The National Computer Virus Emergency Response Center discovered the "Ani" compound virus while monitoring the Internet. The virus spreads by exploiting a vulnerability in the way Microsoft Windows processes ANI (animated cursor) files, by infecting normal executable files and local web files, by sending email, and by infecting USB flash drives and other removable storage media. It has strong self-propagation ability, and once a machine is infected the * program is automatically downloaded and run, causing great harm.
The worm has many variants, which spread rapidly in a short period after appearing, making it difficult for infected users to remove them completely and causing considerable disruption to their work.
The worm is analyzed as follows:
Virus name: Worm_MyInfect.af
Chinese name: "Ani"
Other names: I-Worm/AniLoad (Jiang Min)
(Kinsoft)
(Rising)
Virus type: Compound type (file infector and worm)
Infected system: Windows 9X/ Windows ME/ Windows NT/ Windows 2000/Windows XP/ Windows 2003/ Windows Vista
Virus characteristics:
1. Generate virus files
After running, the virus copies itself into the following directory: %SysDir%
2. Modify the registry
HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "System Boot Check" = "%SysDir%". In this way the virus is started automatically with Windows.
3. Infect files on the system
It infects executable and script files on local disks and in network shared directories.
1) Executable files
The virus prepends itself to the host program: the original file is appended to the end of the virus body, so the two become one file. When the infected file is run, the virus code runs first.
2) Script files
The following is appended to the end of these script files; it loads a script containing the code below:
The two image links in that code exploit the ANI vulnerability: the cursor files contain overflow attack code, so a machine is compromised as soon as the web page is opened in an unpatched browser.
4. Download files from a specified URL
Downloads the * program and virus update programs from a specified URL.
5. Spread by email
The virus email has the following characteristics:
From: i_love_cq@
Subject: Who did you videotape with? I'm laughing to death!
Body:
Look at yourself! I think you're famous now!
Look at this address! Your face is shown so clearly! You've become a star! http://****./***/
If the user clicks the link, the page carrying the virus is opened and the machine is infected.
6. Other behaviour
Iterates through drives A to Z; if a drive is removable storage, it creates its files on that drive in order to propagate itself. Checks for a floppy drive and, if one exists, copies the virus file to it and generates a file that causes the virus to run automatically when the media is used. Modifies the hosts file to block multiple URLs; most of these are sites that were previously used to spread other viruses.
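Recovering the host program from an infected executable, as an added example that is not part of the original advisory. The advisory states only that the original file is appended to the end of the virus body; it gives no stub size or end-of-stub marker, so this carver relies on the generic property of such prependers that the host is stored intact: it scans for the second well-formed PE header (an "MZ" DOS header whose e_lfanew field points at a "PE\0\0" signature) and carves from there. The sample files are constructed in memory for the demonstration and are not real malware; a carved file should be compared against a known-good copy or hash before it is trusted.

```python
"""Carve the host executable out of a file infected by a prepending infector.

Added example; not code from the advisory. Assumes the infector stores the
original PE intact after its own body (the advisory says it is appended) and
that the virus body itself contains no second valid PE header.
"""
import struct
from typing import Optional


def looks_like_pe(data: bytes, off: int) -> bool:
    """True if data[off:] starts with an MZ header whose e_lfanew lands on PE\\0\\0."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe_off = off + e_lfanew
    # e_lfanew must point past the DOS header and inside the file
    return 0x40 <= e_lfanew and pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\0\0"


def find_embedded_pe(data: bytes, start: int = 1) -> Optional[int]:
    """Offset of the first valid PE header at or after `start`, or None.
    Stray 'MZ' byte pairs that are not real headers are skipped."""
    off = data.find(b"MZ", start)
    while off != -1:
        if looks_like_pe(data, off):
            return off
        off = data.find(b"MZ", off + 1)
    return None


def carve_host(data: bytes) -> Optional[bytes]:
    """Return the appended host executable, or None when the input is not a
    PE that carries a second PE (i.e. not infected by a prepender)."""
    if not looks_like_pe(data, 0):
        return None
    host_off = find_embedded_pe(data, 1)
    if host_off is None:
        return None
    return data[host_off:]


def make_fake_pe(payload: bytes) -> bytes:
    """Constructed minimal PE-shaped blob: 0x40-byte DOS header with
    e_lfanew = 0x40, followed by the PE signature and a payload."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + payload


# Constructed samples: a stand-in 'virus' body with the clean host appended.
# The decoy "MZ" inside the virus body checks that the carver validates headers.
CLEAN_HOST = make_fake_pe(b"\0" * 16 + b"hello from the host program\n")
VIRUS_STUB = make_fake_pe(b"\0" * 16 + b"virus body ... MZ not a header ...")
INFECTED = VIRUS_STUB + CLEAN_HOST

if __name__ == "__main__":
    host = carve_host(INFECTED)
    print("host found at offset", find_embedded_pe(INFECTED))
    print("carved host matches clean copy:", host == CLEAN_HOST)
```

The carver deliberately stops at the first valid header after offset 1; if a packer or a second infection has left several headers, inspect each candidate offset rather than trusting the first.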
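Checking a cursor file for the malformed anih chunk that the ANI exploit in section 3 depends on, as an added example that is not part of the original advisory. An ANI file is a RIFF container ("RIFF", a 32-bit size, "ACON", then chunks of a 4-byte id, a little-endian 32-bit size and the data, padded to an even length); the "anih" chunk carries a fixed 36-byte animation header. The vulnerability fixed by KB925902 (MS07-017) was that the loader copied an anih chunk's data into a 36-byte stack buffer using the size declared in the file, and only the first anih chunk was checked, so the scanner below flags any anih chunk whose declared size is not 36 and any file with more than one anih chunk. The sample files are constructed for the demonstration; the function names and the scanner itself are this example's, not the advisory's.

```python
"""Scan a RIFF/ACON (.ani) file for the anih-size anomaly used by the
animated-cursor overflow patched by MS07-017 (KB925902).

Added example; not code from the advisory. Format facts: RIFF container,
'anih' data is sizeof(ANIHEADER) == 36 bytes, chunks are word-aligned.
"""
import struct
from typing import Iterator, List, Optional, Tuple

ANIH_SIZE = 36  # sizeof(ANIHEADER), the size a genuine anih chunk declares


def iter_chunks(data: bytes, start: int, end: int) -> Iterator[Tuple[str, int, bytes, int]]:
    """Yield (chunk_id, declared_size, body_present, offset) for the chunks in
    data[start:end], descending into LIST chunks. declared_size is the size
    field as written in the file; body_present is what is actually there."""
    pos = start
    while pos + 8 <= end:
        cid = data[pos:pos + 4].decode("latin-1")
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body_end = min(pos + 8 + size, end)
        if cid == "LIST":
            # a LIST body starts with a 4-byte list type, then sub-chunks
            yield from iter_chunks(data, pos + 12, body_end)
        else:
            yield cid, size, data[pos + 8:body_end], pos
        pos += 8 + size + (size & 1)  # chunks are padded to an even length


def scan_ani(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means the file passed."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON file"]
    end = min(8 + struct.unpack_from("<I", data, 4)[0], len(data))
    findings: List[str] = []
    anih_seen = 0
    for cid, size, body, off in iter_chunks(data, 12, end):
        if cid == "anih":
            anih_seen += 1
            if size != ANIH_SIZE:
                # the declared size is what the vulnerable loader copied
                findings.append(f"anih chunk at offset {off} declares size {size} (expected {ANIH_SIZE})")
            elif len(body) == ANIH_SIZE and struct.unpack_from("<I", body, 0)[0] != ANIH_SIZE:
                findings.append(f"anih header at offset {off} has cbSizeof != {ANIH_SIZE}")
        elif size > end - off - 8:
            findings.append(f"{cid} chunk at offset {off} declares size {size}, overrunning the file")
    if anih_seen == 0:
        findings.append("no anih chunk")
    elif anih_seen > 1:
        findings.append(f"{anih_seen} anih chunks present; the old loader validated only the first")
    return findings


def chunk(cid: bytes, body: bytes, declared: Optional[int] = None) -> bytes:
    """Build a chunk; `declared` lets a test sample lie about its size."""
    size = len(body) if declared is None else declared
    return cid + struct.pack("<I", size) + body + (b"\0" if len(body) & 1 else b"")


def ani_file(chunks: bytes) -> bytes:
    return b"RIFF" + struct.pack("<I", 4 + len(chunks)) + b"ACON" + chunks


# Constructed samples. GOOD_ANIH is a plausible 36-byte header:
# cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags.
GOOD_ANIH = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
BENIGN = ani_file(chunk(b"anih", GOOD_ANIH) + chunk(b"LIST", b"fram" + chunk(b"icon", b"\0" * 8)))
# A valid first anih followed by an oversized second one: the MS07-017 pattern.
SUSPICIOUS = ani_file(chunk(b"anih", GOOD_ANIH) + chunk(b"anih", b"A" * 100))

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, scan_ani(sample) or "clean")
```

The check is on the declared size rather than the bytes present because that is the value the vulnerable code trusted; a file whose second anih chunk claims 100 bytes but is truncated is just as hostile. A format-level scanner like this catches the known trigger at a mail gateway or web proxy but is not a substitute for installing the patch.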
Solution:
1. Users who are not yet infected should install Microsoft's patch KB925902 (security bulletin MS07-017) as soon as possible, update their antivirus software promptly, and enable its "real-time monitoring" function.
2. Users already infected with this variant are advised to download the dedicated removal tool as soon as possible to detect and repair the infection, and then install Microsoft's patch KB925902 (MS07-017). Reinstalling the patch matters: removal alone leaves the machine open to reinfection from any web page that still carries the exploit.
Dedicated removal tool download address:
/jmsoft/ (Jiangmin Company)
Download address of Microsoft's related patch:
/technet/security/bulletin/
Safety advice:
1. Users on LANs should avoid creating writable shared directories; those who have already created them should stop sharing them immediately.
2. Unless it is necessary, Windows 2000/XP users should disable the IPC$ share and set complex passwords for accounts with administrator privileges.
3. Install Microsoft's security updates promptly and do not visit websites of unknown origin.
4. Install antivirus software and keep its virus definition database up to date.
5. When exchanging files via USB flash drives and other removable devices, make sure the antivirus software's "real-time monitoring" function is enabled, or scan the media with antivirus software first, and turn off the AutoPlay function.
6. AutoPlay, which the operating system enables by default, should be turned off to prevent infection while removable storage media are in use. Users with administrator privileges can turn it off as follows:
Windows XP users:
"Start" -> "Run" -> enter "" and confirm to open "Group Policy";
Open "Computer Configuration" -> "Administrative Templates" -> "System";
In the settings pane on the right, double-click "Turn off AutoPlay" to open its properties;
Select "Enabled", choose all drives in the properties box, and click "OK";
Similarly, open "User Configuration" -> "Administrative Templates" -> "System";
In the settings pane on the right, double-click "Turn off AutoPlay" to open its properties;
Select "Enabled", choose all drives in the properties box, and click "OK".
AutoPlay is now turned off for all drives. Note that on Windows 2000/XP this policy stops the automatic launch when media is inserted but does not by itself stop Windows from honouring a removable drive's autorun file when the drive is double-clicked in "My Computer" (Microsoft addressed this later in KB967715), so scanning the media before opening it remains necessary.
Note: Windows 2000 users open "Group Policy" as follows: "Start" -> "Run" ->
enter "mmc" and click "OK" to open the console; in the "Console" menu select "Add/Remove Snap-in", click "Add", select "Group Policy", and click "Add";