AV detection names:
Kingsoft Antivirus (.412826)
AVG()
Dr. An V3 (Win-*/)
Packer: none
Writing language: Delphi
File MD5: a79d8dddadc172915a3603700f00df8c
Virus type: remote control
Behavioral Analysis:
1. Release virus files:
C:\WINDOWS\ 361984 Bytes
C:\WINDOWS\ 412829 Bytes
2. Modify the registry so that it runs at system startup (Winlogon Userinit):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
(registry value) Userinit
REG_SZ, "C:\WINDOWS\system32\,"
Modify to REG_SZ, "C:\windows\system32\,C:\windows\ –ini
3. Start an IE process and inject itself into it.
4. Add registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
(registry value) Beizhu = REG_SZ, "Online"
(registry value) Info = REG_SZ, "http://www.5311×/vip/6880579/>46821973>Online>Remote online host>25>0>1080>guest>123456>"
5. Read the registry values above, open a reverse (outbound) connection to the controller, and accept remote commands from the attacker.
6. After the files have been dropped, invoke a deletion of its original file.
Solution:
1. Open Task Manager, end the visible IE process, and then disconnect from the network.
2. Start > Run, open the Registry Editor, and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
(registry value) Userinit
Click to modify and set it to: C:\WINDOWS\system32\,
Note that the trailing comma must not be omitted. On a 2000/NT system it is: C:\WINNT\system32\,
3. Delete the file:
C:\WINDOWS\ 361984 Bytes
C:\WINDOWS\ 412829 Bytes