Recently a friend asked me how to clean up these viruses. My answer at the time was not very detailed, so here is a detailed analysis with countermeasures.
1. Turn on "Show hidden files" in the system, and download suitable anti-virus software and the Kingsoft EXE repair tool (important).
2. Look through your system processes and end the suspicious virus/Trojan programs (those running under your current user name), for example Rundl132.exe, Svchost32.exe and Logo1_.exe; there may also be Trojans disguised under system names such as SERVICES.EXE and SMSS.EXE. You can use tskill to end these processes.
3. Find the Trojan's path and delete it, then create a new file with the same name and set it to read-only (this is very important). (It is generally under C:\windows or C:\Program Files; you can search to find the Trojan's path.)
4. Modify the registry. Go through all the Trojan startup items in the registry: search the registry for Rundl132.exe and Logo1_.exe and remove them.
5. Use the Kingsoft repair tool to repair all infected EXE files. (This can be done in Safe Mode.)
The following describes how the virus works (collected online).
Process files: rundl132 or Rundl132.exe
Process Location: windir
Program Name: Troj_autocrat.b.enc or WORM.VIKING.CP
Purpose: backdoor Trojan, mainly used to steal information. Also known under the newer virus name WORM.VIKING.CP; Chinese name: worm variant CP
Program Author:
System process: No
Background program: Yes
Use Network: Yes
Hardware Related: No
Security Level: Low
Process analysis: the virus modifies the Win.ini file so that it runs at boot, using the file name Rundl132.exe, which looks like Rundll32.exe. Once running, the virus opens a backdoor port, allowing a malicious attacker to control the computer.
Virus Name: WORM.VIKING.CP
Chinese name: worm variant CP
It drops Vidll.dll into executable directories.
The virus modifies the registry, creating Run/timer entries to autostart. Its files include 0Sy.exe, 1Sy.exe, 2Sy.exe, 3Sy.exe, 4Sy.exe, 5Sy.exe, 6Sy.exe, 7Sy.exe, 8Sy.exe, 9Sy.exe, as well as 0.exe through 9.exe and so on.
Profile ID: CISRT2006004
Virus name: WORM.WIN32.VIKING.I (AVP)
Virus alias: WORM.VIKING.BP (Rising)
Virus size: 27,194 bytes
Packer: upack
Sample MD5: fe498f7687658c33547d72151111b93f
Discovery Time: 2006.5.30
Update Time: 2006.6.1
Associated virus:
Propagation: spread through QQ tail (links appended to QQ messages) and malicious websites
Technical analysis:
1. Files created after running:
%windows%\rundl132.exe
\vdll.dll (in the current directory)
2. Autostart entry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load" = "%windows%\rundl132.exe"
3. VDll.dll is injected into the Explorer.exe or iexplore.exe process.
4. The virus uses the NET command to stop the Kingsoft Antivirus (Duba) service:
net stop "Kingsoft AntiVirus Service"
5. It tries to access the ipc$ and admin$ network shares, and sends ICMP packets containing "Hello,world" as a probe.
6. Some of the log files it generates:
C:\gamevir.txt
C:\1.txt
C:\log.txt
7. The Logo1_.exe variant infects (bundles itself with) .exe files; in this test, Rundl132.exe was not found to infect (bundle) .exe files.
When it does infect (bundle) .exe files, it leaves .exe files in the following directories alone:
System
System32
Windows
Documents and Settings
System Volume Information
Recycled
Winnt
Program Files
Windows NT
WindowsUpdate
Windows Media Player
Outlook Express
Internet Explorer
ComPlus applications
NetMeeting
Common Files
Messenger
Microsoft Office
InstallShield Installation Information
Msn
Microsoft Frontpage
Movie Maker
MSN Gaming Zone
8. It tries to modify the hosts file:
%system32%\drivers\etc\hosts
9. It adds the following registry information:
[Hkey_local_machine\software\soft\downloadwww]
"Auto" = "1"
10. It tries to access the network to download other Trojans, including Trojans for WoW, the Journey, QQ tail and others.
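The cleanup steps at the top of this post and the technical analysis above both revolve around the same handful of indicators: the Rundl132.exe look-alike name, the 0Sy.exe to 9Sy.exe family, the dropped DLL, the Win.ini and HKCU "Load" autostart entries, and the downloadwww "Auto" marker. The script below is an added example (not the author's tooling, not a Kingsoft product) that checks those indicators offline against a win.ini excerpt, a Regedit .reg export and a file listing, so the findings can be reviewed before anything is deleted. All sample inputs in it are constructed for the demonstration; on a real machine you would feed it the exported win.ini, a `reg export` of the two keys, and a `dir /s /b` capture.

```python
# Offline triage helper for the indicators in the write-up above. Added
# example, not the author's tooling or any vendor's product. Sample inputs
# at the bottom are constructed for the demonstration.
import ntpath
import re

# File names the write-up attributes to the worm (matched case-insensitively).
IOC_FILENAMES = {"rundl132.exe", "logo1_.exe", "vdll.dll", "vidll.dll"}
# The 0Sy.exe ... 9Sy.exe and 0.exe ... 9.exe family from the analysis.
IOC_SY_RE = re.compile(r"^[0-9](?:sy)?\.exe$")

# Registry locations quoted in the analysis (compared lower-cased).
LOAD_KEY = r"hkey_current_user\software\microsoft\windows nt\currentversion\windows"
MARKER_KEY = r"hkey_local_machine\software\soft\downloadwww"


def is_ioc_filename(name):
    """True if a bare file name is one of the names the write-up lists."""
    n = name.lower()
    return n in IOC_FILENAMES or bool(IOC_SY_RE.match(n))


def looks_like_rundll32(name):
    """True for look-alikes of rundll32.exe that swap the letter l for the
    digit 1 (the trick the write-up points out); the genuine name is excluded."""
    n = name.lower()
    return n != "rundll32.exe" and n.replace("l", "1") == "rund1132.exe"


def parse_reg_export(text):
    """Minimal parser for a Regedit .reg export: {key_path: {value_name: str}}.
    Only "name"="string" lines are kept; keys and names are lower-cased."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg files write a single backslash as two backslashes.
            result[current][m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return result


def find_autostart_indicators(win_ini_text, reg_export_text):
    """Report the autostart paths the analysis names (win.ini [windows]
    load=/run= and the HKCU Windows "Load" value) plus the "Auto"="1" marker."""
    hits, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("load", "run") and value:
                # Several programs may be listed, separated by commas.
                for path in (p.strip() for p in value.split(",")):
                    if is_ioc_filename(ntpath.basename(path)):
                        hits.append(f"win.ini [windows] {key}={path}")
    reg = parse_reg_export(reg_export_text)
    load = reg.get(LOAD_KEY, {}).get("load", "")
    if load and is_ioc_filename(ntpath.basename(load)):
        hits.append(f"registry {LOAD_KEY} Load={load}")
    if reg.get(MARKER_KEY, {}).get("auto") == "1":
        hits.append(f"registry {MARKER_KEY} Auto=1")
    return hits


def triage_listing(paths):
    """Classify file paths (e.g. from a dir /s /b capture) as known worm
    file names or rundll32.exe look-alikes; everything else is left alone."""
    findings = []
    for path in paths:
        name = ntpath.basename(path)
        if is_ioc_filename(name):
            findings.append((path, "known Viking/Rundl132 file name"))
        elif looks_like_rundll32(name):
            findings.append((path, "rundll32.exe look-alike"))
    return findings


# Constructed sample inputs mirroring the autostart entries in the analysis.
SAMPLE_WIN_INI = r"""[windows]
load=C:\WINDOWS\rundl132.exe
run=
[fonts]
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\WINDOWS\\rundl132.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\soft\DownloadWWW]
"Auto"="1"
"""
SAMPLE_LISTING = [
    r"C:\WINDOWS\rundl132.exe",            # the dropper
    r"C:\WINDOWS\system32\rundll32.exe",   # genuine system file, must not be flagged
    r"C:\WINDOWS\0Sy.exe",
    r"C:\Program Files\WinRAR\WinRAR.exe",
    r"C:\Program Files\Thunder\vDll.dll",
]

if __name__ == "__main__":
    for hit in find_autostart_indicators(SAMPLE_WIN_INI, SAMPLE_REG):
        print("autostart:", hit)
    for path, reason in triage_listing(SAMPLE_LISTING):
        print("file:", path, "->", reason)
```

The look-alike check deliberately treats the genuine C:\WINDOWS\system32\rundll32.exe as clean, which matters for step 3 of the cleanup: deleting the real Rundll32.exe by mistake breaks Control Panel applets and many installers, so confirm the exact spelling and location of each hit before removing it and dropping the read-only placeholder in its place.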
1. It generates some virus files in the system directory, such as 0sy.exe through 9sy.exe, with icons imitating QQ, Thunder and RealPlayer; in short, the icons are very easy to be fooled by. The name is Rundl132.exe (the character before "32" is a 1, not an L; Rundll32.exe is a system file, so isn't that very deceptive?)
2. It replaces the Thunder and WinRAR programs under Program Files so that you cannot run these two programs. I do not know whether other programs were replaced; in any case, I saw that these two were.
3. Open the Task Manager and you will see Rundl1.exe, cmd.exe and winxxx.exe (where xxx is random digits) under C:\Documents and Settings\<your username>\Local Settings\Temp.