Analyze and clear the Win32.Troj. Unknown. a.412826 Virus

Author: Past Events
[IT168] Today's virus is becoming increasingly sophisticated, so that users can immediately fall into the door of harm without being careful. The win32.troj.unknown.a.412826(kvmon.exe) virus is found in the nearest network. Although the virus is not a small source, it is enough to make users feel uneasy. Its harmful capabilities allow malicious users to remotely control infected computers, in this way, the information in the victim server is leaked.
Virus analysis
The virus file name is kvmon.exe. The file size is 412829 bytes. The name of the virus file is as follows: Kingsoft drug overlord (Win32.Troj. unknown. a.412826), AVG (Generic9.AQHK), and dr. An V3 (Win-Trojan/others) executable files. The following registry items will be modified to enable the virus to start automatically after it is started:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon
(Registry value) Userinit
REG_SZ, "C: WINDOWSsystem32userinit.exe ,"
Change to REG_SZ, "C: windowssystem32userinit.exe, C: windowsKvmon.exe-ini
Then, start the IE process and inject Kvmon. dll into it. Then, the Registry will be added separately and the following registry key will be read to restore the external connection and accept hacker control. The key value is as follows:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionSetup
(Registry value) Beizhu = REG_SZ, "online"
(Registry value) Info = REG_SZ, "46821973"> http: // www.5311 × 0. com/vip/6880579/ip.txt> 46821973>
Launch> Remote launch host> 25> 0> 1080> guest> 123456>"
After the virus is completely released, the original program starts to use the cmd.exe program to delete old files.
Clearing method
Secret open the registry and navigate to HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon (registry value) Userinit. click Modify to modify it to C: WINDOWSsystem32userinit.exe. (TIPS: the comma cannot be omitted here, for the 2000/NT System, C: winntsystem32userinit.exe. Delete the kvmon.dlland kvmon.exe files in the Windows directory.
Security suggestions
After the virus is cleared, the user should immediately reinforce the system security and install patches, and upgrade the virus library used to kill software. The user should perform virus scanning before using a USB flash drive, mp3, and other third-party storage devices, you need to develop a good habit of right-clicking when you open any disk device to prevent the activation of unknown viruses. It is recommended that all computer operators Install patches for the system in time and upgrade the anti-virus software in the system to the data update library on the day. Enable the protection center to enable all protection, prevent viruses from intruding into the computer through IE vulnerabilities (depending on the specific requirements of the Local Machine), and establish good security habits. Do not randomly browse poor websites to download and install suspicious plug-ins, to scan the entire disk from time to time for antivirus purposes, put important data and passwords in the system under the protection of third-party security software, such as online banking and online games. Experienced users can also set related policies for the local machine, for example, use the port policy function to block various remote control ports and Trojan channels of computers, and enter gpedit in the running menu. the msc command calls up the Group Policy menu, and configures related administrator accounts, passwords, and various security management settings. Then, you can use the NTFS format for each partition, to reinforce the security of the local machine and reduce hazards.
Editor's note: Virus and Trojan are not terrible, and different virus methods are also different. As a network user, always be vigilant and enable the firewall and various types of monitoring in real time, and keep abreast of the latest virus information and methods to immediately resist the virus. To prevent malicious users from using remote control software for system data monitoring and remote control operations, so as to prevent leakage of confidential data.