CrossFire plug-in turns out to be the "Transformers" virus: 160,000 PCs infected

Source: Internet
Author: User
Tags: md5

"I have always been very fond of playing the online shooter CrossFire (players usually abbreviate it CF). I saw on a forum that a CFM4 auxiliary plug-in could shoot through walls, so I downloaded it. The plug-in had no effect at all, but my computer was forcibly installed with some software and my account was stolen." This is how one player described his experience.

Jinshan Duba security experts pointed out that the "CFM4 auxiliary plug-in" offered on the download site players were using is a technically sophisticated virus. It uses several layers of mutation to escape many antivirus products and simulates mouse clicks to install assorted Internet software; Jinshan Duba named the virus "Transformers" after this shape-shifting behaviour.

Figure 1: The "Transformers" virus disguised as a CFM4 plug-in.

According to infection statistics from the Jinshan Duba Cloud Security Center, "Transformers" has infected more than 160,000 PCs. The Baidu search index for "CFM4" shows a very obvious rise over the same period, which gives a rough measure of how many players were affected.

Figure 2: CFM4's search index rising rapidly, followed by a rise in infection levels.

On September 1 the joint judicial interpretation issued by the Supreme People's Court and the Supreme People's Procuratorate tightened penalties against virus gangs, and the gangs' behaviour changed accordingly. The purpose of "Transformers" is to push Internet software installs and generate fake traffic for certain commercial websites in order to defraud promotion fees; account theft is not its main function.

"Transformers" has a number of technical highlights, and they greatly extend its lifetime: after infecting 160,000 PCs, many antivirus products still cannot remove it. These highlights include:

1. URL mutation: the download link that spreads the virus changes rapidly, so blocking known malicious download addresses stops working almost immediately.

2. File MD5 mutation: the downloaded virus file is re-issued rapidly, so antivirus products that rely on MD5 signatures go stale just as quickly.

3. After some time all malicious behaviour switches itself off, like an expired trial version: this makes it hard for antivirus vendors to trace the virus back to its source.

4. Loading the virus DLL through a legitimate Storm Player executable: the virus's execution module (a .dll file) is started indirectly by the digitally signed Storm program, which bypasses the active defence (behaviour blocking) of antivirus software.

5. Simulated mouse clicks that silently install HaoZip, Kanbox and Lavagame (bundled background installs): because the virus behaves like a human operating the mouse, antivirus active defence is bypassed. Pushing Internet software to collect software promotion fees is an important part of how the gang makes money.

Figure 3: The virus simulating mouse clicks to install promoted software, evading antivirus active defence.

6. Opening IE in the background to generate fake traffic: this is one of the purposes of the virus; traffic fraud is a way of swindling money.

7. Loading the virus driver via a modified fastfat.sys (normally a Windows system file): the virus uses this driver module to protect itself, which makes removal by antivirus software much harder.

8. Write-back at shutdown: this is the special feature of the virus driver. When the user shuts down the computer, the driver writes the virus program back to the hard disk, guaranteeing that the virus still runs automatically at the next boot. This technique was widely used by rogue software such as 3721.

9. The "Transformers" main body is bundled with several Trojans that steal CrossFire (or other online game) account passwords.
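Points 1 and 2 above both describe the same defensive failure: matching on an exact artifact (a URL, a whole-file MD5) that the attacker can change for free. The following Python is an added illustration, not code from the original article or from Jinshan Duba. It constructs a minimal, non-executable PE-shaped fixture (sample input, not a real sample), churns it the way a dropper might (rewriting a header timestamp and appending junk after the last section), and compares a whole-file MD5 with a hash over the parsed section bodies only. Function and fixture names are assumptions; real "Transformers" samples are also repacked or recompiled between releases, which this simple section hash would not survive either, so it is a demonstration of the principle rather than a drop-in detector.

```python
import hashlib
import struct


def build_fake_pe(timestamp=0x4E5E0000, text=b"\x90" * 64 + b"\xC3", data=b"hello\x00"):
    """Constructed, non-executable PE-shaped fixture used as sample input.

    Layout: DOS header -> PE signature + COFF header -> PE32 optional header
    -> two section headers (.text, .data) -> section bodies at 0x200 alignment.
    """
    optional_header_size = 224           # size of a PE32 optional header
    pe_offset = 0x40                     # e_lfanew: PE header right after DOS header
    sections = [(b".text\x00\x00\x00", text), (b".data\x00\x00\x00", data)]
    section_table = pe_offset + 24 + optional_header_size
    raw_start = (section_table + 40 * len(sections) + 0x1FF) & ~0x1FF

    dos = bytearray(pe_offset)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_offset)

    coff = b"PE\x00\x00" + struct.pack(
        "<HHIIIHH",
        0x014C,                 # Machine: i386
        len(sections),          # NumberOfSections
        timestamp,              # TimeDateStamp (one of the fields churned below)
        0, 0,                   # PointerToSymbolTable, NumberOfSymbols
        optional_header_size,   # SizeOfOptionalHeader
        0x0102,                 # Characteristics: executable image, 32-bit
    )
    optional = bytearray(optional_header_size)
    struct.pack_into("<H", optional, 0, 0x10B)   # Magic: PE32

    headers, body, ptr = bytearray(), bytearray(), raw_start
    for name, raw in sections:
        size = (len(raw) + 0x1FF) & ~0x1FF       # file-aligned SizeOfRawData
        headers += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, size, ptr,
                               0, 0, 0, 0, 0x60000020)
        body += raw.ljust(size, b"\x00")
        ptr += size
    image = (bytes(dos) + coff + bytes(optional) + bytes(headers)).ljust(raw_start, b"\x00")
    return image + bytes(body)


def iter_sections(image):
    """Yield (name, raw_offset, raw_size) from the section table of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", image, pe + 6)[0]
    optsize = struct.unpack_from("<H", image, pe + 20)[0]
    off = pe + 24 + optsize
    for _ in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        yield name, raw_ptr, raw_size
        off += 40


def file_md5(image):
    """What a plain MD5 blocklist keys on: the whole file, overlay included."""
    return hashlib.md5(image).hexdigest()


def section_hash(image):
    """SHA-256 over section names and raw section bodies only. Headers and any
    overlay past the last section are ignored, so cosmetic churn there does not
    change the value. Repacking or recompiling the code would."""
    h = hashlib.sha256()
    for name, ptr, size in iter_sections(image):
        h.update(name)
        h.update(image[ptr:ptr + size])
    return h.hexdigest()


def overlay_size(image):
    """Bytes appended after the last section: a common place for junk."""
    end = max((ptr + size for _, ptr, size in iter_sections(image)), default=0)
    return max(len(image) - end, 0)


def churn(image, salt):
    """Model of 'MD5 deformation': rewrite TimeDateStamp and append junk bytes.
    Neither touches the code that actually runs."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    out = bytearray(image)
    struct.pack_into("<I", out, pe + 8, salt)                       # TimeDateStamp
    out += hashlib.sha256(salt.to_bytes(4, "little")).digest()      # 32 junk bytes
    return bytes(out)


def compare(original, variants):
    """Return (distinct MD5s, distinct section hashes) across all samples."""
    samples = [original] + list(variants)
    return len({file_md5(s) for s in samples}), len({section_hash(s) for s in samples})


if __name__ == "__main__":
    base = build_fake_pe()
    dropped = [churn(base, i) for i in range(1, 4)]
    print("distinct MD5 / section-hash:", compare(base, dropped))
    print("overlay bytes on variant 1:", overlay_size(dropped[0]))
```

Running it shows four distinct MD5s for the base fixture and three churned variants but a single section hash, which is the whole point of item 2: an MD5 blocklist needs a new entry for every re-issued file, while anything that keys on the code itself (section hashes, import hashes, behavioural rules such as "signed media player loads an unsigned DLL from its own directory") stays valid until the gang actually rebuilds the payload.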

Jinshan Duba security experts pointed out that the K+ defence built into Jinshan Duba 2012 intercepts this technically sophisticated virus reliably. Some players ignored their security software's warnings and insisted on running the "plug-in", and their computers were compromised as a result. Players who find HaoZip, Kanbox or Lavagame "already installed" on their computers can download Jinshan Stubborn Trojan Killer to remove the virus.

Figure 4: Jinshan Duba K+ system defence intercepting the "Transformers" virus.

Glossary:

CrossFire: an online shooter developed in South Korea and operated by Tencent, generally referred to by players as CF. It has a large fan base in China, with up to 3 million players online at once. The game's popularity has attracted many studios that develop cheats and auxiliary tools, and a large number of account-stealing viruses are mixed in among them; some distribution sites also quietly swap a plug-in for a virus.


The content of this page is sourced from the Internet and does not represent Alibaba Cloud's opinion; the products and services mentioned on the page have no relationship with Alibaba Cloud.
