This is the latest variant of the virus described earlier. New variants have recently started spreading again, so please stay alert.
Quote:
File:
Size: 74240 bytes
Modified: February 2, 2008, 0:03:34
MD5: 2DA55F2A36E852EE6FC96D34DD520979
SHA1: 44CE8F1C1A02591A88867F421C0C658B200D94C1
CRC32: E20E292D
1. After the virus runs, it creates the following copies and files:
Quote:
%systemroot%\system32\
It also writes copies to the root directory of every partition in order to spread via USB flash drives.
It periodically checks whether these copies still exist and immediately writes them back if they are missing.
2. Starts two hidden empty-shell processes, writes the virus code into their memory, and has the two processes monitor each other; the original process then exits.
3. Creates a registry entry
Quote:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Discoverr, pointing to %systemroot%\system32\
so that the virus is launched at system startup.
4. Deletes the following keys to disable safe mode
Quote:
SYSTEM\ControlSet001\Control\SafeBoot\Minimal\
SYSTEM\ControlSet001\Control\SafeBoot\Network\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
5. Disables the display of hidden files
Quote:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue is changed to 0x0000000000
6. Tries to terminate many security-software processes
Quote:
for example:
....
7. Adds Image File Execution Options (IFEO) image-hijacking entries for the following processes (including but not limited to)
Quote:
ADVXDWIN
ALOGSERV
AMON9X
anti -
antivir
ANTS
ATCON
ATUPDATER
ATWATCH
AutoTrace
AVGCC32
AvgServ
AVGSERV9
AVGW
avkpop
AvkServ
avkservice
avkwctl9
AVWINNT
AVXMONITOR9X
AVXMONITORNT
AVXQUAR
AVXW
BullGuard
cfgWiz
...
8. Searches for the following windows and simulates key presses to get past Kaspersky antivirus software
Quote:
Active defense alarm
Active defense warning
Active defense information
It then locates the windows labelled "Allow", "Apply to all" and "Skip" inside them and sends WM_LBUTTONDOWN and WM_LBUTTONUP messages to them.
9. Starts downloading other *s and viruses
Previously, it would read the download list at http://xxx.*.com/txt071219/ and download the viruses named in that file list.
10. It also contains functions to infect web files such as html, asp, aspx, php and jsp pages and to lock the IE homepage, but these were not observed in testing.
Solution:
1. Extract the IceSword archive, rename the executable, and run it.
In the menu bar click File - Settings, tick "Prohibit thread creation", and confirm.
Switch to the Process tab, find the entries shown in red, and terminate the two processes one after the other.
Click the File button in the lower left corner
to enter the file list.
Delete the following file: %systemroot%\system32\
and those under the root of each partition (required).
2. Extract SReng, rename the executable, and run it.
Under Startup Items - Registry, delete the following item:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Discoverr]
<%systemroot%\system32\> []
and delete all IFEO items shown in red.
Under System Repair - Windows Shell/IE, select all and click the Repair button.
Under Advanced Repair, run Repair Safe Mode.
3. Use antivirus software or manual methods to detect and remove the other downloaded viruses or *s.
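The following PowerShell script is an added defender-side check, not part of the original post or any tool named in it: it audits the registry artifacts the post attributes to this variant (the Discoverr Active Setup component, the missing SafeBoot keys, the SHOWALL CheckedValue, and IFEO hijacks). It goes slightly beyond the post's partial list by flagging every IFEO subkey that carries a Debugger value; the StubPath value name and the ".exe" suffix on IFEO subkey names are assumptions, since the post does not state them.

```powershell
# Added audit script (constructed for this post, not the post's own code).
# Run from an elevated PowerShell; it only reads the registry and reports.
function Get-VariantIndicators {
    $findings = @()

    # 1. Active Setup persistence: the post names a component "Discoverr".
    #    StubPath is the usual launch value under Active Setup (assumption).
    $asPath = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\Discoverr'
    if (Test-Path $asPath) {
        $stub = (Get-ItemProperty -Path $asPath -ErrorAction SilentlyContinue).StubPath
        $findings += "Active Setup component 'Discoverr' present (StubPath: $stub)"
    }

    # 2. Safe mode sabotage: the post says these SafeBoot keys get deleted.
    foreach ($k in 'Minimal', 'Network') {
        $sb = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$k"
        if (-not (Test-Path $sb)) { $findings += "SafeBoot\$k key is missing" }
    }

    # 3. Hidden-file display sabotage: CheckedValue forced to 0 (normal is 1).
    $showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    $cv = (Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue).CheckedValue
    if ($cv -ne 1) { $findings += "SHOWALL\CheckedValue is '$cv' (expected 1)" }

    # 4. IFEO hijacks: any subkey with a Debugger value; names from the post's
    #    list (assumed to be the .exe subkey names) are marked explicitly.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $listed = 'ADVXDWIN', 'ALOGSERV', 'AMON9X', 'antivir', 'AVGCC32', 'AvgServ', 'BullGuard', 'cfgWiz'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $name = $_.PSChildName
            $tag = if ($listed -contains ($name -replace '\.exe$', '')) { ' [in post list]' } else { '' }
            $findings += "IFEO Debugger set for $name -> $dbg$tag"
        }
    }
    return $findings
}

$result = Get-VariantIndicators
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'No indicators from this post found.' }
```

A hit on any of the four checks is only an indicator; confirm with the IceSword/SReng steps above before cleaning.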