Analysis of Lhsurdj.exe Virus
[Background information]
Virus name: Worm.Win32.AutoRun.elc
Virus alias: Crazy Free Girl virus
Virus file information
File: lhsurdj.exe
MD5: 4F7D28EB58510D05149FE566972BDD51
SHA1: (not recorded)
CRC32: 4D7CD431
Packer: FSG 2.0 → bart/xt [Overlay]
Affected systems: Windows 9x/ME/NT/2000/XP/2003
Virus type: Worm
Virus size: 39,125 bytes
Transmission mode: manual download of its server component
[Features]
- The virus file deletes itself after it has run.
- Any window whose title contains "virus" is closed automatically. For example, create a folder named "virus xxx" and double-click it: the Explorer window closes at once. A Word document with "virus" in its title is closed the same way.
- Under "Tools" → "Folder Options" → "View", hidden files cannot be shown: the radio button "Show hidden files and folders" is missing, so hidden files stay invisible.
- With Process Explorer (procexp.exe) running, two processes, eohuylj.exe and lhsurdj.exe, are visible (highlighted in red), and their "Description" and "Company Name" columns are blank.
- Ending either process fails: it is recreated immediately (Task Manager cannot end them either), so the two processes guard each other.
Rogue-software characteristics
- Start the registry autostart viewer Autoruns (autoruns.exe).
- Under "Options", enable "Verify Code Signatures" so that normal, signed entries can be told apart from the unsigned virus entries.
- On the "Image Hijacks" tab (the Image File Execution Options key), the virus has registered a long list of program names and blocks them from starting.
- The "Everything" tab shows all of these entries at once (antivirus software, where installed, can defend against this hijacking).
[Clearing method]
1. Use the Wsyscheck tool (if Wsyscheck itself is image-hijacked, rename the executable before starting it).
On the "Process Management" page, locate the two virus processes and note their image paths; these are the locations of the virus files on disk.
Select "Suspend selected process" or "End selected process" (the key step). Because each process restarts the other, suspend both first and only then end them.
2. On the "File Management" page, inspect the root directory of each drive and the paths noted above.
Sorting by creation time helps to find and examine the related suspicious files, such as autorun.inf in the root directory of every drive letter and the files it refers to (such as lhsurdj.exe).
The files C:\autorun.inf and C:\WINDOWS\system32\enhuylj.inf contain:
[AutoRun]
shell\open=Open(&O)
shell\open\Command=lhsurdj.exe
shell\open\Default=1
shell\cmde=Explorer(&X)
shell\cmde\Command=lhsurdj.exe
This makes Explorer run lhsurdj.exe whenever the drive is opened from My Computer or the "Explorer" context-menu verb is chosen, so every drive, removable ones included, must be checked.
musz1s.dll and musz2s.dll are also dropped files.
The hardest to find are uuygec.dll and uuygec.nls, whose file creation times have been altered, so sorting by creation time does not reveal them. Delete these files one by one.
Wsyscheck's "Security Check" page can also list the files created within a chosen time range, which helps to find the rest.
Use autoruns.exe to remove the two virus entries under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (clear the check box in front of each entry).
Press F5 to refresh: the entries should stay unchecked. If they are re-checked, a virus process is still running; go back to step 1.
3. In Registry Editor (regedit), search for every key and value that references lhsurdj.exe or eohuylj.exe and delete them.
4. In regedit, search for every value that references uuygec.dll. Under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Session Manager there is a value PendingFileRenameOperations whose content is:
\??\C:\WINDOWS\System32\uuygec.dll
\??\C:\Documents and Settings\student\Start Menu\Programs\Startup\eohuylj.exe
\??\C:\WINDOWS\System32\uuygec.nls
\??\C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lhsurdj.exe
\??\C:\WINDOWS\System32\RavExt.dll
\??\C:\WINDOWS\System32\bsmain.exe
Delete this value. PendingFileRenameOperations is a REG_MULTI_SZ that Session Manager processes at the next boot as source/target pairs; an empty target means "delete the source file". Check the same value under CurrentControlSet (and any other ControlSetNNN), not only ControlSet001, and check the two Startup folders listed here as well.
5. Restore Explorer's ability to show hidden files:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Explorer\Advanced\Folder\Hidden\SHOWALL
Re-create the DWORD value CheckedValue with the data 1 (the virus removed it, which is why the "Show hidden files and folders" option disappeared). The value must be of type REG_DWORD; a REG_SZ "1" is ignored by Explorer. Export the key to showall.reg so it can be reapplied if needed.
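The two artifacts that steps 2 and 4 rely on, the autorun.inf launcher and the PendingFileRenameOperations value, both have a small format worth decoding by hand. The following is an added example written for this page, not code from the original analysis: it parses an autorun.inf and lists which executables it would launch, and it decodes a REG_MULTI_SZ PendingFileRenameOperations blob into the source/target operations Session Manager will perform at boot. The sample autorun.inf is the C:\autorun.inf quoted above laid out as INI text; the sample registry value is constructed from the paths listed in step 4, each assumed to be paired with an empty target (a queued deletion), which is an assumption since the page shows only the sources. The watchlist of file names is taken from the analysis.

```python
"""Editor-added example (not part of the original analysis): parse the two
artifacts the cleanup steps above rely on and flag what points at the worm."""
import configparser
import ntpath
import re

NT_PREFIX = "\\??\\"   # object-manager prefix on the paths in the registry value

# --- Step 2: autorun.inf ----------------------------------------------------
# Constructed sample: the C:\autorun.inf quoted above, laid out as INI text.
SAMPLE_AUTORUN_INF = """[AutoRun]
shell\\open=Open(&O)
shell\\open\\Command=lhsurdj.exe
shell\\open\\Default=1
shell\\cmde=Explorer(&X)
shell\\cmde\\Command=lhsurdj.exe
"""

# Keys that make Explorer run a program when the drive is opened or a verb is chosen.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
EXE_RE = re.compile(r"[\w.\-\\:]+?\.(?:exe|com|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)


def parse_autorun_inf(text):
    """Return the [AutoRun] section as a lower-cased key -> value dict."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    return {} if section is None else {k.lower(): v.strip() for k, v in cp.items(section)}


def find_autorun_launchers(text):
    """Every launch key and the executable it names (None if none is obvious)."""
    hits = []
    for key, value in parse_autorun_inf(text).items():
        if LAUNCH_KEY.match(key):
            m = EXE_RE.search(value)
            hits.append({"key": key, "command": value,
                         "executable": m.group(0).lower() if m else None})
    return hits


def autorun_targets(text):
    """Distinct executables the autorun.inf would launch; review each one."""
    return sorted({h["executable"] for h in find_autorun_launchers(text) if h["executable"]})


# --- Step 4: PendingFileRenameOperations ------------------------------------
def encode_multi_sz(strings):
    """Build a REG_MULTI_SZ blob: each string NUL-terminated, plus a final NUL."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(data):
    """Inverse of encode_multi_sz; keeps empty strings, which matter here."""
    text = data.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]                # list terminator
    parts = text.split("\0")
    if parts and parts[-1] == "":
        parts.pop()                     # terminator of the last string
    return parts


def parse_pending_renames(strings):
    """Pair strings into (source, target) operations the way Session Manager does:
    empty target = delete at boot, '!' prefix on target = replace existing file."""
    strings = list(strings)
    if len(strings) % 2:
        strings.append("")              # dangling source: treated as a delete
    ops = []
    for src, dst in zip(strings[::2], strings[1::2]):
        src = src.removeprefix(NT_PREFIX)
        if dst == "":
            action, dst = "delete", None
        elif dst.startswith("!"):
            action, dst = "replace", dst[1:].removeprefix(NT_PREFIX)
        else:
            action, dst = "rename", dst.removeprefix(NT_PREFIX)
        ops.append({"source": src, "target": dst, "action": action})
    return ops


def match_watchlist(ops, names):
    """Operations whose source file name is on the watchlist (case-insensitive)."""
    wanted = {n.lower() for n in names}
    return [op for op in ops if ntpath.basename(op["source"]).lower() in wanted]


# Constructed sample: the paths listed in step 4, each assumed to be paired with
# an empty target (queued deletion); the page shows only the source paths.
SAMPLE_PFRO_SOURCES = [
    NT_PREFIX + r"C:\WINDOWS\System32\uuygec.dll",
    NT_PREFIX + r"C:\Documents and Settings\student\Start Menu\Programs\Startup\eohuylj.exe",
    NT_PREFIX + r"C:\WINDOWS\System32\uuygec.nls",
    NT_PREFIX + r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lhsurdj.exe",
    NT_PREFIX + r"C:\WINDOWS\System32\RavExt.dll",
    NT_PREFIX + r"C:\WINDOWS\System32\bsmain.exe",
]
SAMPLE_PFRO = encode_multi_sz([s for src in SAMPLE_PFRO_SOURCES for s in (src, "")])
# File names from the analysis above.
WORM_FILES = {"lhsurdj.exe", "eohuylj.exe", "uuygec.dll", "uuygec.nls", "musz1s.dll", "musz2s.dll"}

if __name__ == "__main__":
    print("autorun.inf launches:", autorun_targets(SAMPLE_AUTORUN_INF))
    for op in parse_pending_renames(decode_multi_sz(SAMPLE_PFRO)):
        flag = "WORM" if match_watchlist([op], WORM_FILES) else "    "
        print(f"{flag} {op['action']:7} {op['source']}")
```

On a live system the blob for `decode_multi_sz` is what `winreg.QueryValueEx` returns for the value (or what a `.reg` export of the Session Manager key encodes as `hex(7):`); the functions take the raw bytes so they also run against an offline SYSTEM hive. Legitimate installers use `open=` and PendingFileRenameOperations too, so the output is a review list, not a verdict.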
[Others]
1. 360 detects this file: object C:\WINDOWS\system32\enhuylj.exe, threat Generic.Malware.SP!Pk!G.A679068E; the file was deleted.
2. The wildcard file searches made during the cleanup leave traces under
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603, with values 000 = eoh*.exe and 001 = lhsur*.exe. This key holds the Search Assistant's "all or part of the file name" history, so these entries are residue of the analyst's own searches rather than part of the infection, and can simply be deleted.