On December 29, 2004, the Jiangmin Anti-Virus Center was the first to intercept a new "invisible virus", Backdoor/, which it named "Invisible Thieves". Once run, the virus injects itself into a system process as a thread and immediately deletes its own file from disk to evade detection and removal by anti-virus software. It also uses techniques such as hooks and port mapping so that the hacker can remotely control the user's computer without any visible symptoms.
Once the infection succeeds, the backdoor binds to TCP port 138 and listens for the hacker's instructions, which can remotely shut down the user's computer, terminate user processes, download user files, and so on. "Invisible Thieves" also installs a global hook to monitor the user's shutdown, restart and similar operations; before the system shuts down it recreates the virus file and its startup entries, so that the virus runs automatically the next time the machine is powered on.
Because Invisible Thieves deletes its own file after running and then lives only inside an injected system process, this "invisible" behaviour makes it harder for anti-virus software to detect and remove. But the invisible thief is not unbeatable. Jiangmin anti-virus experts recently gave users three moves that can expose the invisible thief's true form and cut off the "black hand" it reaches out.
1. Kill it before it happens. Promptly update KV2005 anti-virus software to the December 29 virus database and enable real-time monitoring for all viruses (especially file monitoring), so that the virus body is killed as soon as it appears.
2. Block TCP port 138. Since the virus binds its backdoor to TCP port 138 and listens for the hacker's instructions in an attempt to steal private files from the infected machine, closing that port minimizes the harm the virus can do. (You can block TCP port 138 with firewall software, or use the TCP/IP filtering function provided by Windows 2000 and later. Ordinary individual users can choose to allow only port 80.)
3. Power off and shut down. If you suspect you are infected with "Invisible Thieves", do not shut down or restart the system normally, because those operations are exactly what the virus monitors. Once it sees such an instruction, it recreates the virus file and startup entries before the system shuts down, so that the virus runs automatically the next time the machine is turned on. By cutting the power immediately instead, you deny the "Invisible Thieves" virus the chance to rewrite its files.
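The second move relies on knowing whether anything on the machine is actually listening on TCP port 138. On Windows that port normally carries the NetBIOS datagram service over UDP, so a TCP listener there is itself a useful indicator. The following added example (not from the article or from Jiangmin) parses `netstat -ano` output and reports TCP listeners on port 138 with the owning PID; the netstat output shown is constructed for the example, and the PID 1764 in it is a placeholder, not a real indicator.

```python
"""Flag unexpected TCP listeners on port 138 from `netstat -ano` output.

Added example for the Invisible Thieves article. The sample output below is
constructed; run the real command and feed its text to parse_netstat() to
check an actual host.
"""

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:138            0.0.0.0:0              LISTENING       1764
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:3389       192.168.1.9:50122      ESTABLISHED     1204
  UDP    192.168.1.5:137        *:*                                    4
  UDP    192.168.1.5:138        *:*                                    4
"""

# Ports the article says the backdoor binds to. Only TCP listeners are
# suspicious here: UDP 138 is the legitimate NetBIOS datagram service.
SUSPECT_TCP_PORTS = {138}


def parse_netstat(text):
    """Turn netstat -ano lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            if len(parts) < 5:
                continue  # malformed TCP line; needs State and PID columns
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]  # UDP rows have no State column
        # rpartition copes with IPv6 locals such as [::]:135
        host, _, port = local.rpartition(":")
        rows.append({
            "proto": proto,
            "host": host,
            "port": int(port),
            "foreign": foreign,
            "state": state,
            "pid": int(pid),
        })
    return rows


def find_suspect_listeners(rows, ports=SUSPECT_TCP_PORTS):
    """Return TCP rows in LISTENING state whose local port is in `ports`."""
    return [
        r for r in rows
        if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["port"] in ports
    ]


def main():
    hits = find_suspect_listeners(parse_netstat(SAMPLE_NETSTAT))
    if not hits:
        print("No TCP listener on port 138 found.")
    for h in hits:
        print(f"TCP listener on {h['host']}:{h['port']} owned by PID {h['pid']}; "
              f"inspect that process and block the port at the firewall.")


if __name__ == "__main__":
    main()
```

A PID that turns out to belong to a normal system process is consistent with the article's description of the backdoor running as an injected thread, so the finding should be followed by inspecting that process rather than dismissed; blocking inbound TCP 138 at the firewall, as the article suggests, does not depend on identifying the process first.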