Services.exe shutdown in one minute after countdown

Source: Internet
Author: User
Tags kaspersky antivirus


Yun computer tutorial Source: Net Author: Yun updated on: 15:38:50 Q &

This article is transferred from: yunxing computer tutorial www.gonet8.com

Last night, less than an hour after I started the system, I opened several small, unknown websites. After a while I found that I couldn't open any website, although QQ still ran normally! At the same time, I found that only "Set Program Access and Defaults" and "Windows Update" were left in the Start menu. When I opened Kaspersky Antivirus, many of its functions were not displayed properly, and when I opened Windows Task Manager, the Performance tab could not be displayed. This was the first time I had seen such a problem. I had to restart the computer, and could only do so by forcing a shutdown!
The result was disappointing: one minute after the system starts up, it shuts down!
The prompt: C:\windows\system32\services.exe is not available, code 0
Fortunately, there is a Ghost backup on the computer!
Today I found a question on the Internet and sorted it out as follows:

Services.exe

I installed Win2000 SP4 and backed up a Ghost image after I updated the anti-virus software online. After connecting to the Internet, the computer crashed, and after the restart the system shut down automatically (60 seconds). The error says C:/winnt/system32/services.exe returned 128. I thought it was a virus infection caused by system vulnerabilities, so I used the Ghost boot disk to restore the system. Then it could be used normally. I downloaded the 2000 patches online. After a while, the above error occurred again. It shut down automatically and I used Ghost to restore it. The same error occurred again after a while on the Internet. Judging from the registry, it does not look like a virus infection, and anti-virus software is useless. Please help me. What should I do? Thank you.

On September 16, August 15, the Kingsoft anti-virus emergency response center intercepted a virus that actively attacks a severe Microsoft system vulnerability and named it Zotob (Worm.Zotob). Kingsoft's anti-virus experts said that Zotob spreads by actively exploiting the vulnerability and poses a very high threat to personal computers. The damage level is similar to that of the earlier Shock Wave (Blaster) worm. Once attacked, the computer restarts constantly and the system becomes unstable. The virus author also threatened the anti-virus vendors: the first anti-virus software to detect the worm would be "killed" within 24 hours!
Zotob exploits a severe system vulnerability that Microsoft had announced only five days earlier, the Windows Plug and Play service vulnerability (MS05-039), and attacks TCP port 445. The method is similar to that of Shock Wave and Wave: the attack code sends exploit code to port 445 of the target system, causing a buffer overflow on the target, and the virus code then runs and spreads. Zotob is actually the latest variant of Mytob, a popular email virus. This variant adds active attacks on the severe vulnerability announced with the patch five days earlier (the Windows Plug and Play service vulnerability, MS05-039), which greatly improves its ability to spread. Therefore, in addition to exploiting the vulnerability, Zotob also carries the dangers of spreading by email, automatically downloading new viruses, and so on, all of which put infected users at risk.
After the virus runs, it creates the file botzor.exe in the system directory; the file is 22528 bytes in size. It then adds the following startup items to the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows System" = botzor.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows System" = botzor.exe
In this way, the virus is executed automatically when Windows starts.
The "extremely fast wave" virus connects to an IRC server through TCP port 8080 and accepts and executes the attacker's commands, so the attacker can completely control the infected computer. It also opens an FTP service on TCP port 33333 from which the virus file can be downloaded. It spreads through the Microsoft Plug and Play remote code execution vulnerability (MS05-039). If the exploit code runs successfully, the remote target computer downloads the virus program from the FTP service on the infected computer. If the exploit code does not run successfully, the unpatched remote computer may show a failure of the services.exe process.
The virus also modifies the %SystemDir%\drivers\etc\hosts file to block a large number of websites belonging to foreign anti-virus and security vendors, and it issues a public challenge to the anti-virus vendors: the first anti-virus software to detect it will be "killed" within 24 hours. (MSG to AVS: The first AV who detect this worm will be the first killed in the next 24 hours !!!)

Affected systems:
Microsoft Windows XP SP2
Microsoft Windows XP SP1
Microsoft Windows Server 2003 SP1
Microsoft Windows Server 2003
Microsoft Windows 2000 SP4
Microsoft Windows Plug and Play (PnP) allows the operating system to detect new hardware.
A buffer overflow vulnerability exists in the Plug and Play function of Microsoft Windows. Attackers who successfully exploit this vulnerability can completely control the affected system.
The cause is the way the PnP service handles malformed messages that contain too much data. On Windows 2000, anonymous users can exploit this vulnerability by sending specially crafted messages. On Windows XP Service Pack 1, only authenticated users can send malicious messages. On Windows XP Service Pack 2 and Windows Server 2003, attackers must log on to the system locally and run a special application to exploit this vulnerability.
This code is very harmful: it can remotely obtain full permissions on a computer. The computer only needs to be connected to the Internet or a LAN for the Zotob virus to reach it. Do not use this code for illegal activities!
Note that if no protective measures are taken, a computer can be infected even if the user does nothing, just as with Shock Wave!
Everyone is reminded to update anti-virus software and patch the system in time.
Vendor patch:
Microsoft
Microsoft has released a Security Bulletin (MS05-039) and patches for this:
MS05-039: Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)
Link: http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx?pf=true
Patch download:
Microsoft Windows 2000 Service Pack 4, download the update:
http://www.microsoft.com/downloads/details.aspx?displaylang=zh-cn&familyid=e39a3d96-1c37-47d2-82ef-0ac89905c88f
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2, download the update:
http://www.microsoft.com/downloads/details.aspx?displaylang=zh-cn&familyid=9a3bfbdd-62ea-4db2-88d2-425e095e207f

Use a network firewall or an IP Security Policy to block port 445!
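
The indicators described above (the botzor.exe autorun values, the modified hosts file, the FTP listener on TCP 33333 and the IRC connection on TCP 8080) can be checked offline against artifacts collected from a suspect machine. The following is an added example, not code from the original article: the function names and the sample registry export, hosts file and `netstat -an` output are constructed for illustration, and treating every non-localhost hosts entry as suspicious is an assumption that fits a default Windows hosts file.

```python
import re

# Indicators taken from the description above.
WORM_FILE = "botzor.exe"
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")

def autorun_hits(reg_export):
    """(key, value name) pairs in a .reg export whose data launches the worm."""
    hits, key = [], ""
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key.lower().endswith(AUTORUN_KEYS):
            m = re.match(r'"([^"]*)"\s*=\s*(.*)$', line)
            if m and WORM_FILE in m.group(2).lower():
                hits.append((key, m.group(1)))
    return hits

def hosts_hits(hosts_text):
    """Host names mapped by any hosts entry other than localhost."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        hits += [h for h in fields[1:] if h.lower() != "localhost"]
    return hits

def port_hits(netstat_text):
    """netstat -an lines showing the FTP listener (33333) or IRC link (8080)."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP":
            lport, rport = f[1].rsplit(":", 1)[-1], f[2].rsplit(":", 1)[-1]
            # An outbound connection to 8080 alone is a weak signal (common proxy port).
            if ((lport, f[3]) == ("33333", "LISTENING")
                    or (rport, f[3]) == ("8080", "ESTABLISHED")):
                hits.append(line.strip())
    return hits

# Constructed sample artifacts (not taken from a real host).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows System"="botzor.exe"
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows System"="botzor.exe"'''
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 www.av-vendor.example\n"
SAMPLE_NETSTAT = """  TCP  0.0.0.0:445      0.0.0.0:0          LISTENING
  TCP  0.0.0.0:33333    0.0.0.0:0          LISTENING
  TCP  192.0.2.10:1042  198.51.100.7:8080  ESTABLISHED"""

if __name__ == "__main__":
    for hit in autorun_hits(SAMPLE_REG) + hosts_hits(SAMPLE_HOSTS) + port_hits(SAMPLE_NETSTAT):
        print("SUSPECT:", hit)
```

A hit on the autorun values together with the 33333 listener is a much stronger sign than any single match; the file itself can be confirmed by its name and the 22528-byte size given above.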

This problem has appeared a lot recently. I have not found a very effective solution yet.
Only a few suggestions can be provided out of thin air:
1. Ensure timely updates of anti-virus software
2. Ensure system patch integrity
3. Turn off services that are not commonly used but are dangerous, and adjust them as needed
4. Disable some dangerous ports, such as 135, 137, 138, 139, 445, and so on (some firewalls can be used to define this)
5. Set a somewhat complex password for the logon accounts in the Administrators group (weak passwords or empty passwords are very vulnerable to attacks)

There is only so much to say, and we hope to find a solution as soon as possible.

It may be that the system cannot be upgraded and the attack is blocked. Install patches. Some removal tools have now been released.
