SoFunction
Updated on 2025-04-08

Virus and manual detection methods

This is a * group that spreads via the ANI vulnerability. Its "dynamic process insertion" behaviour is one of the reasons it is so hard to remove once a machine has been hit.

Also: once infected, every .exe outside the system partition is infected as well. This is the other major trouble with this malware.

"Symptoms" after infection: the virus process is visible in the process list.

Suggestion: scan with SREng and save the log first, to clarify the basic situation and make the later manual removal work easier.

The manual detection and removal process is as follows (using IceSword):

1. Prohibit process creation.

2. Using the SREng log, first end the virus process and every process the virus module has been inserted into (which processes are affected depends on what programs you were running at the time; the following is an example from after I ran this sample).


Code:
[PID: 484][C:\windows\] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]

[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\windows\system32\] [N/A, N/A]

[PID: 2252][C:\Program Files\Tiny Firewall Pro\] [Computer Associates International, Inc., 6.5.3.2]

[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]

[PID: 3880][C:\WINDOWS\system32\shadow\] [PowerShadow, 1, 0, 0, 1]

[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]

[PID: 2760][C:\Program Files\SREng2\] [Smallfrogs Studio, 2.3.13.690]

[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]
[C:\DOCUME~1\baohelin\LOCALS~1\Temp\] [N/A, N/A]

[PID: 2548][C:\windows\] [N/A, N/A]


3. Delete the virus files and clear the IE temporary folder.

4. Delete the virus startup item.

Consider a special case:

If you keep tools such as autoruns outside the system partition, running autoruns at this point is a big problem, because after infection with this virus every .exe outside the system partition has been infected.

5. Cancel IceSword's "Prohibit process creation".

6. Repair the hosts file.

Note: the .exe files outside the system partition that the virus infected are probably beyond rescue.
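As an added defender-side example (not code from the original post or from SREng), the Python script below reads a log in the format shown in step 2, flags processes that have loaded a module from a Temp directory with no vendor or version information, and lists modules shared across the flagged processes, which is the "inserted into every running program" pattern that makes this family hard to kill. The Temp-directory rule is an assumption drawn from the log above, and the process and module names in the sample are constructed placeholders, since the page's log has them elided.

```python
import re
from collections import Counter

# SREng log shapes: a process header "[PID: n][path] [vendor, version]", then one
# module line "[path] [vendor, version]" per loaded module until the next header.
PROCESS_RE = re.compile(r"^\[PID:\s*(\d+)\]\[([^\]]+)\]\s*\[([^\]]*)\]$")
MODULE_RE = re.compile(r"^\[([^\]]+)\]\s*\[([^\]]*)\]$")
# Assumption: a module loaded from a Temp directory (8.3 "LOCALS~1\Temp" included)
# that carries no vendor/version data is the injection signature worth flagging.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

def parse_sreng_log(text):
    """Map each PID to its image path, version info and list of (module path, info)."""
    processes, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = PROCESS_RE.match(line)
        if m:
            current = {"image": m.group(2), "info": m.group(3), "modules": []}
            processes[int(m.group(1))] = current
            continue
        m = MODULE_RE.match(line)
        if m and current is not None:
            current["modules"].append((m.group(1), m.group(2)))
    return processes

def flag_injected(processes):
    """Return {pid: [module paths]} for modules that sit in Temp and show 'N/A, N/A'."""
    hits = {}
    for pid, proc in processes.items():
        bad = [path for path, info in proc["modules"]
               if info.strip().upper() == "N/A, N/A" and TEMP_DIR_RE.search(path)]
        if bad:
            hits[pid] = bad
    return hits

def shared_injected(hits):
    """Flagged module paths seen in two or more processes (one file inserted everywhere)."""
    counts = Counter(p for paths in hits.values() for p in set(paths))
    return sorted(p for p, n in counts.items() if n >= 2)

# Constructed sample in the step 2 log format; image and module names are placeholders.
SAMPLE_LOG = r"""
[PID: 484][C:\windows\sample_host_a.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\DOCUME~1\user\LOCALS~1\Temp\sample_mod1.dll] [N/A, N/A]
[C:\DOCUME~1\user\LOCALS~1\Temp\sample_mod2.dll] [N/A, N/A]
[C:\windows\system32\sample_mod3.dll] [N/A, N/A]
[PID: 2252][C:\Program Files\Tiny Firewall Pro\sample_host_b.exe] [Computer Associates International, Inc., 6.5.3.2]
[C:\DOCUME~1\user\LOCALS~1\Temp\sample_mod1.dll] [N/A, N/A]
"""
```

Running `flag_injected(parse_sreng_log(SAMPLE_LOG))` gives the PIDs to end in step 2, and `shared_injected` on that result names the module file to hunt for in step 3.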