Main behavior:
1. Drops the following files:
C:\Windows\System32\
671,744 bytes
C:\Windows\Tasks\
346 bytes
2. Adds a startup item:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
The value name is "Yahoo Messengger" (misspelled as in the sample), pointing to .
3. Modifies the registry so that it is launched together with Explorer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = " "
4. Disables the Registry Editor and Task Manager:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = 0x00000001
DisableRegistryTools = 0x00000001
5. Connects to the network and downloads further junk (not yet implemented):
hxxp://nhatquanglan2./
hxxp://nhatquanglan2./
hxxp:///nhattruongquang/
hxxp:///nhattruongquang/
6. Adds a scheduled task:
C:\Windows\Tasks\
346 bytes
Solution:
1. Download SREng, then disconnect from the network.
2. Open SREng; it will report that the item
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
has been maliciously modified, and it will repair it automatically after you click OK.
3. Delete the "Yahoo Messengger" startup entry and the it points to (detailed steps: open SREng - Startup Items - Registry).
4. Restart the computer and delete the files:
C:\Windows\System32\
C:\Windows\Tasks\
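The registry indicators listed under "Main behavior" (items 2 to 4) and the manual cleanup under "Solution" can be checked and reverted from PowerShell without SREng. The script below is an added example, not part of the original write-up and not a tool from the original author; it assumes the value name "Yahoo Messengger", the Winlogon Shell hijack, the two policy values and the file sizes exactly as quoted above, and it treats any Winlogon Shell other than plain explorer.exe as suspect. Because the Run and Policies keys live under HKEY_CURRENT_USER, run it in an elevated session as the infected user. Without -Remediate it only reports; the file names are not given on the page, so files are only flagged by size, never deleted.

```powershell
# Added audit/cleanup helper for the persistence described above (example code, not SREng).
# Run elevated, as the affected user. Without -Remediate nothing is changed.
[CmdletBinding()]
param([switch]$Remediate)

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$runValue  = 'Yahoo Messengger'   # misspelled value name quoted in the write-up
$findings  = @()

# 1. Run-key autostart entry
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$runValue]) {
    $findings += "Run entry '$runValue' -> $($run.$runValue)"
    if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $runValue }
}

# 2. Winlogon Shell hijack: the normal value is just 'explorer.exe'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell = '$shell'"
    if ($Remediate) { Set-ItemProperty -Path $winlogon -Name Shell -Value 'explorer.exe' }
}

# 3. Task Manager / Registry Editor lock-out policies (DisableTaskMgr, DisableRegistryTools = 1)
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $val = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -eq 1) {
        $findings += "$name = 1 under $policyKey"
        if ($Remediate) { Remove-ItemProperty -Path $policyKey -Name $name }
    }
}

# 4. Dropped files: the page gives only sizes, so flag files of exactly those sizes
#    (weak heuristic, assumed from the write-up; review before deleting anything)
$sizeHints = @{ 'C:\Windows\System32' = 671744; 'C:\Windows\Tasks' = 346 }
foreach ($dir in $sizeHints.Keys) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq $sizeHints[$dir] } |
        ForEach-Object { $findings += "File of $($_.Length) bytes: $($_.FullName) (created $($_.CreationTime))" }
}

if ($findings.Count -eq 0) {
    'No indicators found.'
} else {
    $findings | ForEach-Object { "FOUND: $_" }
    if (-not $Remediate) { 'Re-run with -Remediate to revert the registry changes.' }
}
```

After remediation, restart as the write-up says so that the Shell value and the Run key are re-read, then delete the flagged files manually once you have confirmed which ones belong to the sample.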