Recently, a friend asked me how to clean up this virus. What I told them verbally was not very detailed, so here is a detailed analysis together with the countermeasures.
1. Enable "Show hidden files" in the system, and download the appropriate antivirus software and the Weijin EXE repair tool (important).
2. Check the system processes and end the suspicious * program (the one whose user name is your current user), such as logo1_.exe and other processes disguised as system *s. You can use tskill to end these processes.
3. Find the path where the * is located and delete it, then create a new file with the same name and set it to read-only (this is very important). It is usually under C:\windows or C:\Program Files\; you can search the disk to find the path where the * is located.
4. Modify the registry: go through all the * startup entries in the registry, search for Logo1_.exe, and delete them.
5. Use the Weijin repair tool to repair all infected exe files (this can be done in safe mode).
The following describes how this virus works (collected online).
Process file: rundl132 or
Process location: windir
Program name: Troj_AutoCrat. or Viking
Program purpose: A backdoor * virus that mainly steals information. Also known under its latest virus name, Chinese name: "Weijin" worm variant CP
Program author:
System process: No
Background program: Yes
Using the network: Yes
Hardware related: No
Safety level: Low
Process analysis: The virus modifies the file to start itself automatically, using a file name similar to that. After it runs, the virus opens a backdoor port, allowing malicious attackers to control the computer.
Virus name:
Chinese name: "Weijin" worm variant CP
Released into any executable directory.
The virus modifies the registry to create a Run/Timer entry to achieve self-start. The virus files include: 0~ and so on.
File number: CISRT2006004
Virus name: Worm. (AVP)
Virus alias: (Rising)
Virus size: 27,194 bytes
Packing method: UPack
Sample MD5: fe498f7687658c33547d72151111b93f
Discovery time: 2006.5.30
Update time: 2006.6.1
Related viruses:
Propagation method: spreads via QQ Tail and malicious websites
Technical analysis:
1. Create a file after running:
%Windows%\
\(Current directory)
2. Create a self-start item:
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="%Windows%\"
3. Insert or process.
4. The virus will use the net command to stop the VOD service:
net stop "Kingsoft AntiVirus Service"
5. Tries to access the network shares ipc$ and admin$, and sends ICMP packets containing "Hello, World" to probe for hosts.
6. Some log files generated:
C:\
C:\
C:\
7. The Logo1_.exe variant infects (bundles itself with) .exe files; in this test no infected (bundled) .exe files were found.
It infects (bundles) .exe files, except for .exe files in the following directories:
system
system32
windows
Documents and Settings
System Volume Information
Recycled
winnt
Program Files
Windows NT
WindowsUpdate
Windows Media Player
Outlook Express
Internet Explorer
ComPlus Applications
NetMeeting
Common Files
Messenger
Microsoft Office
InstallShield Installation Information
MSN
Microsoft Frontpage
Movie Maker
MSN Gaming Zone
8. Try to modify the HOSTS file:
%System32%\drivers\etc\hosts
9. Add registry information:
[HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW]
"auto"="1"
10. Try to access the Internet to download other * viruses, including WOW, Zhengtu, QQ Tail and other *s.
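As an added example (not part of the original post, and not the repair tool's code), the following Python script shows how a defender can check offline for the persistence indicators listed in items 2, 8 and 9 above: it parses a registry export of the kind `reg export` produces and a hosts file, and reports the HKCU `load` value, the `DownloadWWW` key, Run entries naming Logo1_.exe or rundl132, and hosts lines that sinkhole a name. Both inputs are constructed sample text; the Logo1_ Run entry, the loopback-sinkhole reading of the hosts change and the `.test` domain are assumptions, since the post does not say what is written into the hosts file.

```python
import re

# Registry locations quoted in the analysis above.
LOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
DOWNLOADWWW_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW"
# File names the post tells you to search the registry for.
SUSPECT_NAMES = re.compile(r"logo1_\.exe|rundl132", re.I)
# Addresses that turn a hosts entry into a sinkhole (assumption: the post only
# says the hosts file is modified, not what is written into it).
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: a merged .reg export (real exports are UTF-16LE; open them
# with encoding="utf-16"). The HKCU load value and the DownloadWWW key come
# from the analysis; the Logo1_ Run entry is a constructed illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINDOWS\\rundl132.exe"
"run"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Logo1_"="C:\\WINDOWS\\Logo1_.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW]
"auto"="1"
'''

# Constructed sample hosts file; the .test domain is a placeholder.
SAMPLE_HOSTS = """# hosts
127.0.0.1       localhost
127.0.0.1       update.example-av.test
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the values in a .reg export.
    Default values are stored under "@"; dword:/hex: data is kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(2) else m.group(1)
            data = m.group(3)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                # .reg string data escapes backslashes and quotes with a backslash
                data = re.sub(r'\\(["\\])', r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def find_persistence(keys):
    """Return (key, value_name, data) triples that match the indicators."""
    findings = []
    load = keys.get(LOAD_KEY, {}).get("load", "")
    if load:  # normally empty or absent on a clean system
        findings.append((LOAD_KEY, "load", load))
    if DOWNLOADWWW_KEY in keys:  # the key itself should not exist at all
        findings.append((DOWNLOADWWW_KEY, "auto", keys[DOWNLOADWWW_KEY].get("auto", "")))
    for key, values in keys.items():
        if key.lower().endswith(r"\currentversion\run"):
            for name, data in values.items():
                if SUSPECT_NAMES.search(data):
                    findings.append((key, name, data))
    return findings


def find_hosts_sinkholes(text):
    """Return (ip, hostname) pairs where a name other than localhost is pointed
    at a loopback or null address."""
    hits = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in SINKHOLE_IPS:
            continue
        for host in fields[1:]:
            if host.lower() != "localhost":
                hits.append((fields[0], host))
    return hits


if __name__ == "__main__":
    for finding in find_persistence(parse_reg_export(SAMPLE_REG)):
        print("registry:", *finding)
    for hit in find_hosts_sinkholes(SAMPLE_HOSTS):
        print("hosts:", *hit)
```

On a real machine you would feed `parse_reg_export` the contents of `reg export HKCU hkcu.reg` and `reg export HKLM hklm.reg` (read with `encoding="utf-16"`) and `find_hosts_sinkholes` the file at `%System32%\drivers\etc\hosts`; the `load` value is empty on a clean system, so anything there is worth looking at regardless of name.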
1. Generates some virus files in the system directory; some of their icons are QQ's, some are Thunder's and some are RealPlayer's, so the icons are easy to be fooled by. The names all follow the same pattern (the character before the "32" is the digit 1, not the letter l, so the name looks like a system file; isn't that deceptive?).
2. Replaces the program files of Thunder and WinRAR so that you cannot run these two programs. I don't know whether other programs have been replaced; anyway, I saw this in these two programs.
3. Open the process manager and you will see a process named with a random number (xxx), whose file is under C:\Documents and Settings\your username\Local Settings\temp.
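The process check in step 2 of the removal procedure and the two disguises described just above (a digit 1 in place of the letter l in a system file name, and a random-number file name under the user's temp directory) can be automated. The following is an added example, not code from the post or from any vendor tool: it takes a process list as (pid, name, image path) triples, flags names the post lists, names that differ from a legitimate system binary only by a 1-for-l or 0-for-o swap, and numeric-named executables under Local Settings\temp, and prints the matching `tskill` commands from step 2. The process list is constructed sample data, the legitimate-name set is a small assumed subset, and the `.exe` extension on the random-number file is an assumption.

```python
import ntpath
import re

# Names reported by the post: the Logo1_.exe variant and the rundll32 lookalike.
KNOWN_BAD_NAMES = {"logo1_.exe", "rundl132.exe"}
# Assumed subset of legitimate Windows binaries worth protecting from lookalikes.
LEGIT_NAMES = {"rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
# Digit-for-letter swaps that survive a casual glance in Task Manager.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})
# Random-number executable in <profile>\Local Settings\temp (assumed .exe suffix).
TEMP_NUMBERED = re.compile(r"\\local settings\\temp\\\d+\.exe$")

# Constructed sample process list: (pid, image name, image path).
SAMPLE_PROCESSES = [
    (4, "System", ""),
    (1204, "rundll32.exe", r"C:\WINDOWS\system32\rundll32.exe"),
    (1388, "rundl132.exe", r"C:\WINDOWS\rundl132.exe"),
    (1420, "Logo1_.exe", r"C:\WINDOWS\Logo1_.exe"),
    (1532, "1846.exe", r"C:\Documents and Settings\alice\Local Settings\Temp\1846.exe"),
    (1600, "explorer.exe", r"C:\WINDOWS\explorer.exe"),
]


def normalize(name):
    """Lower-case the name and fold homoglyph digits back to letters."""
    return name.lower().translate(HOMOGLYPHS)


def lookalike_of(name):
    """Return the legitimate binary this name imitates, or None if the name is
    either genuine or unrelated to the protected set."""
    low = name.lower()
    if low in LEGIT_NAMES:
        return None
    norm = normalize(low)
    for legit in LEGIT_NAMES:
        if normalize(legit) == norm:
            return legit
    return None


def classify(name, image_path):
    """Return a short reason string if the process looks suspicious, else None."""
    if name.lower() in KNOWN_BAD_NAMES:
        return "name listed in the analysis"
    legit = lookalike_of(name)
    if legit:
        return f"homoglyph lookalike of {legit}"
    # ntpath.normcase lower-cases and normalises separators on any platform.
    if TEMP_NUMBERED.search(ntpath.normcase(image_path)):
        return "numeric-named executable in Local Settings\\temp"
    return None


def scan(processes):
    """Return (pid, name, reason) for every flagged process, in input order."""
    hits = []
    for pid, name, path in processes:
        reason = classify(name, path)
        if reason:
            hits.append((pid, name, reason))
    return hits


def tskill_commands(hits):
    """The step-2 termination commands, one per flagged pid."""
    return [f"tskill {pid}" for pid, _, _ in hits]


if __name__ == "__main__":
    found = scan(SAMPLE_PROCESSES)
    for pid, name, reason in found:
        print(f"{pid:>6}  {name:<16} {reason}")
    print("\n".join(tskill_commands(found)))
```

A real process list can be obtained with `tasklist` or from Task Manager; the point of folding 1 to l and 0 to o before comparing is that the eye does the same folding, which is exactly what the rundl132 name relies on.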