Detailed analysis report on the 8749 virus (virus-type rogue software)

Source: Internet
Author: User

The 8749 virus is a typical virus-type rogue software. Its most visible symptom is that the browser home page is locked to www.8749.com. Within just a few days, several variants of the 8749 virus have appeared; judging by how quickly the variants are appearing, this rogue software is expected to spread widely on the Internet soon. Rogue software 8749 not only has the basic features of rogue software, but also uses the most popular modern virus attack techniques, such as deleting system files and sabotaging Safe Mode, so its virus characteristics are very obvious. Because it borrows some of the latest virus attack techniques from AV Terminator (the "virus king" of the first half of the year), it is difficult for ordinary users to remove it completely.

Virus behavior:
1. Clears the HOSTS file by deleting the file, moving it, or overwriting it with empty content.

2. Keeps its own program files open (file-occupation technique) so that they cannot be deleted.

3. Modifies registry keys to disable Windows XP System Restore, and modifies the Internet Explorer home-page and search keys:
Software\Microsoft\Internet Explorer\Search
Software\Microsoft\Internet Explorer\Main

4. Adds a registry startup entry. Because the virus file name is generated randomly, the names of the infected files differ from one computer to another. It modifies HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce to register its component automatically.

5. Destroys Safe Mode by clearing everything under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot, so that the system cannot be booted into Safe Mode for troubleshooting; attempting to start in Safe Mode results in a blue screen.


6. Terminates any window whose title contains one of the following strings:
Btbaicai
Wopticlean
360 safe
8749 virus
8749 kill
Kaka
Security guard
Iefix
8749.com
Clear 8749
Delete 8749

7. A companion DLL downloads, every 20 minutes, a list of websites to block from http://up.yinlew.com:8080/hellohost515.ini?P=%s&t=%d. The downloaded file is saved as %sys32dir%\andttrs in hosts-file format, with each line mapping a blocked domain (mostly Chinese navigation and download portals such as www.hao123.com and www.2345.com) to the address 125.91.1.20.

8. Generates a .sys driver with the same name as the companion DLL. The driver monitors its own service registration keys (with an independent monitoring thread, and with WINLOGON monitoring at startup); if security software modifies them, the virus changes them back.

9. Hooks IRP_MJ_SET_INFORMATION in the underlying file system (an IRP hook) so that its files cannot be deleted or renamed.

10. Hooks ZwCreateFile and, when system32\drivers\etc\hosts is accessed, redirects the access to %sys32dir%\andttrs. This is equivalent to replacing the system hosts file with andttrs and has the same effect as modifying the HOSTS file; the resulting local domain-name mapping can only be prevented by modifying andttrs or removing the hook.
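An added example (not from the original report) to help a defender triage the block list described in items 7 and 10: it parses the hosts-format file the virus stores as %sys32dir%\andttrs and flags any routable IP address that absorbs many host names, the pattern of a portal-hijack list. The sample content, the file path and the threshold are constructed for this illustration; on a live infected system, opening the hosts file returns the andttrs content because of the ZwCreateFile hook, so the script takes the file path as an explicit argument.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the hosts-file format the report describes for
# %sys32dir%\andttrs: one IP address followed by one or more host names per line.
SAMPLE_ANDTTRS = """\
# constructed sample, not the real downloaded file
125.91.1.20 www.hao123.com
125.91.1.20 www.2345.com
125.91.1.20\twww.5566.net
125.91.1.20 www.9991.com
127.0.0.1 localhost
10.0.0.5 intranet.example.test
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-format text, skipping comments and junk."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address; not a hosts entry
        for host in fields[1:]:
            pairs.append((str(ip), host.lower()))
    return pairs

def find_sinkholes(pairs, threshold=3):
    """Flag routable target IPs that absorb at least `threshold` host names.
    Loopback/unspecified targets are the ordinary way to block a site; fan-in
    onto a remote IP is the hijack pattern in the report (everything -> 125.91.1.20)."""
    by_ip = defaultdict(set)
    for ip, host in pairs:
        by_ip[ip].add(host)
    flagged = {}
    for ip, hosts in by_ip.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified or len(hosts) < threshold:
            continue
        flagged[ip] = sorted(hosts)
    return flagged

if __name__ == "__main__":
    import sys  # optional argument: path of the shadow file, e.g. C:\Windows\system32\andttrs
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_ANDTTRS
    for ip, hosts in find_sinkholes(parse_hosts(text)).items():
        print(f"{ip} sinkholes {len(hosts)} host names: {', '.join(hosts)}")
```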

11. Hooks ZwLoadDriver to prevent the IceSword driver from loading.

Appendix: removal method
Use Kingsoft (Jinshan) Cleaning Expert to remove rogue software 8749.
