The virus generates the following files:
Code:
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\
Creates them under every partition, sets the hidden attribute on them, and repeatedly checks that they are still hidden.
Registers the service AnHao_VIP_CAHW pointing at C:\WINDOWS\system32\ so that it is launched at boot.
Startup type: Automatic
Display name: A GooD DownLoad CAHW
Calls the TerminateProcess function to kill the following processes:
Code:
Calls the GetWindowTextA function to read the current window title and calls PostMessageA to send WM_CLOSE, WM_DESTROY and WM_QUIT messages to any window whose title contains one of the following words:
Quote:
Kaka
Jiang Min
Kingsoft
task manager
* Scavenger
* star
Super Patrol
NOD32 Core
Safety
Safety Guard
* killer
NOD32
Kernel
OD
Micro dots
Calls the FindWindowA function to locate the following windows and calls PostMessageA to send them WM_CLOSE, closing the window:
Quote:
AVP.Product_Notification
AVP.Product_Noti
Executes the command net stop sharedaccess to stop the built-in Windows Firewall service (SharedAccess).
C:\WINDOWS\system32\ is injected into running processes.
The * is executed in order to download the *:
Code:
Download http://218.61.18.*/
http://218.61.18.*/
http://218.61.18.*/
(The IP address belongs to China Netcom in Dalian, Liaoning.)
The files are saved to C:\Documents and Settings and named ~ respectively, with a 200 ms interval between downloads.
During testing the http://218.61.18.*/() link had already expired.
One of the downloaded files is itself a downloader:
it fetches http://rr.*.cn/~http://rr.*.cn/, but that download link has also expired.
Infects the .exe files under the following folders:
Quote:
WINDOWS
WINNT
RECYCLE
System Volume Information
Internet Explorer
Outlook Express
NetMeeting
Common Files
Messenger
Windows Media Player
WinRAR
MSOCache
Documents and Settings
An infected file grows by 593 bytes and its icon is unchanged. The infection method still needs to be analysed by the experts...
Registers the service WindowsRemote
Startup type: Automatic
Display name: Windows Accounts Driver
It is also a * downloader, but its download link is dead.
After all of the viruses have finished running, the sreng log looks like this:
Services
Code:
[A GooD DownLoad CAHW / AnHao_VIP_CAHW][Running/Auto Start]
[Windows Accounts Driver / WindowsRemote][Stopped/Auto Start]
==================================
[C:\]
[autorun]
OPEN=
shellexecute=
shell\Auto\command=
shell=open
[D:\]
[autorun]
OPEN=
shellexecute=
shell\Auto\command=
shell=open
...
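To turn the SREng log above into something a defender can check mechanically, here is an added example (my own code, not part of the original post or of SREng) that parses a log excerpt in the same format, pulls out the two service entries and the autorun.inf sections on each drive root, and reports the persistence indicators the post describes: the AnHao_VIP_CAHW and WindowsRemote services set to Auto Start, and autorun.inf keys (OPEN, shellexecute, shell\Auto\command) that run a file when the drive is opened. The sample log is constructed from the lines quoted in the post; the file paths after the `=` signs are left empty because the post elides them.

```python
"""Parse a SREng-style log excerpt and flag the persistence indicators from the post."""
import re
from typing import Dict, List

# Service names copied from the post's SREng log.
KNOWN_BAD_SERVICES = {"AnHao_VIP_CAHW", "WindowsRemote"}
# autorun.inf keys that hand control to a file when the drive is opened (compared lower-case).
AUTORUN_EXEC_KEYS = {"open", "shellexecute", "shell\\auto\\command"}

# [Display Name / ServiceName][State/StartType]
SERVICE_RE = re.compile(
    r"^\[(?P<display>[^/\]]+?)\s*/\s*(?P<name>[^\]]+)\]\[(?P<state>[^/]+)/(?P<start>[^\]]+)\]$"
)
# [C:\]  -- a drive-root header that starts an autorun.inf section
DRIVE_RE = re.compile(r"^\[(?P<drive>[A-Za-z]:\\)\]$")

# Constructed sample: the service and autorun lines quoted in the post, values elided as there.
SAMPLE_LOG = """\
[A GooD DownLoad CAHW / AnHao_VIP_CAHW][Running/Auto Start]
[Windows Accounts Driver / WindowsRemote][Stopped/Auto Start]
==================================
[C:\\]
[autorun]
OPEN=
shellexecute=
shell\\Auto\\command=
shell=open
[D:\\]
[autorun]
OPEN=
shellexecute=
shell\\Auto\\command=
shell=open
"""


def parse_sreng(text: str) -> Dict[str, object]:
    """Return {'services': [...], 'autoruns': {drive: {key: value}}} for a log excerpt."""
    services: List[Dict[str, str]] = []
    autoruns: Dict[str, Dict[str, str]] = {}
    drive = None  # drive whose autorun.inf section we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append({k: m.group(k).strip() for k in ("display", "name", "state", "start")})
            drive = None
            continue
        m = DRIVE_RE.match(line)
        if m:
            drive = m.group("drive").upper()
            autoruns[drive] = {}
            continue
        # Inside a drive section, "key=value" lines are autorun.inf entries; "[autorun]" is skipped.
        if drive and "=" in line and not line.startswith("["):
            key, _, value = line.partition("=")
            autoruns[drive][key.strip().lower()] = value.strip()
    return {"services": services, "autoruns": autoruns}


def find_indicators(parsed: Dict[str, object]) -> List[str]:
    """Describe each auto-start malicious service and each drive with an executing autorun.inf."""
    hits: List[str] = []
    for svc in parsed["services"]:
        if svc["name"] in KNOWN_BAD_SERVICES and svc["start"].startswith("Auto"):
            hits.append(
                f"service {svc['name']} ({svc['display']}) is {svc['start']}, currently {svc['state']}"
            )
    for drive, keys in parsed["autoruns"].items():
        exec_keys = sorted(k for k in keys if k in AUTORUN_EXEC_KEYS)
        if exec_keys:
            hits.append(f"autorun.inf on {drive} defines {', '.join(exec_keys)}")
    return hits


if __name__ == "__main__":
    for hit in find_indicators(parse_sreng(SAMPLE_LOG)):
        print(hit)
```

Running the script against a real SREng export (the service and drive sections in the same bracketed format) gives a quick list of what the manual steps below have to remove; an empty list after cleanup is the confirmation that both services are gone and no drive root still carries an executing autorun.inf.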
Manual removal:
Download sreng, unzip it and run it.
Go to "Startup Items" - "Services" - "Win32 Applications" and tick "Hide verified Microsoft items".
Select the following entries, click "Delete Service", then click "Setup", and click "No" in the dialog that pops up:
Code:
A GooD DownLoad CAHW / AnHao_VIP_CAHW
Windows Accounts Driver / WindowsRemote
Restart the computer.
Double-click My Computer, open Tools, Folder Options, View; select "Show hidden files and folders" and clear the checkbox in front of "Hide protected operating system files (Recommended)".
When prompted to confirm the change, click Yes, then OK.
Click the Folders button below the menu bar (to the right of the Search button) and locate the following files:
Code:
C:\WINDOWS\system32\
C:\WINDOWS\system32\
C:\WINDOWS\system32\