Eni ani worm Solution

Recently, a worm for the ANI vulnerability is very active (now the National Computer Virus Emergency treatment center has been uniformly named "Eni"). For a time, the media rushed to report, many users are also in the recruit, but we are very confused, do not know how to deal with the virus after the infection?

Although there are many articles on the internet about the virus, most of them stay in the introduction of the virus phase, even if the solution is only a few simple words, for those infected with the virus is only a drop in the bucket.

Jinshan Poison PA Anti-Virus engineer Li Tiejun in his blog detailed description of the virus prevention and solutions, I hope to be able to have infected the virus to help users!

The following is a detailed description of the "Eni" (ANI) worm

Virus name: Eni (alias, Maying, Ani worm)

English Name: Myinfect.af/dlonlinegames/trojan-downloader.win32.agent.bky

Technical analysis

1, release the virus files to the following path:

%system%\sysload3.exe

2, modify the registry, add the following key values:

Hkcu\software\microsoft\windows\currentversion\run

"System Boot Check" = "C:\WINDOWS\system32\sysload3.exe"

3, from the IE process, inject virus code, connect the network to download a large number of viruses, trojan programs, when the new version of the virus, will download updates.

4, send the message spread itself:

Topic: Who did you and who filmed it in the video? I'll give you a laugh!

Content: Look at your sample! I think you are famous!

You see this address! Your face is so clear! You've become a star!

5. Notepad process, convenient local disk, network share directory, infection size in 10K---10M between the. exe file, infected with extension. ASP,. JSP, PHP, HTM, ASPX, HTML script files, so that the virus is difficult to detect.

6, modify the host file, shielding access to certain websites

7, detect the floppy disk, if there is a copy of the virus file to the file name Tool.exe, and generate Autorun.inf files, so that the virus can automatically run to spread itself.

This should be a virus-written bug, the current floppy drive has been basically eliminated, if you find the following balloon, you are likely to be in the "Love You" virus.

Cleanup steps

1. Because the use of ANI vulnerabilities Trojan and virus many, Eni virus variant is also a lot, and Eni is an infected worm, will infect the destruction EXE program and Web page format files, first recommended you use antivirus software killing.

2. Manual killing, first end Notepad.exe process and iexplore.exe process

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"System Boot Check" = "%system%\sysbmw.exe"

4. Delete the referenced virus file:

%system%\sysbmw.exe

%system%\sys_ini.ini

Protective measures:

1. Less unsafe sites, for through MSN,QQ, as well as email sent to the unknown link, do not click

2. Note that Microsoft released the vulnerability patch information, after the release, please download the installation of the first time

3. Upgrade antivirus software, the current Jinshan poison PA has been upgraded to provide for the ANI vulnerability itself and the Eni worm of the immune program, can effectively prevent Internet access by this type of virus infection.

Attachment: How to deal with the virus crisis caused by ANI loophole?

Last week, the Jinshan Antivirus center found that some websites use Windows animated cursor (ANI) file to spread Trojan horses, which are usually for the purpose of stealing numbers. Microsoft has not yet released a patch for this vulnerability, and the Internet has already appeared on the Web Trojan generator that exploited the vulnerability.

Soon, the first worm to use the vulnerability spread, Eni (WORM.MYINFECT.AF), the virus set the panda incense, gold and the two major features of the virus, is a highly disseminated and destructive worms, Not only can crazy infect the user's computer in the. exe file, but also download other Trojan and virus programs, the virus spread through the LAN may cause the network large area paralysis.

More seriously, the use of the Microsoft Animation Cursor (ANI) vulnerability spread, including the security of the painstaking Vista system is not spared, users can only browse the malicious code of the Web page or e-mail will immediately infect the virus. Jinshan anti-Virus Center has provided an emergency immunization program for the risk of the vulnerability. According to the latest statistics, only 1 days, the immune device successfully prevented more than 30,000 attacks occurred.