SoFunction
Updated on 2025-04-08

Panda Burning Incense/Thousand Oaks/Weijin Special Killing Tool Collection

After testing, the tools collected above were found not to be useful. This humorous but destructive virus has probably hit many people recently. Let's take a look at this technical analysis:
1. How many variants of panda burning incense are there?

So far, generally speaking, there are four major variants. We have analyzed variant A; see that version. Variant B is the one whose process everyone often talks about; the full path where it hides is: %SystemRoot%/. In other respects it is basically the same as variant A.

The main change in variant C is that it fights antivirus software, especially the Super Patrol dedicated removal tool. The old version of this removal tool was built into 360 Security Guard's tool list. Variant C looks for any window whose title contains the words "Super Patrol" and closes it; even a new text file named "Super Patrol" created on the desktop will be closed as soon as it is opened in Notepad. That is why many netizens who downloaded the old version of the removal tool complained that it closed the moment they opened it.

At the same time, the Panda Burning Incense virus also shuts down other common process-management tools, such as the familiar Windows Task Manager. The way to deal with this variant is to use a process tool that it does not close. X-PS is recommended (download address and instructions for use: /html/research/2006/0718/); use it to end the virus process, and then run the Super Patrol removal tool. Of course, you can also download the latest Super Patrol removal tool and let it do the detection and removal itself.

Variant D appeared only recently. Files infected by this variant do not get the panda icon; when it infects a machine, 100 icon files can be found in the temporary directory. There are other variants as well, which are basically repacked to evade detection and download different backdoor versions.

2. Damage to the system:

On an infected system, Panda Burning Incense terminates antivirus processes, deletes the antivirus software's registry entries, disables antivirus services, changes Explorer's settings so that hidden files are not shown, and so on.

The following commands are also run to delete the default shares:
 /c net share C$ /del /y
 /c net share D$ /del /y
 /c net share admin$ /del /y
....
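As an added example (not code from the original page or from any removal tool it mentions), here is a small Python check a defender can run after reading the list of share-deletion commands above: it parses the text output of `net share` and reports which administrative shares are missing, and it flags `net share <name> /del` command lines in a process-creation log. The `net share` output and the command lines are constructed samples, not captures from a real machine; the list of drive letters whose `X$` shares are expected is an assumption passed in by the caller.

```python
import re

# Constructed sample of `net share` output on a host where the virus has
# already run `net share C$ /del /y` and `net share D$ /del /y`; only IPC$,
# ADMIN$ and a user share survive. Not captured from a real machine.
SAMPLE_NET_SHARE_OUTPUT = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
IPC$                                         Remote IPC
ADMIN$       C:\\WINDOWS                      Remote Admin
Movies       D:\\Movies
The command completed successfully.
"""

# Constructed process command lines, as a process-creation log might record them.
SAMPLE_COMMAND_LINES = [
    'cmd.exe /c net share C$ /del /y',
    'cmd.exe /c net share admin$ /del /y',
    'cmd.exe /c net share Movies /unlimited',
    'notepad.exe C:\\notes.txt',
]

# Matches the share-deletion form used by the virus: net share <name> /del
SHARE_DEL_RE = re.compile(r'\bnet\s+share\s+(\S+)\s+/del\b', re.IGNORECASE)


def parse_net_share(output):
    """Return the set of share names (upper-cased) listed in `net share` output."""
    shares = set()
    in_table = False
    for line in output.splitlines():
        if line.startswith('----'):
            in_table = True          # the dashed rule precedes the share rows
            continue
        if not in_table or not line.strip():
            continue
        if line.startswith('The command completed'):
            break                    # trailer after the last share row
        shares.add(line.split()[0].upper())
    return shares


def missing_admin_shares(output, drives=('C',)):
    """Administrative shares that should exist but are absent.

    `drives` is the caller's assumption about which local drives exist; the
    virus removes C$, D$ and ADMIN$, so those are the usual gaps.
    """
    expected = {'ADMIN$', 'IPC$'} | {f'{d.upper()}$' for d in drives}
    return sorted(expected - parse_net_share(output))


def share_deletions(command_lines):
    """Share names removed by `net share <name> /del` commands, in the order seen."""
    hits = []
    for cmd in command_lines:
        m = SHARE_DEL_RE.search(cmd)
        if m:
            hits.append(m.group(1).upper())
    return hits


if __name__ == '__main__':
    print('missing admin shares:',
          missing_admin_shares(SAMPLE_NET_SHARE_OUTPUT, drives=('C', 'D')))
    print('share deletions in process log:', share_deletions(SAMPLE_COMMAND_LINES))
```

On a live host you would feed `missing_admin_shares` the real output of `net share`; a missing `C$` or `ADMIN$` on a machine nobody deliberately hardened is a cheap indicator that this cleanup routine has run.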

Old variants infect system files thoroughly, while new variants infect files outside the system directory; that is, they try not to touch Microsoft's own files.

Both new and old variants delete .gho files. Most people back up with Norton Ghost right after installing the system, and Panda maliciously deletes this backup file.

One of the variants also creates desktop_.ini in the directories it infects.

The biggest damage is that Panda Burning Incense is itself a downloader: it fetches backdoors, *s, assorted account-stealing programs, and even DDoS programs from designated websites.

3. Why can't it be cleaned up, and how to remove it thoroughly:

Some people have cleaned a machine with the Super Patrol removal tool, only to find it infected again soon afterwards. This is because once Panda Burning Incense infects a system, it starts a separate thread that scans and infects the class C network: it connects to ports 139/445 on the same network segment, guesses the IPC$ password, enumerates shares, and infects the files on those shares. So as long as one machine on the network still carries the live virus, the whole network can be reinfected.

Many people run file-sharing servers and movie servers on the network, and many netizens set their system login password to empty or to something simple like 123 for convenience.

Or someone on the LAN with an unpatched IE browsed a website carrying the Panda Burning Incense virus without being aware of it.

The way to detect and kill is:

1. Disconnect from the network, run the Super Patrol Panda Burning Incense removal tool, and run a full antivirus scan on every machine.
2. Change the passwords and remove the local shared directories.
3. After removal is complete, use the Super Patrol patch checker to find the patches the system is missing. Apply patches promptly, especially IE patches.