Five Moves to Identify the Drive Virus


Source: IT168

On March 21, Rising issued a red (level 1) security alert. A worm known as the drive virus (Worm.Win32.Diskgen) is spreading widely online, and its risk keeps growing. The virus tries to shut down a range of anti-virus software and automatically downloads dozens of Trojans, causing heavy losses to users. Rising's security experts said the virus is harder to detect and remove than Panda Burning Incense. As of March 20, the number of computers infected with the drive virus had reached 100,000. Rising anti-virus users who upgrade to the latest version (ike36.32 or later) can fully defend against and remove the virus.



Five steps to identify drive viruses:

1. Some anti-virus and security tools cannot run, are forcibly closed, or are terminated ("split up") right after being opened.

[Figure: the SREng repair tool after being damaged by the drive virus]

2. Safe mode is broken. Trying to enter safe mode produces a blue screen, because the virus deletes the registry keys that safe mode depends on.

3. Hidden files cannot be displayed normally, and the "Hide protected operating system files" option under Tools > Folder Options is broken.

4. Open Task Manager and find two lsass.exe and smss.exe processes.

5. Use WinRAR to browse the file system and look for the following virus files.

%SystemRoot%\system32\com\lsass.exe

%SystemRoot%\system32\com\smss.exe

%SystemRoot%\system32\com\netcfg.dll

%SystemRoot%\system32\com\netcfg.000

Summary of technical analysis on the drive virus

The virus uses rootkit techniques to remove the anti-virus software's hooks from the underlying system and drops its own driver. This blinds the anti-virus software's monitoring so the virus goes undetected. The virus also repeatedly searches for anti-virus program windows and forcibly closes them. Anti-virus software without intelligent active-defense technology is easily crippled by this virus and cannot run.

After the virus runs, it drops the virus driver NetApi000.sys in the root directory of drive C. This driver restores the SSDT and removes all hooks installed by anti-virus software, so many anti-virus functions, such as file monitoring and registry monitoring, stop working. At the same time, the virus drops smss.exe and other virus files into the system to protect its own processes, making it hard for anti-virus software to scan and remove it thoroughly.

Besides disabling anti-virus software, the drive virus also downloads dozens of Trojans from websites such as http://**.c0mo.com and http://**.k0102.com; with these, the attackers attempt to steal private information such as online game accounts and items and online banking passwords.
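As an added example (not from the article or from Rising), the five identification moves and the dropped-driver detail from the technical analysis turned into triage checks over a host snapshot. It assumes %SystemRoot% is C:\WINDOWS, assumes the safe-mode and folder-option symptoms map to missing SafeBoot and SuperHidden registry keys, and runs over a constructed snapshot rather than live telemetry.

```python
import ntpath

SYSTEM_ROOT = r"C:\WINDOWS"  # assumed; substitute the host's real %SystemRoot%

# Files the article lists as dropped by the worm, with %SystemRoot% expanded.
DROPPED_FILES = [ntpath.join(SYSTEM_ROOT, "system32", "com", n)
                 for n in ("lsass.exe", "smss.exe", "netcfg.dll", "netcfg.000")]
DROPPED_FILES.append(r"C:\NetApi000.sys")

# Keys whose absence explains symptoms 2 and 3 (assumed mapping: SafeBoot for
# the safe-mode blue screen, SuperHidden for the broken folder option).
REQUIRED_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden",
]

# Genuine lsass.exe/smss.exe run from system32 only; a second copy elsewhere is symptom 4.
GUARDED = {"lsass.exe", "smss.exe"}

def rogue_processes(processes):
    """processes: list of (image_name, full_image_path) from Task Manager/tasklist."""
    legit_dir = ntpath.join(SYSTEM_ROOT, "system32").lower()
    return [path for name, path in processes
            if name.lower() in GUARDED and ntpath.dirname(path).lower() != legit_dir]

def dropped_files_present(files):
    present = {f.lower() for f in files}
    return [f for f in DROPPED_FILES if f.lower() in present]

def missing_registry_keys(keys):
    present = {k.lower() for k in keys}
    return [k for k in REQUIRED_KEYS if k.lower() not in present]

def triage(processes, files, registry_keys):
    """Collect every indicator from the article that the snapshot matches."""
    return {"rogue_processes": rogue_processes(processes),
            "dropped_files": dropped_files_present(files),
            "missing_keys": missing_registry_keys(registry_keys)}

# Constructed snapshot of an infected host (not real telemetry).
SAMPLE_PROCESSES = [("smss.exe", r"C:\WINDOWS\system32\smss.exe"),
                    ("lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
                    ("lsass.exe", r"C:\WINDOWS\system32\com\lsass.exe"),
                    ("smss.exe", r"C:\WINDOWS\system32\com\smss.exe")]
SAMPLE_FILES = [r"C:\WINDOWS\system32\com\netcfg.dll", r"C:\NetApi000.sys"]
SAMPLE_KEYS = [r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network"]
SAMPLE_FINDINGS = triage(SAMPLE_PROCESSES, SAMPLE_FILES, SAMPLE_KEYS)
```

On a live host the three inputs would come from a process listing with image paths, a directory walk of system32\com and C:\, and a registry key enumeration; an empty result in all three categories means none of the article's indicators were found.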
