A full understanding of the past and present of the disk drive virus

Source: Internet
Author: User
Tags: command line, manual, rar, safe mode, unpack rar

How the disk drive virus outbreak began

The disk drive virus first appeared in February of last year. Its hallmark was generating Lsass.exe and Smss.exe files in the Windows system directory and resetting the system time to 1980. At that time the virus was not built around downloading payloads, and it had many bugs of its own; after an infection it readily caused blue-screen crashes. Later variants gradually absorbed features of AV Terminator and Robot Dog, and their ability to fight security software grew steadily stronger.

Disk drive virus analysis

The disk drive virus has gone through many variants. Once it infects a system it downloads more trojans to run locally, like ants carrying food into the nest, and these are mainly password-stealing trojans. The disk drive virus also downloads other trojan downloaders, such as AV Terminator, so the typical picture after infection is a mixed infection of viruses and trojans; among the downloads, the ARP virus has a serious impact on the LAN.

For ordinary computer users, after the virus gets in, the only visible symptom is that security software stops working; the rest of the system behaves basically normally. As a result, ordinary users usually discover the infection only after account theft has already happened, because unlike us they do not notice that security software and system management tools can no longer run. In this situation the user is basically unable to complete removal with anti-virus software, and cannot even install a different anti-virus product.

Typical symptoms of a disk drive infection

Registers a global hook, scans for program windows whose titles contain keywords of common security software, and floods them with messages so that the security software crashes.

Destroys Folder Options so that users cannot view hidden files.

Removes the registry values for Safe Mode so that the system cannot boot into Safe Mode.

Creates a driver to protect itself. The driver deletes itself at power-on and, at shutdown, creates a delayed restart item, so that the virus is loaded automatically again after the reboot.

Modifies the registry so that the Software Restriction Policies in Group Policy become unavailable.

Scans for and deletes security software registry keys and values, preventing the security software from starting at boot.

Creates Autorun.inf and PAGEFILE.PIF on every disk, so that it runs through the autorun feature when a disk is double-clicked or a removable device is inserted.

Removes the entire Run key and its subkeys from the registry, preventing security software from loading automatically.

Drops multiple virus executables to accomplish more tasks.

The virus is loaded by means of a restart-rename: the entry is placed under the "Pending Rename Operations" string value at HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\BackupRestore\KeysNotToRestore.

Infects EXE files outside the System32 directory (the infection behaviour keeps evolving, from infecting other partitions to infecting the system partition). Most unusual of all, the virus also unpacks RAR archives, infects the EXE files inside, and repacks them into the RAR.

Downloads a large number of trojans to run locally; the damage the user ultimately suffers is determined by the behaviour of those trojans.
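The symptoms above can be checked for without touching anything. The following PowerShell script is an added example, not code from the original article or from any removal tool it mentions; it reads the standard Windows locations for the indicators listed (SafeBoot keys, the Run key, the restart-rename queue, the dropped executables, autorun artifacts on each drive, and the Folder Options "Show hidden files" setting). The article names the "Pending Rename Operations" entry under KeysNotToRestore; the check below reads the Session Manager PendingFileRenameOperations value, which is the mechanism Windows uses to rename or delete files on the next boot. The SHOWALL\CheckedValue location is the standard Explorer setting that this family of worms tampers with, not a path taken from the article.

```powershell
# Added example (not from the original article): read-only check for the
# persistence and self-protection indicators attributed to the disk drive virus.
# Run from an elevated PowerShell on the suspect machine. Nothing is modified.

function Test-DiskDriveIndicators {
    $findings = @()

    # 1. Safe Mode registry keys deleted? Without these, Safe Mode boot fails.
    foreach ($name in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$name"
        if (-not (Test-Path $key)) {
            $findings += "SafeBoot\$name key is missing (Safe Mode boot would fail)"
        }
    }

    # 2. Entire Run key removed? Security software would no longer auto-start.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $runKey)) {
        $findings += 'HKLM Run key is missing (auto-start entries wiped)'
    }

    # 3. Restart-rename persistence: files queued for rename/delete at next boot.
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($pending) {
        $findings += "PendingFileRenameOperations is set: $($pending -join ' | ')"
    }

    # 4. Lsass.exe / Smss.exe dropped in the Windows directory
    #    (the legitimate copies live in System32).
    foreach ($exe in 'Lsass.exe', 'Smss.exe') {
        $p = Join-Path $env:windir $exe
        if (Test-Path $p) { $findings += "Suspicious file $p (legitimate copy belongs in System32)" }
    }

    # 5. Autorun.inf / PAGEFILE.PIF in the root of every filesystem drive.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        foreach ($f in 'Autorun.inf', 'PAGEFILE.PIF') {
            $p = Join-Path $drive.Root $f
            if (Test-Path $p) { $findings += "Autorun artifact present: $p" }
        }
    }

    # 6. Folder Options tampering: the "Show hidden files" radio button is
    #    driven by CheckedValue, which must be DWORD 1 to work.
    $showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
    $checked = (Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue).CheckedValue
    if ($checked -ne 1) {
        $findings += "SHOWALL\CheckedValue is '$checked' instead of 1 (hidden files cannot be shown)"
    }

    # 7. System clock reset to 1980?
    $year = (Get-Date).Year
    if ($year -lt 2000) {
        $findings += "System clock reads year $year (the virus is known to reset it to 1980)"
    }

    return $findings
}

# Force an array so an empty result still has a .Count of 0.
$result = @(Test-DiskDriveIndicators)
if ($result.Count -eq 0) { 'No disk drive indicators found.' } else { $result }
```

Each finding is only an indicator: a populated PendingFileRenameOperations value, for instance, is also left behind by ordinary installers, so read the queued paths before drawing conclusions. Because the script only reads the registry and the filesystem, it is safe to run before the removal tool, and the same checks can be repeated afterwards to confirm that the Safe Mode and Run keys have been restored.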

Transmission paths of the disk drive virus

USB flash drives, portable hard disks, and digital memory cards

Trojan downloaders spreading one another

Downloads from malicious websites

Infected files

ARP attacks on the intranet

Disk drive virus solution

The disk drive virus behaves very much like AV Terminator and Robot Dog, but technically it is harder to kill. As far as we know, no anti-virus product can intercept the latest disk drive variant, and after infection the failure rate of installing anti-virus software is very high. Therefore the current recommended approach is to prioritize a dedicated disk drive removal tool.

On some computers without any defensive measures, the disk drive removal tool may itself be deleted when it runs. According to our investigation, this happens when multiple viruses have invaded together. In this extreme case, you can try the following anti-virus approaches:

1. Try to boot the system into Safe Mode or Safe Mode with Command Prompt (may fail)

Specific steps: before restarting, copy anti-virus software that has already been updated to the latest version from another healthy computer; simply copy the entire installation directory over. Run the anti-virus software in Safe Mode, or run it from the command line. If the infection is not too severe, this should do the job.

2. Boot from a WinPE rescue disc and then run anti-virus (a WinPE disc is not easy to obtain and not everyone has one; you need to search the Internet for it.)

After WinPE starts, run the anti-virus software.

3. Mount the disk in another computer and scan it (relatively easy when more than one computer is available)

It must be noted that before mounting the disk for scanning, the healthy computer must have autorun disabled on all disks, to avoid triggering the virus by double-clicking the infected drive. Disabling autorun greatly reduces the risk of infection.

4. If you run into the extreme situation where none of the first three options is available and you cannot disinfect manually, there is only one move left: reinstall the system on the C: drive. Remember, do not double-click to open other disks or insert a potentially infected USB drive; first install genuine anti-virus software, update it to the latest version, and disable autorun on all disks.
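Steps 3 and 4 both require autorun to be disabled on every disk before a suspect drive is mounted or a USB stick inserted, but the article does not say how. The following PowerShell script is an added example, not code from the original article; it uses the standard NoDriveTypeAutoRun policy value under the Explorer policies key, which is the documented Windows setting for this. It shows the current policy, sets the value to 0xFF (every drive type bit set) in both the machine and the current-user hive, and shows the result again.

```powershell
# Added example (not from the original article): disable autorun for every
# drive type on the healthy computer before mounting a suspect disk.
# Run in an elevated PowerShell. Log off or restart Explorer afterwards.

$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# Report the NoDriveTypeAutoRun value in each hive. 0xFF means autorun is
# refused for unknown, removable, fixed, network, CD-ROM and RAM-disk drives.
function Get-AutorunPolicy {
    foreach ($path in $policyPaths) {
        $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $value) {
            $display = '(not set; Windows default applies, Autorun.inf still honored on some drive types)'
        } else {
            $display = '0x{0:X2}' -f $value
        }
        [pscustomobject]@{
            Hive   = $path.Split(':')[0]
            Value  = $display
            AllOff = ($value -eq 0xFF)
        }
    }
}

# Set the policy in both hives so it applies regardless of which one wins.
function Disable-AllDriveAutorun {
    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
}

'Before:'
Get-AutorunPolicy | Format-Table -AutoSize
Disable-AllDriveAutorun
'After (log off or restart Explorer for the change to take effect):'
Get-AutorunPolicy | Format-Table -AutoSize
```

Once the policy is in place, a mounted drive's Autorun.inf is ignored whether the drive is double-clicked or a removable device is inserted, which is exactly the trigger the article warns about. It does not make the files on the infected disk safe to open; it only stops the autorun path, so the scan in step 3 should still be run before browsing the mounted volume.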

For friends who understand the system better, there are manual methods to remove these viruses. They may seem a bit difficult, but they are given here for everyone's reference; I hope friends will learn them, so that we do not have to be so busy.
