Where is there a Panda Burning Incense?????
It's not that there's a Panda Burning Incense somewhere; rather, all the EXE icons have turned into a panda burning three incense sticks. The icon is very cute.
Here is a manual method:
Panda Burning Incense Variant Solution
Virus name: Worm. (Kaspersky)
Virus alias: (Rising)
.22835 (ADD)
Virus size: 22,886 bytes
Packer: UPack
Sample MD5: 9749216a37d57cf4b2e528c027252062
Sample SHA1: 5d3222d8ab6fc11f899eff32c2c8d3cd50cbd755
Discovery time: 2006.11
Updated: 2006.11
Related Viruses:
Method of dissemination: spreads through malicious web pages, downloads other *s, and can spread through local area networks, removable storage devices, etc.
Technical Analysis
==========
This is another variant of "Panda Burning Incense". Like the previous variant, it uses the panda-burning-incense icon on a white background. After the virus runs, it copies itself to the system directory:
%System%\drivers\
Creates a startup item:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svcshare"="%System%\drivers\"
Modifies the registry to break the "Show all files and folders" setting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
Generates a copy in the root directory of each partition:
X:\
X:\
content:
CODE:
[AutoRun]
OPEN=
shellexecute=
shell\Auto\command=
Tries to close the following windows:
QQKav
QQAV
VirusScan
Symantec AntiVirus
Duba
Windows
esteem procs
System Safety Monitor
Wrapped gift Killer
Winsock Expert
msctls_statusbar32
pjf(ustc)
IceSword
Ends some rival processes:
Logo1_.exe
Logo_1.exe
Disables the following services:
Schedule
sharedaccess
RsCCenter
RsRavMon
KVWSC
KVSrvXP
kavsvc
AVP
McAfeeFramework
McShield
McTaskManager
navapsvc
wscsvc
KPfwSvc
SNDSrvc
ccProxy
ccEvtMgr
ccSetMgr
SPBBCSvc
Symantec Core LC
NPFMntor
MskService
FireSvc
Deletes the startup entries of several security products:
RavTask
KvMonXP
kav
KAVPersonal50
McAfeeUpdaterUI
Network Associates Error Reporting Service
ShStatEXE
yassistse
Uses the net share command to delete the administrative shares:
net share X$ /del /y
net share admin$ /del /y
net share IPC$ /del /y
Traverses the drives and infects exe, com, scr and pif files in all directories except the following system directories:
X:\WINDOWS
X:\Winnt
X:\System Volume Information
X:\Recycled
%ProgramFiles%\Windows NT
%ProgramFiles%\WindowsUpdate
%ProgramFiles%\Windows Media Player
%ProgramFiles%\Outlook Express
%ProgramFiles%\Internet Explorer
%ProgramFiles%\NetMeeting
%ProgramFiles%\Common Files
%ProgramFiles%\ComPlus Applications
%ProgramFiles%\Messenger
%ProgramFiles%\InstallShield Installation Information
%ProgramFiles%\MSN
%ProgramFiles%\Microsoft Frontpage
%ProgramFiles%\Movie Maker
%ProgramFiles%\MSN Gaming Zone
Prepends itself to the front of the infected file and appends tag information at the end:
QUOTE:
.WhBoy{original file name}.exe.{original file size}.
Unlike the previous variant, although the virus body is 22886 bytes, only 22838 bytes of it are bundled at the front of the file. Running an infected file therefore produces an error, and the original file {original file name}.exe is not released as it was with the previous variant.
In addition, the virus was found to overwrite a small number of exe files and delete .gho files.
The virus also attempts to access other computers on the LAN using the following weak passwords:
password
harley
golf
pussy
mustang
shadow
fish
qwerty
baseball
letmein
ccc
admin
abc
pass
passwd
database
abcd
abc123
sybase
123qwe
server
computer
super
123asd
ihavenopass
godblessyou
enable
alpha
1234qwer
123abc
aaa
patrick
pat
administrator
root
sex
god
foobar
secret
test
test123
temp
temp123
win
asdf
pwd
qwer
yxcv
zxcv
home
xxx
owner
login
Login
love
mypc
mypc123
admin123
mypass
mypass123
Administrator
Guest
admin
Root
Removal steps
==========
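A defender-side check for the infection layout described in the analysis above (prepended 22838-byte body, original file, trailing `.WhBoy{name}.exe.{size}.` tag), as an added example that is not part of the original post or any vendor tool: it parses the tag, confirms that stub + original size + tag account for the whole file length, and cuts the original bytes back out. It assumes the original file follows the prepended body unmodified and that the tag is single-byte encoded; `make_sample_infected` builds a constructed input, not a real sample.

```python
import re
from typing import Optional, Tuple

# Bytes of worm body prepended to each infected host file in this variant
# (the analysis notes only 22838 of the 22886-byte body are bundled).
STUB_SIZE = 22838

# Tag appended after the original file: ".WhBoy{original file name}.exe.{original file size}."
TRAILER_RE = re.compile(rb"\.WhBoy(?P<name>.+)\.exe\.(?P<size>\d+)\.\Z", re.DOTALL)


def parse_trailer(data: bytes) -> Optional[Tuple[str, int, int]]:
    """Return (original name, original size, tag length) if data ends in a WhBoy tag."""
    tail = data[-512:]  # the tag is short; only the end of the file needs inspecting
    m = TRAILER_RE.search(tail)
    if m is None:
        return None
    # Assumption: the name inside the tag is single-byte encoded; decode leniently.
    name = m.group("name").decode("latin-1")
    return name, int(m.group("size")), len(m.group(0))


def is_whboy_infected(data: bytes) -> bool:
    """True only if the tag parses AND stub + original + tag exactly match the file length."""
    parsed = parse_trailer(data)
    if parsed is None:
        return False
    _, size, tag_len = parsed
    return len(data) == STUB_SIZE + size + tag_len


def recover_original(data: bytes) -> Optional[bytes]:
    """Cut the prepended stub and the trailing tag off, leaving the original file bytes."""
    if not is_whboy_infected(data):
        return None  # clean file, or a tag whose size claim does not fit the file
    _, size, _ = parse_trailer(data)
    return data[STUB_SIZE:STUB_SIZE + size]


def make_sample_infected(original: bytes, name: str) -> bytes:
    """Constructed test input mimicking the layout stub || original || tag (not a real sample)."""
    stub = b"MZ" + b"\x90" * (STUB_SIZE - 2)  # placeholder body, same length as the real one
    tag = b".WhBoy" + name.encode("latin-1") + b".exe." + str(len(original)).encode() + b"."
    return stub + original + tag


if __name__ == "__main__":
    sample = make_sample_infected(b"MZ" + b"original program bytes", "notepad")
    print(parse_trailer(sample), is_whboy_infected(sample))
    print(recover_original(sample))
```

Because the length check is strict, a file whose tag was truncated or whose size field no longer fits is reported clean rather than "recovered" into garbage; such files need a separate look.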