A friend recently asked me how to clean up this virus. I did not go into detail at the time, so I am now posting a detailed analysis and countermeasures.
1. Enable "Show hidden files" in the system and download the corresponding anti-virus software and maintenance tool EXE (important).
2. Check your system processes and end any suspicious virus or Trojan processes (those whose user name is your current user), for example rundl132.exe, svchost32.exe and logocmd.exe. There may also be Trojans disguised as system processes, such as SERVICES.exe and smss.EXE. You can use tskill to end these processes.
3. Locate and delete the Trojan, then create a file with the same name and set it to read-only (this is very important). The Trojan is generally in C:\windows or C:\Program Files\; you can search to find its path.
4. Modify the registry: search the registry for rundl132.exe and logocmd.exe and delete the entries that reference them.
5. Use the maintenance tool to repair all infected exe files. (This can be done in Safe Mode.)
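For step 2 above, one way to triage a process listing for the disguises this post describes (a digit swapped into a system name, a numeric suffix, or a system name running from the wrong folder or under your own account). This is an added example, not part of the original post; the function names, the confusable-character set, the account list and the sample process list are assumptions constructed for illustration.

```python
import ntpath  # Windows path rules, works on any OS

# Genuine Windows binaries whose names the post says get imitated.
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "services.exe", "smss.exe"}
# Digit-for-letter swaps used to build look-alike names (assumed set).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s"})
# Accounts these binaries ran under on XP-era Windows (assumption).
SYSTEM_USERS = {"system", "local service", "network service"}


def classify(image_path, user, windir=r"C:\WINDOWS"):
    """Return the reasons a process looks like a disguised system binary."""
    name = ntpath.basename(image_path).lower()
    folder = ntpath.dirname(image_path).lower()
    reasons = []
    if name in SYSTEM_BINARIES:
        if folder != ntpath.join(windir, "system32").lower():
            reasons.append("system name outside system32")
        # rundll32.exe legitimately runs as the logged-on user.
        if name != "rundll32.exe" and user.lower() not in SYSTEM_USERS:
            reasons.append("system name under a user account")
        return reasons
    stem, ext = ntpath.splitext(name)
    # rundl132.exe -> rundll32.exe, svchost32.exe -> svchost.exe
    for candidate in (name.translate(CONFUSABLES),
                      stem.rstrip("0123456789") + ext):
        if candidate in SYSTEM_BINARIES:
            reasons.append("look-alike of " + candidate)
            break
    return reasons


# Constructed process list for illustration: (image path, user).
SAMPLE = [
    (r"C:\WINDOWS\system32\rundll32.exe", "alice"),
    (r"C:\WINDOWS\rundl132.exe", "alice"),
    (r"C:\WINDOWS\system32\svchost.exe", "NETWORK SERVICE"),
    (r"C:\WINDOWS\svchost32.exe", "alice"),
    (r"C:\WINDOWS\SERVICES.exe", "alice"),
    (r"C:\WINDOWS\system32\smss.exe", "SYSTEM"),
]


def suspicious(processes):
    """Map each flagged image path to its list of reasons."""
    return {p: r for p, u in processes if (r := classify(p, u))}


if __name__ == "__main__":
    for path, why in suspicious(SAMPLE).items():
        print(path, "->", "; ".join(why))
```

Names such as logocmd.exe that imitate no system binary are not caught by this heuristic and still need the path and registry searches from steps 3 and 4.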
The following is how the virus works (collected online)
Process file: rundl132 or rundl132.exe
Process location: windir
Program name: Troj_AutoCrat.B.enc or Worm.Viking.cp (WeiJin)
Program purpose: Backdoor Trojan, mainly used to steal information. Latest virus name: Worm.Viking.cp. Chinese name: "Wei Jin" worm, variant CP
Author:
System Process: No
Background Program: Yes
Network used: Yes
Hardware related: No
Security level: low
Process Analysis: this virus modifies the win.ini file and starts under the file name rundl132.exe, a look-alike of rundll32.exe. After the virus runs, it opens a backdoor port that allows malicious attackers to control the computer.
Virus name: Worm.Viking.cp
Chinese name: CP
It drops vidll.dll into any directory that contains executable files.
This virus modifies the registry to create a Run/Timer entry so that it starts automatically. The virus files include 0Sy.exe, 1Sy.exe, 2Sy.exe, 3Sy.exe, 4Sy.exe, 5Sy.exe, 6Sy.exe, 7Sy.exe, 8Sy.exe, 9Sy.exe, 0 ~ 9.exe and so on.
File No.: CISRT2006004
Virus name: Worm.Win32.Viking.I (AVP)
Virus alias: Worm.Viking.bp (Rising)
Virus size: 27,194 bytes
Packing method: UPack
Sample MD5: fe498f7687658c33547d72151111b93f
Time detected: 2006.5.30
Updated on: 2006.6.1
Associated Virus:
Spread by QQ tail and malicious websites
Technical analysis:
1. Creates files after running:
%Windows%\rundl132.exe
\VDll.dll (current directory)
2. Creates an autostart entry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="%Windows%\rundl132.exe"
3. vdll.dll will be inserted into the assumer.exe or iexterne.exe process.
4. The virus uses the net command to stop the Kingsoft AntiVirus service:
net stop "Kingsoft AntiVirus Service"
5. Tries to access the network shares ipc$ and admin$, and sends ICMP probe requests carrying "Hello, World".
6. Some generated record files:
C:\gamevir.txt
C:\1.txt
C:\log.txt
Hosts file.
7. Infects (bundles itself onto) .exe files, but does not infect (bundle onto) .exe files in the following directories:
System
System32
Windows
Documents and Settings
System Volume Information
Recycled
Winnt
Program Files
Windows NT
WindowsUpdate
Windows Media Player
Outlook Express
Internet Explorer
ComPlus Applications
NetMeeting
Common Files
Messenger
Microsoft Office
InstallShield Installation Information
MSN
Microsoft Frontpage
Movie Maker
MSN Gaming Zone
8. Tries to modify the HOSTS file:
%System32%\drivers\etc\hosts
9. Adds the registry information:
[HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW]
"Auto"="1"
10. Tries to access the network to download other Trojans and viruses, including WOW, Journey, and QQ tail.
(Note that the character before "32" is the digit "1"; "rundll32.exe" is the real system file. Deceptive, isn't it?)
2. It replaces the program files of Thunder and WinRAR so that you cannot run these two programs. I don't know whether other programs have been replaced; these are the two I noticed.
3. The logging manager shows rundl1.exe, cmd.exe and winxxx.exe (xxx is a random number), located in C:\Documents and Settings\your USERNAME\Local Settings\temp.