The National Computer Virus Emergency Response Center has detected the "Aini" compound virus through Internet monitoring. The virus exploits a vulnerability in the way Microsoft Windows processes ANI (animated cursor) files. It infects executable files and local web page files, sends e-mail, and infects USB flash drives and other removable storage media, and so spreads widely. It propagates on its own: once a system is infected, it automatically downloads and runs a trojan program, causing considerable damage.
The worm has produced many variants that spread rapidly in the short time since it appeared. Infected users find it difficult to remove completely, which seriously disrupts their work.
The analysis of the worm is as follows:
Virus name: Worm_MyInfect.af
Chinese name: "Aini"
Other names: I-Worm/AniLoad (Jiangmin)
Worm.MyInfect (Kingsoft/Jinshan)
Worm.DlOnlineGames (Rising)
Virus type: compound (worm, file infector and trojan downloader)
Affected systems: Windows 9x / Windows ME / Windows NT / Windows 2000 / Windows XP / Windows 2003 / Windows Vista
Virus features:
1. Creates a virus file
When run, the virus copies itself into the Windows system directory as sysload3.exe.
2. Modifies the registry
It adds the value "System Boot Check", pointing at sysload3.exe in the system directory, under HKCU\Software\Microsoft\Windows\CurrentVersion\Run so that the virus starts automatically with Windows.
3. Infects files on the system
It infects executable files and script files on local disks and in network shared directories.
1) Executable files
The virus and the host file are combined into a single file: the original file is pasted onto the end of the virus body, so the virus code runs first whenever the infected file is launched.
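The prepending infection described above (virus body first, original executable appended after it) leaves a recognisable artefact: the PE headers of the virus body account for a certain number of bytes, and everything after that is an "overlay" that itself begins with an MZ header. The following added example (written for this page, not part of the advisory or any vendor tool) models the infection on two constructed minimal PE images, locates the appended host by walking the section table, and carves it back out, which is the basis of disinfection. All sample binaries and function names are constructed for the demonstration.

```python
import struct

# Constructed sample: a minimal PE32 image with one section.  It is not a real
# executable and exists only as input for the checks below.
def build_minimal_pe(section_size: int = 0x200) -> bytes:
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                   # size of a PE32 optional header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)   # Magic = PE32, rest zeroed
    headers_len = e_lfanew + 4 + 20 + opt_size + 40
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF          # file alignment of 0x200
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
    # Characteristics
    sect = b".text".ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI", section_size, 0x1000, section_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\x00\x00" + coff + opt + sect).ljust(raw_ptr, b"\x00")
    return headers + b"\xCC" * section_size


def pe_end_offset(data: bytes) -> int:
    """Offset just past the last byte the PE headers account for (end of the last section)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + opt_size
    end = sect_table + 40 * num_sections              # at least the end of the headers
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def find_appended_pe(data: bytes):
    """Describe trailing data past the last section, or return None if there is none."""
    end = pe_end_offset(data)
    overlay = data[end:]
    if not overlay:
        return None
    return {"offset": end, "length": len(overlay), "embedded_pe": overlay[:2] == b"MZ"}


def infect_prepend(virus: bytes, host: bytes) -> bytes:
    """Model of the infection: the host file is pasted after the virus body (constructed)."""
    return virus + host


def carve_appended_host(data: bytes) -> bytes:
    """Recover the original host from a prepender-infected file (the disinfection step)."""
    info = find_appended_pe(data)
    if not info or not info["embedded_pe"]:
        raise ValueError("no appended PE image found")
    return data[info["offset"]:]


if __name__ == "__main__":
    virus, host = build_minimal_pe(0x200), build_minimal_pe(0x400)
    infected = infect_prepend(virus, host)
    print(find_appended_pe(host))        # None: a clean file has no overlay
    print(find_appended_pe(infected))    # overlay at offset 1024 that starts with MZ
    print(carve_appended_host(infected) == host)
```

Two caveats a practitioner should keep in mind. Many legitimate files carry an overlay (Authenticode signatures, installer payloads, self-extracting archives), so the signal here is an overlay that is itself a complete PE image, and even that needs confirmation by hash or scanner before a file is declared infected. Carving the host only works for a pure prepender like the one described on this page; a variant that also patches the host must be handled by a dedicated removal tool.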
2) Script files
The virus appends to the end of these script files code that loads a downloaded script file; that script contains two image links.
Both image links point at files crafted to trigger the ANI vulnerability, and the image data carries the overflow attack code, so any web page that includes the injected Noindex.js script becomes a source of drive-by infection.
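The "image" files referred to above are animated cursors (RIFF files with form type ACON) served under image links, since the Windows cursor loader sniffs the RIFF content rather than the file extension. The commonly described shape of an MS07-017 exploit file is a well-formed 36-byte anih chunk followed by a second anih chunk whose declared length is larger than the fixed ANIHEADER structure it is copied into. The following added example (not code from the advisory or from any vendor) walks the RIFF chunk tree of a cursor file and flags exactly those conditions: an anih chunk that is not 36 bytes, more than one anih chunk, and chunk lengths that run past the end of the file. The three sample files are constructed in the code and are not real cursors.

```python
import struct

ANIH_SIZE = 36   # sizeof(ANIHEADER): nine DWORD fields


def chunk(fourcc: bytes, payload: bytes) -> bytes:
    """Encode one RIFF chunk: fourcc, little-endian length, payload padded to a word boundary."""
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def riff_acon(chunks) -> bytes:
    """Wrap chunks in a RIFF container with form type ACON (an animated cursor)."""
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# ANIHEADER fields: cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
ANIH_OK = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)

# Constructed samples (not real cursor files): a well-formed cursor; a file with a second,
# 100-byte anih chunk; and a file whose second anih declares 0x1000 bytes it does not have.
BENIGN_ANI = riff_acon([chunk(b"anih", ANIH_OK),
                        chunk(b"LIST", b"fram" + chunk(b"icon", b"\x00" * 24))])
MALICIOUS_ANI = riff_acon([chunk(b"anih", ANIH_OK), chunk(b"anih", b"A" * 100)])
TRUNCATED_ANI = riff_acon([chunk(b"anih", ANIH_OK),
                           b"anih" + struct.pack("<I", 0x1000) + b"A" * 16])


def iter_chunks(data: bytes, start: int, end: int, depth: int = 0):
    """Yield (fourcc, declared_size, body_offset, depth), descending into LIST chunks."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        yield fourcc, size, body, depth
        if fourcc == b"LIST" and size >= 4:
            # a LIST carries a 4-byte list type followed by nested chunks
            yield from iter_chunks(data, body + 4, min(body + size, end), depth + 1)
        pos = body + size + (size & 1)        # chunks are word aligned


def check_ani(data: bytes):
    """Return a list of findings; an empty list means the file passed these checks."""
    findings = []
    if data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    declared = struct.unpack_from("<I", data, 4)[0]
    if declared + 8 != len(data):
        findings.append(f"RIFF length {declared} does not match file length {len(data) - 8}")
    anih_seen = 0
    for fourcc, size, body, depth in iter_chunks(data, 12, len(data)):
        pos = body - 8
        if body + size > len(data):
            findings.append(f"chunk {fourcc!r} at {pos} declares {size} bytes and runs past end of file")
        if fourcc == b"anih":
            anih_seen += 1
            if size != ANIH_SIZE:
                findings.append(f"anih at {pos} declares {size} bytes, expected {ANIH_SIZE}")
    if anih_seen > 1:
        findings.append(f"{anih_seen} anih chunks present, expected exactly one")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_ANI), ("malicious", MALICIOUS_ANI),
                         ("truncated", TRUNCATED_ANI)):
        print(name, check_ani(sample) or "clean")
```

Because the loader ignores extensions, run this check on the bytes of anything fetched from a page that was modified the way section 3 describes, whatever the link calls the file. The check is a structural heuristic for the one bug the page is about; it does not parse the icon frames and is not a substitute for the patch.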
4. Downloads files from specified websites
It downloads the trojan and virus update programs from websites specified in the virus body.
5. Spreads by e-mail
The virus mail has the following characteristics:
Sender: I_love_cq@sohu.com
Subject: Who was with you when the video was taken? Laughing at you!
Body:
Look at the state you're in! I think you're famous!
Look at this address! Your face is so clear! You've become a star! http://*****.microfsot.com/?##/134952.htm
If the user clicks the link, the web page carrying the virus infects the machine (note that the domain is a misspelling imitating microsoft.com).
6. Other behaviour
It enumerates drives A to Z. For every drive of type "removable storage" it copies its own file to the drive as tool.exe and generates an autorun.inf on the drive so that the copy runs automatically, spreading the virus to any machine the drive is plugged into. It also modifies the hosts file to block access to a number of URLs, most of which were previously used to spread other viruses.
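The two host-side artefacts in section 6, an autorun.inf that launches tool.exe from a removable drive and hosts-file entries that black-hole other sites, are both plain text and can be triaged without running anything. The following added example (written for this page; not the advisory's or any vendor's code) parses an autorun.inf for every key that can launch a program, checks whether each launch target actually exists on the drive, and lists hosts-file entries that point non-local names at a loopback or null address. The sample autorun.inf and hosts contents are constructed to match the page's description, and demo_removable_drive builds a temporary directory standing in for a USB drive.

```python
import os
import tempfile

# Constructed sample autorun.inf in the shape the page describes (launches tool.exe).
SAMPLE_AUTORUN_INF = r"""[AutoRun]
open=tool.exe
shellexecute=tool.exe
shell\open\Command=tool.exe
shell\explore\Command=tool.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Constructed sample hosts file with two black-hole entries of the kind the worm adds.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-av.test    # added by the worm (constructed entry)
0.0.0.0         www.other-malware.test
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
NULL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_autorun_inf(text: str) -> dict:
    """Return the key=value pairs of the [AutoRun] section with keys lowercased."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launch_targets(text: str):
    """Return (key, command) for every entry that can run a program: open, shellexecute, shell\\*\\command."""
    targets = []
    for key, value in parse_autorun_inf(text).items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets


def hosts_blackholes(text: str):
    """Return (address, hostname) for entries that send a non-local name to a loopback or null address."""
    hits = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()          # drop comments, then whitespace-split
        if len(parts) < 2:
            continue
        address, names = parts[0], parts[1:]
        for name in names:
            if address in NULL_ADDRESSES and name.lower() not in LOCAL_NAMES:
                hits.append((address, name))
    return hits


def scan_drive_root(root: str):
    """Read <root>/autorun.inf and report (key, command, target_exists) for each launch entry."""
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return []
    with open(inf_path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    report = []
    for key, command in autorun_launch_targets(text):
        tokens = command.strip('"').split()
        target = tokens[0] if tokens else command     # executable is the first token
        report.append((key, command, os.path.isfile(os.path.join(root, target))))
    return report


def demo_removable_drive():
    """Stand-in for an infected USB drive: a temp dir holding autorun.inf and a dummy tool.exe."""
    with tempfile.TemporaryDirectory() as drive:
        with open(os.path.join(drive, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        with open(os.path.join(drive, "tool.exe"), "wb") as fh:
            fh.write(b"MZ")                           # placeholder, not a real binary
        return scan_drive_root(drive)


if __name__ == "__main__":
    for entry in demo_removable_drive():
        print("autorun launch:", entry)
    for entry in hosts_blackholes(SAMPLE_HOSTS):
        print("hosts black-hole:", entry)
```

When a launch target such as tool.exe exists at the drive root next to the autorun.inf, treat the drive as infected and scan it before opening it in Explorer. The hosts-file check reports every redirected name; the worm's own entries cannot be told apart from an administrator's deliberate blocks without a reference copy, so compare against a known-good hosts file from the same environment.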
Solution:
1. Users whose computers are not yet infected should install Microsoft's patch for this vulnerability (KB925902, security bulletin MS07-017) as soon as possible, update their anti-virus software promptly, and enable its real-time monitoring function.
2. Users whose computers are infected by one of the variants should download the dedicated removal tool as soon as possible, scan and disinfect the system, and then install the Microsoft patch (KB925902). Removable drives and writable network shares that were attached to the infected machine should be scanned as well, since the worm infects files there and leaves autorun.inf and tool.exe on removable media; without the patch the machine can simply be reinfected from a web page.
Download link:
http://download.jiangmin.info/jmsoft/ANIWormKiller.exe (Jiangmin)
Microsoft security bulletin:
http://www.microsoft.com/technet/security/bulletin/ms07-017.mspx
Security suggestions:
1. Computer users on a LAN should avoid creating writable shared directories; users who have already created them should stop sharing immediately.
2. Unless it is needed, Windows 2000/XP users should disable the IPC$ share and set a complex password on every account with administrator privileges.
3. Install Microsoft security updates promptly, and do not visit websites of unknown origin.
4. Install anti-virus software and keep its virus definition database up to date.
5. When exchanging files with USB flash drives or other removable media, enable the anti-virus software's real-time monitoring or scan the media with it first, and disable AutoPlay.
6. Use the operating system's default AutoPlay feature with caution to avoid infection while using removable storage media. With administrator rights you can disable it as follows (the policy works by setting the NoDriveTypeAutoRun value to 0xFF under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, in HKLM for the computer policy and HKCU for the user policy):
Windows XP users:
Click Start > Run, type gpedit.msc and click OK to open Group Policy;
Choose Computer Configuration > Administrative Templates > System;
In the settings on the right, double-click "Turn off Autoplay" to open its properties;
Select Enabled, choose "All drives" in the drop-down box, and click OK;
Likewise, choose User Configuration > Administrative Templates > System;
In the settings on the right, double-click "Turn off Autoplay" to open its properties;
Select Enabled, choose "All drives" in the drop-down box, and click OK.
AutoPlay is now disabled.
Note: on Windows 2000 the Group Policy editor is opened through the management console: choose Start > Run,
type mmc and click OK to open the console, select Add/Remove Snap-in from the Console menu, click Add, select Group Policy, and click Add.