Virus name: <Rising> <McAfee and Kaspersky do not detect it>
MD5 216a3783443fc9c46fe4d32aa13c390f
After the virus sample is run, it automatically copies itself into the %SYSTEMroot% directory:
%SYSTEMroot%\
%SYSTEMroot%\ge_1237.exe
X:\
X:\
X:\
X stands for any non-system drive letter.
%systemroot% is an environment variable.
Contents of the autorun.inf:
[autorun]
open=.\
shell\1=Open
shell\1\Command=.\
shell\2\=Browser
shell\2\Command=.\
shellexecute=.\
[autorun]
open=.\
shell\1=Open
shell\1\Command=.\
shell\2\=Browser
shell\2\Command=.\
shellexecute=.\
It launches IE and %SYSTEMroot%\ge_1237.exe, which connect to the network:
IP address: 125.91.104.177, port 80
IP address: 59.45.180.5, port 37
IP address: 221.238.249.18
The pop-up advertising a free song points to the URL: /ivr/all/?uid=2722
Solution:
1. Run IceSword: Settings -> Prohibit thread creation; then force-unload the injected module C:\WINDOWS\system32\ from the processes and end those processes.
Attached SREng log:
Code:
[PID: 4916][C:\WINDOWS\]
[C:\WINDOWS\system32\]
[PID: 1508][C:\Program Files\Internet Explorer\]
[C:\WINDOWS\system32\]
2. Use IceSword: File -> Delete:
%SYSTEMroot%\
%SYSTEMroot%\ge_1237.exe
and on the non-system drives:
X:\
X:\
X:\
Notes:
When IceSword deletes X:\ on the non-system drives, the desktop process is terminated automatically. After the deletion is complete, thread creation will be disabled. Press Ctrl+Alt+Del to bring up Task Manager, then choose File -> New Task to restart the desktop process: