File name:
File size: 116464 bytes
AV naming:
*-PSW.(Kaspersky)
.(Rising)
Worm/(AVG)
Writing language: Delphi
File MD5: 3b08963e3b2cae9e3b4dc38b21b2a69d
Virus type: * horse
Behavioral Analysis:
1. Drops virus files:
C:\WINDOWS\system32\ 113759 bytes
C:\WINDOWS\system32\ 96768 bytes
C:\WINDOWS\system32\ 96768 bytes
2. Adds a registry autorun entry so it starts with the computer:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
kava = REG_SZ, "C:\windows\system32\"
3. Modifies the registry to record the version of the download address:
HKEY_CLASSES_ROOT\CLSID\MADOWN
Currently: "cdfty1.7"
4. Starts an IE process, connects to the network to download the *, and drops:
C:\WINDOWS\system32\
C:\WINDOWS\system32\
5. Injects into system processes, monitors mouse and keyboard operations, and steals the *.
6. Drops a driver with a random name, then deletes itself.
7. Modifies the registry to break the "show hidden files" function.
8. Traverses the disks and generates virus files and
Solution:
1. Download SREng and disconnect the network.
2. Open SREng and delete the registry key:
(registry value) kava and (registry value) tava
3. Restart the computer and delete the file:
C:\WINDOWS\system32\ 113759 Bytes
C:\WINDOWS\system32\ 96768 bytes
C:\WINDOWS\system32\ 96768 bytes
C:\WINDOWS\system32\
C:\WINDOWS\system32\
There are also virus files in the root of each disk; delete those as well. It is recommended to use WinRAR to delete them.
4. Others:
Modify the registry to restore the "show hidden files" function:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
(*)(registry value) Hidden
REG_DWORD, 2 -> change to REG_DWORD, 1
(*)(registry value) ShowSuperHidden
REG_DWORD, 0 -> change to REG_DWORD, 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
(*)(registry value) CheckedValue
REG_DWORD, 0 -> change to REG_DWORD, 1
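As an added example (not part of the original report), the following PowerShell script audits the three Explorer values listed above, optionally restores them to 1, and reports whether the Run values named in the removal steps (kava, tava) are present. It assumes an elevated PowerShell session on the affected machine.

```powershell
# Added example, not from the original report: audit/restore the Explorer values the
# trojan tampers with, and look for the autorun values the removal step names.
$expected = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';          Value = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue'; Value = 1 }
)

function Test-HiddenFileSettings {
    param([switch]$Repair)
    foreach ($e in $expected) {
        $current = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        if ($current -eq $e.Value) {
            Write-Output "OK       $($e.Path)\$($e.Name) = $current"
            continue
        }
        Write-Output "TAMPERED $($e.Path)\$($e.Name) = $current (expected $($e.Value))"
        if ($Repair) {
            # The report lists these as REG_DWORD; keep the type and restore the value.
            Set-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -Type DWord
            Write-Output "REPAIRED $($e.Path)\$($e.Name) -> $($e.Value)"
        }
    }
}

function Find-AutorunValues {
    # 'kava' is shown under the Run key in the report; 'tava' is named in the removal step.
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    foreach ($name in 'kava', 'tava') {
        if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $name)) {
            Write-Output "FOUND    $run\$name = $($props.$name)"
        }
    }
}

Test-HiddenFileSettings            # audit only
# Test-HiddenFileSettings -Repair  # restore the three values after removal
Find-AutorunValues
```

Run the audit first; use the -Repair switch only after the virus files and Run values have been removed, otherwise the running sample can flip the values back.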