Recently a friend running Windows 7 tried to turn on network sharing, but shared access could not be enabled and the system reported error 1061, "The service cannot accept control messages at this time." What is going on, and what should be done? The main cause of this problem is a worm infecting the system; the details are given below.
Cause analysis:
Virus name: Win32/Luder.I (worm)
Other names: W32/Dref-U (Sophos), Win32/Luder.I!worm, W32.Mixor.Q@mm (Symantec), W32/Nuwar@MM (McAfee), W32/Tibs.RA (F-Secure), Trojan-Downloader.Win32.Tibs.jy (Kaspersky)
Type: Worm
Harmfulness: Moderate
Prevalence: High
Details:
Characteristics:
Win32/Luder.I is a worm that spreads by e-mail and by infecting PE files and RAR archives. It also drops a trojan that downloads and runs other malicious programs. It is a 17,559-byte Win32 executable.
Infection method:
When run, Win32/Luder.I copies itself to %System%\ppl.exe and sets the hidden attribute on the file. It then adds the following registry values so that the copy is run every time the system starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Agent = "%System%\ppl.exe ..."
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Agent = "%System%\ppl.exe ..."
Note: %System% is a variable path; the virus determines the location of the current system folder by querying the operating system. The default system folder is C:\Winnt\System32 on Windows NT, C:\Windows\System on Windows 95, 98 and ME, and C:\Windows\System32 on Windows XP.
Luder.I also drops and runs a file with an arbitrary name that is detected as the Win32/Sinteri!downloader trojan. The worm creates a mutex named "KKK33EWRRT" to ensure that only one copy runs at a time.
Propagation:
Mail propagation: the worm harvests e-mail addresses from the local system and mails itself to them. It locates the Windows Address Book through the following registry value: HKCU\Software\Microsoft\WAB\WAB4\Wab File Name. It then searches drives Z: down to C: for files with the following extensions:
.rar
.scr
.exe
.htm
.txt
.ht
The worm performs DNS MX (mail exchanger) queries to find the appropriate mail server for each domain it sends to. It uses the locally configured default DNS server for these queries.
Luder.I tries to send a message to every mail address it collects. The messages have the following characteristics:
Sender address:
The worm combines an arbitrary first name (chosen from a list carried by the worm) with an arbitrary number and the recipient's domain name to forge the sender address, for example Clarissa26@domain.com.
Subject may be: Happy New Year!
Attachment name: Postcard.exe
Infecting PE files: each time Luder.I finds a file with an .exe or .scr extension, it copies the virus into the directory containing that file under a file name of the form <random name>.t and sets the copy as a hidden file.
Note: the random name consists of 8 lowercase letters, for example "vrstmkgk.t".
Luder.I checks the file's PE header to see whether there is enough room to insert its code in the middle of the file and still have it run. It does not infect DLLs or executables that are already infected. When an infected file is run, it first runs the corresponding <random name>.t. Luder.I writes 666 as a marker into the timestamp field of the infected file's PE header so that it does not infect the same file again.
Note: the generated <random name>.t file is not modified by Luder.I even if the target file does not meet all of the infection conditions.
Infecting RAR archives:
Luder.I adds a file named <random filename>.exe to every RAR archive it finds, where the random filename is 7 letters and digits, for example "DnoCV18.exe". An archive may be infected again each time Luder.I runs.
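The timestamp marker described above is something a defender can check for directly. The following PowerShell is an added example, not code from the original article or from any vendor: it reads the COFF TimeDateStamp from each .exe/.scr file under a directory and reports those whose stamp equals 666; the function names and the scan root are assumptions.

```powershell
# Added example (not from the original article): read-only check for the
# TimeDateStamp = 666 marker that Luder.I writes into infected PE headers.
function Test-LuderTimestampMarker {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # DOS header: 'MZ' magic, then e_lfanew (offset of the PE header) at 0x3C
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $null }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    # 'PE\0\0' (4 bytes) plus the 20-byte COFF header must fit in the file
    if ($peOffset -lt 0x40 -or ($peOffset + 24) -gt $bytes.Length) { return $null }
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { return $null }
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    $stamp = [BitConverter]::ToUInt32($bytes, $peOffset + 8)
    $epoch = [DateTime]::SpecifyKind([DateTime]'1970-01-01', 'Utc')
    [pscustomobject]@{
        Path          = $Path
        TimeDateStamp = $stamp
        BuildTimeUtc  = $epoch.AddSeconds($stamp)   # 666 -> 1970-01-01 00:11:06
        LuderMarker   = ($stamp -eq 666)
    }
}

# Scan the extensions Luder.I targets (.exe, .scr). A legitimate linker stamp
# of 1970-01-01 00:11:06 UTC is not realistic, so a hit is a strong indicator.
# Also list hidden 8-lowercase-letter ".t" files, the dropper the worm leaves
# beside each infected program.
function Find-LuderArtifacts {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -Include *.exe, *.scr -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-LuderTimestampMarker -Path $_.FullName } |
        Where-Object { $_ -and $_.LuderMarker }
    Get-ChildItem -Path $Root -Recurse -Force -Filter *.t -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[a-z]{8}\.t$' -and ($_.Attributes -band 'Hidden') } |
        ForEach-Object { [pscustomobject]@{ Path = $_.FullName; TimeDateStamp = $null; BuildTimeUtc = $null; LuderMarker = 'dropper' } }
}

# Assumed scan root; adjust to the drives the worm searches (Z: down to C:).
Find-LuderArtifacts -Root "$env:SystemRoot\System32" | Format-Table Path, TimeDateStamp, BuildTimeUtc, LuderMarker -AutoSize
```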
Harm:
Downloading and running arbitrary files: Luder.I drops a file that downloads other malicious programs to the infected machine. The downloaded files include other variants of Win32/Sinteri, Win32/Sinray, Win32/Sinhar and Win32/Luder.
Terminating processes:
Every 4 seconds, if Registry Editor (regedit.exe) or any process whose window title contains one of the following strings is running, Luder.I attempts to terminate it:
anti
Viru
Troja
Avp
Nav
Rav
Reged
nod32
Spybot
Zonea
Vsmon
Avg
BlackICE
Firewall
Msconfig
Lockdown
F-pro
Hijack
Taskmgr
Mcafee
Modifying system settings:
Luder.I sets the following registry value so that the Windows Firewall/Internet Connection Sharing (ICS) service (formerly known as Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)) is disabled: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 4
Removal:
Anguang InoculateIT 23.73.102 and Vet version 30.3.3288 detect and remove the virus.
How to fix the error:
Open the Registry Editor, locate the following key and change its Start value to 4 to repair Internet sharing. The equivalent .reg file is:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
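Before and after applying the fix it helps to confirm which of the indicators described in this article are actually present. The following PowerShell is an added example, not code from the original article: it performs read-only checks for the dropped ppl.exe, the Run\Agent persistence values, the SharedAccess Start value and the worm's mutex, and modifies nothing; the function name is an assumption.

```powershell
# Added example (not from the original article): read-only indicator checks.
# Start values are the standard service start types: 2 = Automatic,
# 3 = Manual, 4 = Disabled. The worm sets SharedAccess\Start to 4.
function Get-LuderHostIndicators {
    $system  = "$env:SystemRoot\System32"
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

    # 1. The dropped copy: hidden %System%\ppl.exe (-Force shows hidden files)
    $ppl = Get-Item -LiteralPath (Join-Path $system 'ppl.exe') -Force -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'ppl.exe in %System%'
        Found  = [bool]$ppl
        Detail = if ($ppl) { "attributes: $($ppl.Attributes)" } else { '' }
    }

    # 2. Persistence: a Run value named "Agent" that points at ppl.exe
    foreach ($key in $runKeys) {
        $val = (Get-ItemProperty -Path $key -Name Agent -ErrorAction SilentlyContinue).Agent
        [pscustomobject]@{
            Check  = "$key\Agent"
            Found  = ($null -ne $val -and $val -match 'ppl\.exe')
            Detail = if ($val) { $val } else { '' }
        }
    }

    # 3. Start type of the SharedAccess (Windows Firewall/ICS) service
    $svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'
    $start   = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
    $meaning = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    $label   = if ($null -ne $start -and $meaning.ContainsKey([int]$start)) { $meaning[[int]$start] } else { 'other' }
    [pscustomobject]@{
        Check  = "$svcKey\Start"
        Found  = ($start -eq 4)
        Detail = if ($null -ne $start) { "Start = $start ($label)" } else { 'value missing' }
    }

    # 4. Live infection: the KKK33EWRRT mutex exists only while the worm runs
    $m = $null
    $mutexExists = [System.Threading.Mutex]::TryOpenExisting('KKK33EWRRT', [ref]$m)
    if ($m) { $m.Dispose() }
    [pscustomobject]@{
        Check  = 'mutex KKK33EWRRT'
        Found  = $mutexExists
        Detail = if ($mutexExists) { 'open succeeded (worm process running)' } else { '' }
    }
}

Get-LuderHostIndicators | Format-Table Check, Found, Detail -AutoSize
```

Run it from an elevated prompt so the HKLM and System32 checks are not blocked by permissions.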
Many Windows 7 users run into error 1061 when enabling network share access. It is mainly caused by this virus, and only by understanding the virus's nature and the harm it does can the user fully remove it and resolve the problem.