Home > Others

Analysis and manual solution of the "animal" virus (soft Terminator killing) page 1/2

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Recently, many people have known this "animal" virus. It is called the "animal" virus because after the virus runs, in the folder option, the text of the hidden file is changed to "the animal is still a little pity, and I have no, so I am not a beast."

This virus is actually the original niu.exe variant, but this variant has greatly increased many new "functions", and the system will be completely unprotected with the help of animal viruses and other Trojans. there is almost no chance of saving the system without any tools

The virus has the following guilt:
1. Disable some system self-protection functions (automatic update, firewall, etc.) in security mode)
2. IFEO image hijacking anti-virus software and common security tools
3. Disable Task Manager
4. Modify the Home Page
5. Close the window with the words "Antivirus"
6. Infected html and other webpage files
7. Delete the gho file so that the user cannot restore the system
8. USB flash drive
9. Download a variety of Trojans and rogue software (up to 20 Trojans)

The following is a detailed analysis of viruses.

1. Release the following files:
% System32 % \ crsss.exe
Autorun. inf and niu.exe are generated under each partition.
2.call reg.exe to perform the following operations:

Add your own startup project
Add hklm \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run/V crsss/T REG_SZ/D

Disable windows automatic update
HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ WindowsUpdate/v DisableWindowsUpdateAccess/t REG_dword/d 00000001/f

Disable Task Manager
Add HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System/v DisableTaskMgr/t REG_dword/d 00000001/f

Damage the hidden file and change the option name to "the animal is still a little pity, and I have no,
So I am not an animal"
Delete HKLM \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ Hidden \ SHOWALL/f
Add HKLM \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ Hidden \ NOHIDDEN/v Text/t REG_SZ/d animals have a little pity, but I have no, so I am not an animal. /f
Sabotage Security Mode
Delete HKLM \ SYSTEM \ ControlSet001 \ Control \ SafeBoot \ Minimal \ {4D36E967-E325-11CE-BFC1-08002BE10318}/f
Delete HKLM \ SYSTEM \ ControlSet001 \ Control \ SafeBoot \ Network \ {4D36E967-E325-11CE-BFC1-08002BE10318}/f
Delete HKLM \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Minimal \ {4D36E967-E325-11CE-BFC1-08002BE10318}/f
Delete HKLM \ SYSTEM \ CurrentControlSet \ Control \ SafeBoot \ Network \ {4D36E967-E325-11CE-BFC1-08002BE10318}/f
3. Add the following Image hijacking project to HKLM \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ to point to % system32 % \ crsss.exe (limited space, only textures)

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
foundations of machine learning solution manual statistics and data analysis for financial engineering solution terminator part 2 call of duty 1 and 2 audacity 2 1 2 manual call of duty black ops 1 and 2 killing season a e season 2

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More