Complete Solution for the Aini (ANI) Virus

Source: Internet
Author: User

Recently a worm exploiting the ANI vulnerability has been very active (the National Computer Virus Emergency Response Center has named it "Aini"). For a time the media rushed to report it and many users were affected, but most were left confused: what do you actually do once you are infected? Although there are many articles about the virus on the Internet, most stop at describing it, and the few that mention a solution say so little that an infected user gets almost no help.
Li Tiejun, an anti-virus engineer at Kingsoft Antivirus (Duba), described the prevention and removal of this virus in detail on his blog, hoping to help users who are already infected.

Next we introduce the "Aini" (ANI) worm.

Virus name: Aini (aliases: Maiying, ANI worm)

English names: Myinfect.af / DlOnlineGames / Trojan-Downloader.Win32.Agent.bky

Technical Analysis

1. Drops the virus file to the following path:

%System%\sysload3.exe

2. Modifies the registry, adding the following value:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

"System Boot Check" = "C:\Windows\System32\sysload3.exe"

3. Starts an IE process, injects virus code into it, and connects to the network to download a large number of viruses and Trojans; when a newer version of the virus is available it downloads the update.

4. Sends email to spread itself:

Subject: Who were you filmed with on video? Laughing at you!

Body: Look at what you look like! I think you are famous!

Look at this address! Your face is so clear! You have become a star!

5. Starts a notepad.exe process, traverses local drives and network shared directories, and infects .exe files as well as web pages with the extensions .asp, .jsp, .php, .htm, .aspx and .html, which makes the virus hard to detect and clean up.

6. Modifies the hosts file to block access to some websites.

7. Checks for a floppy drive. If a disk is present it copies itself there as tool.exe and writes an autorun.inf, so that the virus runs automatically and spreads itself.


 

This is probably a bug in the worm's code, since floppy drives have by now almost disappeared. If you see the following prompt box, you may be infected with the "Aini" ("Love You") virus.

Removal steps:

1. Many Trojans and viruses exploit the ANI vulnerability, and there are many variants of the Aini virus itself. Moreover, Aini is a file-infecting worm that corrupts .exe programs and web page files, so we recommend first running anti-virus software to scan and clean the system.

2. Manually terminate the notepad.exe and iexplore.exe processes first.

3. Delete the virus startup item:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"System Boot Check" = "%System%\sysbmw.exe"

4. Delete the virus files it references:

%System%\sysbmw.exe

%System%\sys_ini.ini
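The four steps above are done by hand. As an added example (not Kingsoft's tool and not code from the original post), the following Python script applies the same indicators from this page: a Run value named "System Boot Check" or pointing at sysload3.exe / sysbmw.exe, the files named under %System%, hosts-file entries that block websites, and an autorun.inf that launches tool.exe. The decision functions are pure and are exercised on constructed sample data so they run anywhere; scan_live() applies them to a real Windows host and only reports unless remove=True. The hosts heuristic (any non-local hostname pointed at a loopback or null address) is my assumption, since the page does not say which sites the worm blocks.

```python
"""Offline triage for the Aini worm indicators listed above.
Added example, not the original article's or Kingsoft's code."""
import os
import re
import sys

RUN_KEY = r'Software\Microsoft\Windows\CurrentVersion\Run'
AINI_VALUE_NAME = 'system boot check'                       # autostart value name from the analysis above
AINI_FILES = {'sysload3.exe', 'sysbmw.exe', 'sys_ini.ini'}  # payloads dropped under %System%
AINI_DROPPER = 'tool.exe'                                   # copy left on removable media with autorun.inf
LOOPBACK = {'127.0.0.1', '0.0.0.0', '::1'}
LOCAL_NAMES = {'localhost', 'localhost.localdomain', 'broadcasthost', 'ip6-localhost', 'ip6-loopback'}


def is_aini_run_value(name, data):
    """True if a Run-key value is the worm's autostart entry, by value name or by target file."""
    target = re.split(r'[\\/]', data.strip().strip('"'))[-1].lower()   # basename, either slash style
    return name.strip().lower() == AINI_VALUE_NAME or target in AINI_FILES


def suspicious_hosts_entries(hosts_text):
    """(ip, hostname) pairs that sink a real hostname into a loopback/null address.
    Assumption: a clean hosts file only maps local names there; the page does not name
    the sites the worm blocks, so every other such entry is reported for review."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip in LOOPBACK:
            hits.extend((ip, n) for n in names if n.lower() not in LOCAL_NAMES)
    return hits


def autorun_target(autorun_text):
    """Program an autorun.inf would launch (open= or shellexecute= in [autorun]), or None."""
    in_autorun = False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if line.startswith('['):
            in_autorun = line.lower() == '[autorun]'
        elif in_autorun and '=' in line:
            key, value = line.split('=', 1)
            if key.strip().lower() in ('open', 'shellexecute'):
                return value.strip()
    return None


def scan_live(remove=False):
    """Apply the checks to this Windows host and return the findings. Deletes only with remove=True.
    Terminate the worm's notepad.exe/iexplore.exe first (step 2 above), or it re-creates the value."""
    import winreg  # Windows only; imported here so the pure checks above run on any platform
    findings = []
    access = winreg.KEY_READ | (winreg.KEY_WRITE if remove else 0)
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY, 0, access) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            if is_aini_run_value(name, str(data)):
                findings.append(f'Run value {name!r} -> {data}')
                if remove:
                    winreg.DeleteValue(key, name)
                    continue          # indices shift after a delete; re-read the same slot
            i += 1
    sysdir = os.path.join(os.environ.get('SystemRoot', r'C:\Windows'), 'System32')
    for fname in AINI_FILES:
        path = os.path.join(sysdir, fname)
        if os.path.exists(path):
            findings.append(f'file {path}')
            if remove:
                os.remove(path)
    hosts = os.path.join(sysdir, 'drivers', 'etc', 'hosts')
    if os.path.exists(hosts):
        with open(hosts, errors='replace') as fh:
            findings.extend(f'hosts {host} -> {ip}' for ip, host in suspicious_hosts_entries(fh.read()))
    return findings


# Constructed samples (not captured from a real infection) so the checks can be run offline.
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 update.example-av.test  # added by malware\n"
SAMPLE_AUTORUN = "[autorun]\nopen=tool.exe\nicon=tool.exe\n"

if __name__ == '__main__':
    print(is_aini_run_value('System Boot Check', r'C:\Windows\System32\sysload3.exe'))
    print(suspicious_hosts_entries(SAMPLE_HOSTS))
    print(autorun_target(SAMPLE_AUTORUN) == AINI_DROPPER)
    if os.name == 'nt':
        print(scan_live(remove='--remove' in sys.argv))
```

Run it without arguments to report, and with --remove once the worm's processes are dead. Deleting the startup value and the dropped files does not repair the .exe and web files the worm has infected, so a full anti-virus scan (step 1) is still required afterwards.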

Protection measures:

1. Do not click links sent via MSN, QQ or email.

2. Watch for vulnerability patch information released by Microsoft, and download and install the patch as soon as it is released.

3. Upgrade your anti-virus software. Kingsoft Antivirus has been updated to provide an immunization program against both the ANI vulnerability itself and the Aini worm, which effectively prevents this kind of infection while browsing.

Appendix: how to deal with the virus crisis caused by the ANI vulnerability

Last week, Kingsoft Anti-Virus Center found some websites spreading Trojans by exploiting the Windows animated cursor (ANI) file vulnerability. These Trojans are generally account-stealing Trojans. At that time Microsoft had not yet released a patch for the vulnerability, and web-Trojan generators built on it had already appeared on the Internet.

The worm also modifies the hosts file and downloads other Trojans and virus programs. Spreading over the LAN, it can paralyze large parts of an intranet. More seriously, the Microsoft animated cursor (ANI) vulnerability also affects Windows Vista, which was heavily promoted for its security; a user who opens a web page or email containing the malicious code is infected immediately. Kingsoft Anti-Virus Center has provided an immunization program against this vulnerability, and according to the latest statistics it blocked more than 30,000 attacks in a single day.

Symptoms of the vulnerability:

When you visit a web page carrying the exploit, the IE window may feel slow and sometimes stop responding, and some anti-virus software reports a Trojan or virus. Only a few users notice this; most see nothing obvious.

Affected operating systems:

Windows 2000

Windows XP 32/64

Windows 2003 32/64

Windows Vista 32/64

Affected browsers:

IE6, IE7, Firefox and Opera

Other affected applications:

QQ, MSN, email clients, ACDSee, RSS readers

Removal method:

This vulnerability is being exploited to spread a large number of Trojans and viruses, and the "Aini" worm also infects executable programs, which makes manual cleanup harder. Because there are so many of these viruses, Kingsoft Anti-Virus Center will not provide a dedicated removal tool for this vulnerability. We recommend installing Kingsoft Antivirus and upgrading immediately to the latest virus database to remove the Trojans and viruses known to exploit this vulnerability. Once an enterprise user finds the "Aini" virus on the intranet, the whole network should be scanned and cleaned immediately. Kingsoft's emergency update on April 3 also added immunization against the "Aini" worm, which prevents it from spreading through other channels.
 
The vulnerability bulletin is MS07-017, "Vulnerabilities in GDI Could Allow Remote Code Execution (925902)". It affects all Windows systems based on the NT architecture, its severity rating is Critical, and all users are advised to install the update immediately. The patch supersedes the earlier KB912919 (MS06-001). Microsoft released patches for seven operating system versions.
http://www.microsoft.com/technet/security/bulletin/ms07-017.mspx
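The bulletin above describes the bug only as a GDI remote code execution issue. The animated-cursor defect it fixes (CVE-2007-0038, not cited on this page) is a stack overflow in the code that loads a RIFF "ACON" file: the anih chunk carries a 36-byte ANIHEADER, and a second or later anih chunk with a larger declared length overruns the fixed-size buffer. As an added example, not from the original article or from Kingsoft, the following Python checker walks the RIFF chunks of an .ani file and flags any anih chunk whose length is not 36 or that appears more than once. It is a file-format sanity check for mail attachments or cached cursors on hosts that are still unpatched, not an exploit; both sample files are constructed inside the script.

```python
"""Checker for the RIFF 'ACON' animated-cursor format. Added example, not the
article's or Kingsoft's code. Flags the malformed anih chunk that triggers
CVE-2007-0038 (the MS07-017 animated-cursor bug) instead of loading the file."""
import struct

ANIH_SIZE = 36   # sizeof(ANIHEADER): the only legitimate length of an anih chunk


def iter_chunks(buf, start, end):
    """Yield (fourcc, data_offset, size, truncated) for each chunk in buf[start:end].
    A chunk whose declared size runs past `end` is reported as truncated and ends the walk."""
    pos = start
    while pos + 8 <= end:
        fourcc = buf[pos:pos + 4]
        size = struct.unpack_from('<I', buf, pos + 4)[0]
        data = pos + 8
        if data + size > end:
            yield fourcc, data, size, True
            return
        yield fourcc, data, size, False
        pos = data + size + (size & 1)   # RIFF chunks are padded to an even length


def collect_chunks(buf, start, end, found):
    """Flatten the chunk tree, descending into LIST chunks (skipping their 4-byte list type)."""
    for fourcc, data, size, truncated in iter_chunks(buf, start, end):
        if fourcc == b'LIST' and not truncated:
            collect_chunks(buf, data + 4, data + size, found)
        else:
            found.append((fourcc, size, truncated))


def check_ani(buf):
    """Return (verdict, reasons): 'ok', 'malformed' (damaged or not ACON) or 'suspicious'
    (an anih chunk longer than ANIHEADER, the CVE-2007-0038 trigger)."""
    if len(buf) < 12 or buf[:4] != b'RIFF' or buf[8:12] != b'ACON':
        return 'malformed', ['not a RIFF/ACON file']
    riff_size = struct.unpack_from('<I', buf, 4)[0]
    end = min(len(buf), 8 + riff_size)   # never trust the declared RIFF size over the real length
    found = []
    collect_chunks(buf, 12, end, found)
    anih = [(size, trunc) for fourcc, size, trunc in found if fourcc == b'anih']
    reasons = []
    oversized = False
    for i, (size, _) in enumerate(anih, 1):
        if size != ANIH_SIZE:
            oversized = oversized or size > ANIH_SIZE
            reasons.append(f'anih #{i} declares {size} bytes, expected {ANIH_SIZE}')
    if not anih:
        reasons.append('no anih chunk')
    if len(anih) > 1:
        reasons.append(f'{len(anih)} anih chunks; a cursor needs exactly one')
    if any(trunc for _, _, trunc in found):
        reasons.append('chunk size runs past end of file')
    if oversized:
        return 'suspicious', reasons
    return ('malformed', reasons) if reasons else ('ok', reasons)


def chunk(fourcc, data):
    """Encode one RIFF chunk: header, payload, pad byte if the payload length is odd."""
    return fourcc + struct.pack('<I', len(data)) + data + (b'\0' if len(data) & 1 else b'')


def build_ani(extra=b''):
    """Constructed sample: a one-frame ACON with a 36-byte ANIHEADER and a dummy icon payload.
    `extra` is inserted after the first anih chunk, where an oversized second anih would sit."""
    # cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
    header = struct.pack('<9I', ANIH_SIZE, 1, 1, 0, 0, 0, 0, 10, 1)
    frames = chunk(b'LIST', b'fram' + chunk(b'icon', b'\0' * 22))
    body = b'ACON' + chunk(b'anih', header) + extra + frames
    return b'RIFF' + struct.pack('<I', len(body)) + body


BENIGN_ANI = build_ani()
OVERSIZED_ANI = build_ani(chunk(b'anih', b'A' * 0x400))   # second anih claiming 1024 bytes

if __name__ == '__main__':
    for label, sample in (('benign', BENIGN_ANI), ('oversized', OVERSIZED_ANI)):
        print(label, check_ani(sample))
```

The checker deliberately trusts neither the RIFF size field nor a chunk's declared length: it clamps every walk to the bytes actually present and reports a chunk that overruns its parent as truncated, which is exactly the discipline the vulnerable loader lacked.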

Patch download pages (KB925902) for each operating system version; genuine-Windows validation is not required:

Windows XP

Windows XP x64

Windows Vista

Windows Vista x64

Windows 2003

Windows 2003 x64

Windows 2000

 
