File number: CISRT2007002
Virus name: *. (Kaspersky)
Virus alias: (Rising); .28688 (ADD)
Virus size: 27,900 bytes
Packer: UPX
Sample MD5: b95d1102bcddfa26fb9a3f40129d2353
Sample SHA1: 0e52cbcc5fedf47408bad58aa1f0aaf9e00eeae2
Discovery time: 2007.1
Updated: 2007.1
Related Viruses:
Method of transmission: QQ messages, malicious web pages, other virus downloads
Technical Analysis
==========
This is a QQ tail trojan *. After it runs, it drops the DLL:
    %ProgramFiles%\Common Files\Microsoft Shared\MSInfo\
It then registers that DLL as a ShellExecuteHooks COM object so Explorer loads it at every start:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{C217767F-E340-49B8-85D3-3A72B9CD652F}"=""
    [HKEY_CLASSES_ROOT\CLSID\{C217767F-E340-49B8-85D3-3A72B9CD652F}\InProcServer32]
    @="%ProgramFiles%\Common Files\Microsoft Shared\MSInfo\"
It sends the following message to the victim's QQ friends:
    Let's talk about this website
Removal steps
1. Delete the ShellExecuteHooks startup entries of the *:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{C217767F-E340-49B8-85D3-3A72B9CD652F}"=""
    [HKEY_CLASSES_ROOT\CLSID\{C217767F-E340-49B8-85D3-3A72B9CD652F}]
2. Restart the computer
3. Delete the * file:
    %ProgramFiles%\Common Files\Microsoft Shared\MSInfo\
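To check a host for the ShellExecuteHooks persistence described above, and to confirm after the removal steps that no hook remains, the following added PowerShell script (not part of the CISRT report) enumerates every registered hook, resolves each CLSID to its InProcServer32 DLL and flags the CLSID and drop directory from this report. The function name Get-ShellExecuteHooks is my own.

```powershell
# Added example, not code from the CISRT report: read-only inventory of
# ShellExecuteHooks registrations. Run in an elevated PowerShell on the host.
$hooksKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$knownClsid = '{C217767F-E340-49B8-85D3-3A72B9CD652F}'        # CLSID from the report
$dropDir    = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\MSInfo'

function Get-ShellExecuteHooks {
    # Windows Vista and later ignore this key unless hooks are explicitly enabled,
    # so an absent key is normal on current systems and yields no results.
    if (-not (Test-Path $hooksKey)) { return @() }

    $item = Get-Item -Path $hooksKey
    foreach ($name in $item.GetValueNames()) {
        # Each value name is the CLSID of a hook; the value data is normally empty.
        if ($name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }

        # Resolve the CLSID to the DLL the shell would load.
        $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$name\InProcServer32"
        $server = $null
        if (Test-Path $serverKey) {
            $server = (Get-ItemProperty -Path $serverKey).'(default)'
        }

        # Flag the CLSID named in the report, or any hook served from its drop path.
        $suspicious = ($name -ieq $knownClsid) -or
                      ($server -and ($server -like "$dropDir*"))

        [pscustomobject]@{
            Clsid      = $name
            Server     = $server
            Suspicious = $suspicious
        }
    }
}

Get-ShellExecuteHooks | Format-Table -AutoSize
```

A hook whose CLSID has no InProcServer32 entry (Server empty) is also worth a look, since a half-removed registration leaves exactly that trace.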