Virus symptoms:
The sample is a downloader written in VC++. It is 22,528 bytes long, uses the "exe" extension, and spreads through file bundling, webpage Trojans, and downloads. The main purpose of this virus is to download further Trojans. If your computer is infected, symptoms include error messages, abnormal network access, and unknown processes.
Infected objects:
Windows 2000/Windows XP/Windows 2003/Windows Vista/Windows 7
Communication channels:
File bundle, webpage Trojan, download
Virus analysis:
1. The virus creates a mutex named "ACDTEST ......", mainly to prevent more than one instance of itself from running.
2. The virus obtains the system directory path and compares "C:\WINDOWS\System32\userinit.exe" with itself to decide whether to inject into that process. If the injection succeeds, it runs "C:\WINDOWS\assumer.exe" to open the application.
3. If the injection fails, the virus raises its own privileges to "SeDebugPrivilege" and creates or modifies the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: Kav
Data: C:\WINDOWS\System32\kav.exe
This makes the virus start automatically with the system.
4. The virus creates a thread that downloads a hosts file from a specified website, replaces the local hosts file with it, and sets the hosts file's system and hidden attributes, in order to block the following security software,
In addition, the operating system version, NIC address, and host name are sent to the website specified by the attacker.
5. The virus obtains the temporary file path, creates %Temp%\ope1.tmp in that directory, downloads a large number of Trojans from the specified URL into the temporary file and runs them, and then deletes them from the directory.
Virus File Creation:
%SystemRoot%\system32\drivers\etc\hosts
%Temp%\ope1.tmp
Registry entries created by the virus:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: Kav
Data: C:\WINDOWS\System32\kav.exe
Network addresses accessed by the virus:
http://360cnfuck.*****.info:9550/10825 host/1002.txt
http://www.*****.info:3352/count.aspx
http://360cnfuck.*****.info:9550/id/ud.txt
Manual solution:
Manually delete files
1. Delete %Temp%\ope1.tmp
2. Delete the virus source program
3. Import a correct hosts file
Manually delete the registry entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: Kav
Data: C:\WINDOWS\System32\kav.exe
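The manual removal steps above, as an added example that is not part of the original report: a PowerShell script that audits a machine for the indicators described in this analysis (the "Kav" Run value, %Temp%\ope1.tmp, System32\kav.exe, and a hosts file marked hidden and system) and, with -Remediate, removes them. The -CleanHostsPath parameter is an assumption, not something from the report; it points at a known-good hosts file to restore.

```powershell
# Added example, not from the original report: audit a host for the indicators
# described above and clean them when -Remediate is given.
# -CleanHostsPath is an assumption: path to a known-good hosts file to restore.
param(
    [switch]$Remediate,
    [string]$CleanHostsPath
)

$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runName = 'Kav'
$tmpFile = Join-Path $env:TEMP 'ope1.tmp'
$kavExe  = Join-Path $env:SystemRoot 'System32\kav.exe'
$hosts   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$findings = @()

# 1. Persistence: Run value "Kav" (the report gives C:\WINDOWS\System32\kav.exe as its data)
$val = (Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue).$runName
if ($val) {
    $findings += "Run value '$runName' -> $val"
    if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $runName }
}

# 2. Dropped files: the temp stager and the copy launched from the Run value
foreach ($f in @($tmpFile, $kavExe)) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File present: $f"
        if ($Remediate) {
            Get-Process -Name 'kav' -ErrorAction SilentlyContinue | Stop-Process -Force
            Remove-Item -LiteralPath $f -Force
        }
    }
}

# 3. hosts file: the sample replaces it and sets Hidden+System so the change is easy to miss
$h = Get-Item -LiteralPath $hosts -Force
if ($h.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
    $h.Attributes.HasFlag([IO.FileAttributes]::System)) {
    $findings += "hosts file is Hidden+System ($($h.Attributes))"
    if ($Remediate) {
        $h.Attributes = [IO.FileAttributes]::Normal
        Copy-Item -LiteralPath $hosts -Destination "$hosts.quarantine" -Force  # keep a copy for analysis
        if ($CleanHostsPath) { Copy-Item -LiteralPath $CleanHostsPath -Destination $hosts -Force }
    }
}

if ($findings.Count -eq 0) { Write-Output '[+] No indicators of this sample found' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

Run it from an elevated prompt without -Remediate first to see what it finds; the quarantined hosts copy preserves the attacker-supplied redirections for later review.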
Variable definitions:
%SystemDrive%: system partition, usually "C:\"
%SystemRoot%: Windows directory, usually "C:\Windows"
%Documents and Settings%: user document directory, usually "C:\Documents and Settings"
%Temp%: temporary folder, usually "C:\Documents and Settings\<current user name>\Local Settings\Temp"
%ProgramFiles%: default program installation directory, usually "C:\Program Files"