"A few days ago the Panda Burning Incense virus wrecked my computer, and the 'national treasure' only went away a few days ago. Today, after I downloaded a small tool online, the machine started running slowly and several program icons turned into the portrait of a handsome man whose eyes glow like light bulbs. I guess it's a virus again. It's really depressing!" Mr. Chen said helplessly.
Dai Guangjian, an anti-virus expert at Kingsoft Duba, pointed out that this is a file-infecting virus named "Win32.WizardBoy.a", also known as "Light Bulb Man" or "Dancing Man". The virus infects executable files with the extensions .exe and .scr and spreads over the LAN. When a network connection is available, it also downloads other viruses from the Internet.
According to Kingsoft Duba experts, "Light Bulb Man" and "Panda Burning Incense" are very similar in their behavior. Although "Light Bulb Man" has not yet caused a large-scale outbreak, users should still be vigilant. Below is a detailed analysis of the virus by a Kingsoft Duba expert, offered to help users.
Virus Behavior Analysis of Win32.WizardBoy.a:
1. Drops the virus file to C:/Program Files/Internet Explorer/icwtutor.com and the virus DLL to C:/Program Files/Internet Explorer/PLUGINS/nppd32.dat. When an infected file is run, the virus also launches the original program in a separate process.
2. Add the following registry key:
[HKLM/Software/Microsoft/Windows/CurrentVersion/Run]
"Internet Explorer Server" = "C:/Program Files/Internet Explorer/icwtutor.com"
3. Starts an IE process, injects the virus file nppd32.dat into it, and reads an encrypted list of download addresses from the following URL, then downloads the viruses it lists:
Http://www.04080.com/vip/1.txt
The decrypted virus addresses are:
Http://www.04080.com/vip/mhxy.exe
Http://www.04080.com/vip/gezi.exe
Http://www.04080.com/vip/huaxia.exe
Http://www.04080.com/vip/wlwz.exe
Http://www.04080.com/vip/mlbb.exe
Http://www.04080.com/vip/datang.exe
4. Searches for all files with the extensions .exe and .scr and infects them.
5. Attempts to write itself to AutoExec.bat through the C$ administrative share of other machines on the LAN (C$/AutoExec.bat). If the remote write succeeds, the remote system runs autoexec.bat automatically at its next restart, which starts the virus.
6. After infection, a file's icon changes to the "light bulb man" portrait described above.
Solution:
1. Restart the system, press F8, and select Safe Mode with Networking.
2. Go to the Kingsoft website and run update.exe directly to upgrade the anti-virus software to the latest version.
3. Run a full scan and repair the infected executable files.
4. Delete the registry startup entry under HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run:
Internet Explorer Server ---> C:/Program Files/Internet Explorer/icwtutor.com
and delete the file C:/Program Files/Internet Explorer/icwtutor.com
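As an added example (not Kingsoft's code and not part of the original advisory), the following PowerShell script checks a Windows host for the indicators listed in the behavior analysis above (the Run value, the two dropped files, the AutoExec.bat written during LAN spread) and, when run with -Remove, carries out cleanup step 4. It also removes the dropped DLL nppd32.dat named in the analysis. The process name icwtutor and the location of AutoExec.bat in the system drive root are assumptions.

```powershell
# Added example, not part of the Kingsoft advisory. Checks for Win32.WizardBoy.a
# indicators and, with -Remove, performs cleanup step 4.
# Run from an elevated PowerShell prompt, ideally in Safe Mode with Networking
# so that neither icwtutor.com nor an IE process holding nppd32.dat is running.
param([switch]$Remove)

$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Internet Explorer Server'
$ieDir     = Join-Path $env:ProgramFiles 'Internet Explorer'
$dropper   = Join-Path $ieDir 'icwtutor.com'
$dll       = Join-Path $ieDir 'PLUGINS\nppd32.dat'
$autoexec  = Join-Path $env:SystemDrive 'AutoExec.bat'   # assumed: file written via C$ during LAN spread

$findings = @()

# Persistence: the Run value named in the advisory
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$valueName]) {
    $findings += "Run value '$valueName' = $($run.$valueName)"
}

# Dropped files
foreach ($f in @($dropper, $dll)) {
    if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
}

# LAN-spread artifact: an unexpected AutoExec.bat in the system drive root
if (Test-Path -LiteralPath $autoexec) {
    $findings += "AutoExec.bat present at $autoexec (inspect its contents)"
}

# Running copy of the dropper (process name 'icwtutor' is an assumption)
$procs = @(Get-Process -Name icwtutor -ErrorAction SilentlyContinue)
foreach ($p in $procs) { $findings += "Process running: $($p.ProcessName) (PID $($p.Id))" }

if ($findings.Count -eq 0) {
    'No WizardBoy indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
    if ($Remove) {
        $procs | Stop-Process -Force -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
        foreach ($f in @($dropper, $dll)) {
            if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force }
        }
        'Removed the Run value and dropped files; run a full anti-virus scan next to repair infected .exe/.scr files.'
    }
}
```

Removing the dropper and the Run value only stops the virus from restarting; the .exe and .scr files it has already infected still carry the virus body, which is why step 3 (a full scan and repair) has to run as well.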
Protection suggestions:
1. We recommend installing system patches at least once a month using Windows Update or the Kingsoft Duba vulnerability repair tool;
2. Set a complex password for the system administrator account. A secure password combines letters, numbers and special characters and is at least seven characters long.
To change it: right-click My Computer, select Manage, browse to Local Users and Groups, find the Administrator user in the right pane, right-click it and select Set Password.
3. Use the Control Panel to make sure that Windows Firewall or the Kingsoft network firewall is enabled; this effectively blocks virus intrusion over the network.
4. Close unnecessary shares: right-click My Computer, select Manage, browse to Shared Folders, and stop any unneeded shares in the right pane.
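As an added example (not Kingsoft's code and not part of the original advisory), the following PowerShell functions do from the command line what protection suggestion 4 describes in Computer Management: list every share the host exposes, tag each one so that the C$ administrative share used by the virus's LAN-spread step stands out, and stop a named user share. The share classification and the function names are this example's own.

```powershell
# Added example, not part of the Kingsoft advisory.
# Lists the shares this host exposes and tags each as built-in (ADMIN$, IPC$, print$),
# an administrative drive share (C$, D$ ... the path WizardBoy writes AutoExec.bat through),
# or a user share that should be stopped if it is not needed.
function Get-ShareAudit {
    $builtIn = @('ADMIN$', 'IPC$', 'print$')
    Get-WmiObject -Class Win32_Share | ForEach-Object {
        $kind = if ($_.Name -match '^[A-Z]\$$')     { 'admin-drive' }
                elseif ($builtIn -contains $_.Name) { 'built-in' }
                else                                { 'user' }
        New-Object PSObject -Property @{ Name = $_.Name; Path = $_.Path; Kind = $kind }
    }
}

# Stops a user share by name (same effect as "Stop Sharing" in Computer Management).
# Refuses to touch built-in or administrative shares; those are handled separately, see note below.
function Stop-UserShare {
    param([Parameter(Mandatory = $true)][string]$Name)
    $share = Get-WmiObject -Class Win32_Share -Filter "Name='$Name'"
    if (-not $share) { throw "No share named '$Name' on this host" }
    if ($share.Name -match '^[A-Z]\$$' -or $share.Name -match '\$$') {
        throw "'$Name' is an administrative or built-in share; not removing it here"
    }
    $result = $share.Delete()       # Win32_Share.Delete returns 0 on success
    if ($result.ReturnValue -ne 0) { throw "Failed to remove share '$Name' (code $($result.ReturnValue))" }
    "Stopped sharing '$Name' ($($share.Path))"
}

# Usage:
#   Get-ShareAudit | Format-Table Name, Kind, Path -AutoSize
#   Stop-UserShare -Name 'OldDocs'
```

Two caveats a practitioner will want. First, the administrative shares (C$, ADMIN$) are recreated by the Server service at every boot, so stopping them in Computer Management or with WMI only lasts until the next restart; disabling them permanently is done through the LanmanServer service parameters (the AutoShareWks value on workstations, AutoShareServer on servers). Second, writing to C$ on another machine requires administrator credentials on that machine, which is exactly why suggestion 2 (a strong administrator password) and suggestion 4 reinforce each other against the LAN-spread step described in the analysis.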