This virus is the latest variant of the earlier "Dream Lover" (code) virus.
1. Once running, the virus drops the following files (or copies of itself):
%systemroot%\system32\config\systemprofile\
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\system32\
It also drops and
2. Reads the value under software\Microsoft\Windows\CurrentVersion\App Paths\ to locate the browser path, then launches IE to connect to http://www.3940*.cn/ for infection statistics.
3. Escalates its own privileges and terminates the following processes
Closes the handles of the following processes
4. Starts a process, injects code into it, and uses that process to perform the downloads:
Downloads http://www.*/muma935474/
http://www.*/muma935474/
http://www.*/muma935474/
http://www.*/muma935474/
http://www.*/muma935474/
http://www.*/muma935474/
http://www.*/muma935474/
http://www.*/muma935474/
http://www.*/muma935474/
http://www.*/muma935474/~http://www.*/muma935474/
http://www.*/
http://www.*/
http://www.*/
http://www.*/
Saves them to C:\Documents and Settings\ under the names ~ ~ ~ ~ ~ ~
Download interval: 2000 ms
Almost all of the download links are already dead, however, and the samples that do come down are all "pigeon" (Gray Pigeon) remote-control trojans.
5. Closes any window whose title contains the following words:
Firewall
Anti-virus
Jiangmin
Kingsoft
*
Super Patrol
NOD32
Security
Main thread
Micropoint
6. Adds Image File Execution Options (IFEO) hijack entries so that certain antivirus products, security tools and some widespread viruses are redirected to %systemroot%\system32\
KVMonXP_1.kxp
7. Disables the display of hidden files:
the value HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden is set to 0x00000002
The sreng log after the * virus has been implanted looks like this:
Startup items
Registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\]
<IFEO[]><C:\WINDOWS\system32\> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\]
<IFEO[]><C:\WINDOWS\system32\> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\]
<IFEO[]><C:\WINDOWS\system32\> [Microsoft Corporation]...
==================================
Services
[windows / windows][Running/Disabled]
<C:\WINDOWS\><N/A>
Solution:
Download sreng and IceSword: both can be downloaded from down.
1. Unzip IceSword, rename the IceSword executable, and run it
Click the File button in the lower left corner
Delete the following files: %systemroot%\system32\config\systemprofile\
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\system32\
%systemroot%\
and the files dropped under each partition
2. Open sreng
Startup items > Registry
Delete all IFEO entries shown in red
System Repair > Windows Shell/IE > Select All > Repair
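The two registry changes described above (the IFEO hijack entries in step 6, which sreng shows in red, and the Hidden value forced to 2 in step 7) can be audited from an elevated PowerShell session before any cleanup. The script below is an added example written for this page; it is not part of the original writeup and not the sreng or IceSword tooling the page uses. It assumes the logged-on user's copy of the HKU value is read through HKCU, and it only previews removals (-WhatIf) so the operator confirms each entry first; the list of debuggers treated as legitimate is an assumption and may need adjusting for a machine with developer tools installed.

```powershell
# Added example (not part of the original writeup): audit IFEO debugger hijacks and
# the Explorer "Hidden" view setting, the two registry tampering techniques above.
$IfeoRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Assumed list of debuggers that legitimately appear under IFEO; any other executable
# registered as the "Debugger" of an image is treated as a redirection worth reviewing.
$KnownDebuggers = @('ntsd.exe', 'cdb.exe', 'windbg.exe', 'vsjitdebugger.exe')

function Get-IfeoHijacks {
    Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $debugger) { return }
        # The Debugger value may be quoted and may carry arguments; keep only the executable.
        $exe = if ($debugger -match '^"([^"]+)"') { $Matches[1] } else { ($debugger -split '\s+')[0] }
        [PSCustomObject]@{
            Image      = $_.PSChildName            # e.g. KVMonXP_1.kxp in the writeup
            Debugger   = $debugger                 # where launches of Image are redirected
            TargetOK   = Test-Path -LiteralPath $exe
            Suspicious = ($KnownDebuggers -notcontains (Split-Path -Leaf $exe).ToLower())
        }
    }
}

function Test-HiddenFilesTampered {
    # Hidden = 1 shows hidden files, 2 suppresses them; the writeup reports the virus forcing 2.
    $hidden = (Get-ItemProperty -Path $AdvancedKey -Name Hidden -ErrorAction SilentlyContinue).Hidden
    return ($hidden -eq 2)
}

function Remove-IfeoHijack {
    param([Parameter(Mandatory)][string]$Image)
    # Deleting only the Debugger value restores normal launching of the image and leaves
    # the rest of the IFEO subkey alone. -WhatIf previews; drop it once the entry is confirmed.
    Remove-ItemProperty -Path (Join-Path $IfeoRoot $Image) -Name Debugger -WhatIf
}

function Restore-HiddenFilesView {
    Set-ItemProperty -Path $AdvancedKey -Name Hidden -Value 1 -Type DWord -WhatIf
}

# Report: suspicious IFEO redirections first, then the hidden-files setting.
$hijacks = Get-IfeoHijacks | Where-Object Suspicious
$hijacks | Format-Table -AutoSize
foreach ($h in $hijacks) { Remove-IfeoHijack -Image $h.Image }
if (Test-HiddenFilesTampered) {
    Write-Warning "Explorer 'Hidden' is 2: hidden files are suppressed."
    Restore-HiddenFilesView
}
```

Review the table before removing anything: a Debugger value that points at a file which no longer exists (TargetOK = False) is a typical leftover after the dropped file has been deleted, while a live redirection of an antivirus image name into %systemroot%\system32\ matches the behaviour in step 6. Once the entries are confirmed, run the two remediation functions again without -WhatIf.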