SoFunction
Updated on 2025-04-08

Manual removal of the * virus

Virus name: *-PSW. (Kaspersky)
Virus alias: Worm. (Rising), .110771 (Kingsoft)
Virus size: 32,948 bytes
Packer: UPX
Sample MD5: 772f4dfc995f7c1ad6d1978691190CDe
Sample SHA1: e9d2bcc5666a3433d5ef8cc836c4579f03f8b6cc
Related viruses:
Distribution method: malicious web pages, downloads by other *s, USB flash drives and portable hard drives


Technical Analysis
==========


After the * runs, it will copy itself to:

Code:
%ProgramFiles%\Internet Explorer\PLUGINS\
%ProgramFiles%\Internet Explorer\PLUGINS\


It creates a ShellExecuteHooks autostart entry:


Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F81F75C9-F974-4772-B72D-F28CBCD98C5F}"=""

[HKEY_CLASSES_ROOT\CLSID\{F81F75C9-F974-4772-B72D-F28CBCD98C5F}\InProcServer32]
@="%ProgramFiles%\Internet Explorer\PLUGINS\"

It also writes the following registry value:

Code:
[HKEY_CURRENT_USER\Software\Tencent\Deta3]
"Ft"


It looks for a local E: drive and creates files in its root directory in an attempt to spread via USB drives.

After the * virus runs, it automatically selects contacts from the user's QQ friend list and forms a temporary discussion group, then sends the group a message reading "/Here is my photo and help me support me, remember to reply to me, click to download it." Other members of the discussion group may be infected when they open the file at the link. The * also connects to the network to download other viruses, *s or malicious programs into a temporary directory and runs them.


Removal steps
==========

1. Delete the ShellExecuteHooks entry created by the * (Start menu > Run > type "regedit" to open the Registry Editor, navigate to the following keys in turn and delete the listed entries):

Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F81F75C9-F974-4772-B72D-F28CBCD98C5F}"

[HKEY_CLASSES_ROOT\CLSID\{F81F75C9-F974-4772-B72D-F28CBCD98C5F}]


2. Restart the computer (the hook module is loaded into Explorer and cannot be deleted while it is in use).

3. Delete the * files:

Code:
%ProgramFiles%\Internet Explorer\PLUGINS\
%ProgramFiles%\Internet Explorer\PLUGINS\

If an E: drive exists, also delete:

Code:
E:\
E:\


4. Delete the remaining registry information (Start menu > Run > type "regedit" to open the Registry Editor, navigate to the following key and delete it):

Code:
[HKEY_CURRENT_USER\Software\Tencent\Deta3]
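
As an added example that is not part of the original article, the following read-only PowerShell audit checks the persistence points described in the technical analysis and in steps 1, 3 and 4: it resolves every ShellExecuteHooks CLSID to its InProcServer32 module, flags the CLSID given in the article or any hook module under Internet Explorer\PLUGINS, and reports whether the HKCU Tencent\Deta3 key exists. The function names are my own; the CLSID, paths and key names are taken from the article.

```powershell
# Constants taken from the article above.
$SuspectClsid = '{F81F75C9-F974-4772-B72D-F28CBCD98C5F}'
$SuspectDir   = Join-Path $env:ProgramFiles 'Internet Explorer\PLUGINS'
$HooksKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$MarkerKey    = 'HKCU:\Software\Tencent\Deta3'

function Get-ShellExecuteHookReport {
    # Every value name under ShellExecuteHooks is a CLSID that Explorer loads in-process.
    $hooks = Get-Item -Path $HooksKey -ErrorAction SilentlyContinue
    if (-not $hooks) { return @() }
    foreach ($clsid in $hooks.GetValueNames()) {
        # The COM server module is the (default) value of HKCR\CLSID\<clsid>\InProcServer32.
        $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $module = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
        $expanded = if ($module) { [Environment]::ExpandEnvironmentVariables($module) } else { '<unresolved>' }
        # Flag the article's CLSID, or any hook whose module lives in the IE PLUGINS folder.
        $suspicious = ($clsid -ieq $SuspectClsid) -or ($expanded -like "$SuspectDir*")
        [pscustomobject]@{
            Clsid      = $clsid
            Module     = $expanded
            OnDisk     = [bool]($module -and (Test-Path -LiteralPath $expanded))
            Suspicious = $suspicious
        }
    }
}

function Get-TrojanArtifactReport {
    [pscustomobject]@{
        Hooks           = @(Get-ShellExecuteHookReport)
        MarkerKeyExists = Test-Path -Path $MarkerKey
        # The article does not preserve the dropped file names, so list the
        # PLUGINS folder with timestamps for manual review instead.
        PluginFiles     = @(Get-ChildItem -LiteralPath $SuspectDir -File -ErrorAction SilentlyContinue |
                            Select-Object Name, Length, CreationTime)
    }
}

$report = Get-TrojanArtifactReport
$report.Hooks | Format-Table -AutoSize
$report.PluginFiles | Format-Table -AutoSize
if ($report.MarkerKeyExists) { Write-Warning "Marker key present: $MarkerKey" }
if ($report.Hooks | Where-Object Suspicious) {
    Write-Warning 'Suspicious ShellExecuteHooks entry found; review, then follow the removal steps above.'
}
```

The script only reads the registry and file system; legitimate hooks (for example the shell's own URL execution hook) will appear in the listing unflagged, and removal still follows the manual steps above, with the reboot before deleting the module.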