executable files.
4. Delete the registry startup value added by the virus under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Internet Explorer Server--->C:\Program Files\Internet Explorer\
and the file C:\Program Files\Internet Explorer\
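The startup entry from step 4 can also be checked for in a text export of the registry. The following is an added example, not part of the original article or Kingsoft's tooling: it parses a .reg export and flags Run values that use the value name given above or that point into the Internet Explorer directory. The directory match is a heuristic added here, and the PLACEHOLDER file names and the "Updater" value are constructed, since the article does not give the file names.

```python
import re

# Indicators taken from the page; assumes %ProgramFiles% is C:\Program Files.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
IOC_VALUE_NAME = "internet explorer server"
IOC_DIR = "c:\\program files\\internet explorer\\"

def parse_reg_export(text):
    """Yield (key, name, data) for string values in a regedit .reg export."""
    text = re.sub(r"\\\r?\n\s*", "", text)          # join hex continuation lines
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or key is None:
            continue
        name, raw = re.sub(r"\\(.)", r"\1", m.group(1)), m.group(2)
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':   # REG_SZ, backslash-escaped
            yield key, name, re.sub(r"\\(.)", r"\1", raw[1:-1])
        elif raw.startswith("hex(2):"):                  # REG_EXPAND_SZ, UTF-16LE bytes
            blob = bytes.fromhex(raw[7:].replace(",", ""))
            yield key, name, blob.decode("utf-16-le").rstrip("\0")

def find_suspicious_run_entries(text):
    """Return [(name, data, reasons)] for Run values matching the page's indicators."""
    hits = []
    for key, name, data in parse_reg_export(text):
        target = data.lower().lstrip('" ').replace("%programfiles%", "c:\\program files")
        reasons = [label for label, ok in (("value name", name.lower() == IOC_VALUE_NAME),
                                           ("target directory", target.startswith(IOC_DIR))) if ok]
        if reasons and key.lower() == RUN_KEY:
            hits.append((name, data, reasons))
    return hits

# Constructed sample export; PLACEHOLDER names stand in for file names the page omits.
_h = "hex(2):" + ",".join(f"{b:02x}" for b in
                          "%ProgramFiles%\\Internet Explorer\\PLACEHOLDER2.exe\0".encode("utf-16-le"))
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"',
    r'"Internet Explorer Server"="C:\\Program Files\\Internet Explorer\\PLACEHOLDER.exe"',
    '"Updater"=' + _h[:37] + "\\\n  " + _h[37:],   # split like a real multi-line export
])

if __name__ == "__main__":
    print(*find_suspicious_run_entries(SAMPLE), sep="\n")
```

Exports in the "Windows Registry Editor Version 5.00" format are UTF-16 encoded, so a file produced by regedit should be read with encoding="utf-16" before being passed to find_suspicious_run_entries.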
Protection suggestions:
1. Install system patches through Windows Update or the Kingsoft Antivirus vulnerability repair tool at least once a month.
2. Set a sufficiently complex password on the system administrator account. A secure password is a combination of letters, numbers, and special characters, no fewer than 7 characters long.
To change it: right-click My Computer, select Manage, browse to Local Users and Groups, find the administrator user in the right pane, right-click it, and select the option to change the password.
3. In Control Panel, keep the Windows Firewall enabled, or make sure Kingsoft NetDart is enabled; either can effectively block the virus from getting in.
4. Close unnecessary file shares: right-click My Computer, select Manage, browse to Shared Folders, and stop any unnecessary shared folders in the right pane.