SoFunction
Updated on 2025-04-08

Manual detection and removal methods

Virus name: *-PSW. [dll] (Kaspersky), Rootkit. [sys] (Kaspersky)
Virus alias: .[exe] (Rising), .[dll] (Rising), .[sys] (Rising)
Virus size: 49,664 bytes
Packer:
Sample MD5: 335838f3badbc6532211e19988f008a9
Sample SHA1: 1c13b0d60b8838dcb5581e21f0526b1d6412a5d8
Discovery time: 2007.7
Updated: 2007.7
Related viruses:
Propagation method: spread through malicious websites; downloads other *s


Technical Analysis
==========

When run, the * copies itself into the system directory:
%Windows%\system\
and drops a DLL:
%Windows%\system\

It drops its driver into the current directory and registers it as a service under:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fOxkb]

The * hides its own process, so it is not visible in process viewers such as Task Manager and ProcExp.

It creates a startup item:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QQREST"="%Windows%\system\"

This startup entry is rewritten about every 5 seconds.


Removal steps
==========

1. Use IceSword to terminate the * process:
%Windows%\system\

2. Delete the following files (if Windows reports that a file cannot be deleted, download the forced-deletion tool from the download page and delete it forcibly):
%Windows%\system\
%Windows%\system\

3. Delete the startup item created by the * (in SREng: Startup Items - Registry). SREng can also be downloaded from the download page.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QQREST"="%Windows%\system\"

4. Delete the driver service entry the * added to the registry (in SREng: Startup Items - Drivers):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fOxkb]

5. Delete the driver file dropped by the * (if Windows reports that the file cannot be deleted, download the forced-deletion tool from the download page and delete it forcibly):
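Added example, not part of the original write-up: a PowerShell check for the two registry artifacts named above (the QQREST Run value and the fOxkb driver service), meant to run from an elevated prompt after step 1. Everything except those two names is an assumption of this example; it uses the page's 5-second rewrite interval to confirm the hidden process is really gone before cleaning up.

```powershell
# Added example (not from the original write-up). Run from an elevated prompt
# AFTER the hidden process has been terminated (step 1, IceSword): while it is
# alive, the Run value is rewritten roughly every 5 seconds.
$RunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunName = 'QQREST'                                          # value name from the page
$SvcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\fOxkb'   # driver service from the page

function Get-Indicators {
    # Returns a hashtable of the artifacts still present; empty means clean.
    $found = @{}
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$RunName]) {
        $found['RunValue'] = $run.$RunName          # command line the entry points at
    }
    if (Test-Path $SvcKey) {
        $svc = Get-ItemProperty -Path $SvcKey -ErrorAction SilentlyContinue
        $found['DriverService'] = $svc.ImagePath    # on-disk driver to delete in step 5
    }
    return $found
}

function Test-RunValueReappears {
    # The page reports a ~5 s rewrite interval, so wait twice that: if the value
    # comes back, the dropper is still running and step 1 must be repeated.
    param([int]$WaitSeconds = 10)
    Remove-ItemProperty -Path $RunKey -Name $RunName -ErrorAction SilentlyContinue
    Start-Sleep -Seconds $WaitSeconds
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    return [bool]($run -and $run.PSObject.Properties[$RunName])
}

function Remove-Indicators {
    # Deleting the service key only stops the driver loading at next boot; a
    # driver already in memory stays loaded until the machine is restarted.
    if (Test-Path $SvcKey) {
        Remove-Item -Path $SvcKey -Recurse -Force -ErrorAction SilentlyContinue
    }
    Remove-ItemProperty -Path $RunKey -Name $RunName -ErrorAction SilentlyContinue
}

$before = Get-Indicators
if ($before.Count -eq 0) { Write-Output 'No artifacts found.'; return }
$before.GetEnumerator() | ForEach-Object { Write-Output ('{0}: {1}' -f $_.Key, $_.Value) }
if (Test-RunValueReappears) {
    Write-Warning 'Run value was rewritten: the hidden process is still alive (repeat step 1).'
    return
}
Remove-Indicators
Write-Output ('Remaining artifacts: {0}' -f (Get-Indicators).Count)
```

The process itself is hidden from Task Manager and ProcExp, which is why the script never tries to find it and instead relies on the rewrite check as evidence that it is gone.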