Trojan downloader: the Auto virus group returns (special-kill tool upgraded to version 1.4 on April 15) _ Virus removal

Source: Internet
Author: User
The following is an analysis of the latest variant of the Auto virus, the most rampant sample of the past two days:

I. Behavior overview
The EXE is a virus downloader. It will:
1) Read the volume serial number of the system C: drive and derive from it the service name and the EXE and DLL file names.
2) Place the Auto virus's autorun.inf and a copy of itself, Auto.exe, in the root of every drive, and set the system and hidden attributes on both.
3) Place a copy of itself as "<random name>.exe" in System32, drop "<random name>.dll" next to it, and give both the hidden attribute so that they pass as system files.
4) Modify the registry value that controls the "show hidden files" option so that the option disappears and users cannot see the hidden virus files.
5) Modify the registry to register itself as a service that starts at boot.
6) Search the registry startup entries for any key value containing the string "360", delete it and close the program with NTSD; search for a window whose title contains "Kingsoft Antivirus" (Jinshan Duba) and close it with simulated user input; check whether the Kaspersky process AVP.EXE is running and, if so, change the system time so that Kaspersky stops working.
7) Download other viruses according to a file list fetched from a website.
8) Delete registry information left behind by earlier versions of the virus.
9) Remotely inject "<random name>.dll" into every process on the system, including system processes.

II. Execution process
1. Read the C: volume serial number and use it to compute the 8-character random service name and the EXE and DLL file names. (Remember AV Terminator? It was the first to appear with random 8-character EXE file names.)
2. Check whether the current file name is Auto.exe; if it is, call ShellExecuteA to have Explorer.exe open the drive, so that the double-click behaves as the user expects.
3. Anti-virus software:
Search the registry startup entries for a key value containing the string "360" and delete it, so that 360 no longer starts automatically; then close any 360 program that is already running.
Check whether the Kaspersky process AVP.EXE is running; if so, modify the system time, so that Kaspersky, which relies on the system time for activation and updates, stops working.
The virus also tries to close Kingsoft Antivirus: it looks for the monitor's prompt window "Kavstart" and, once found, sends it a close message with PostMessageA; it then uses FindWindowExA to search for a "Kingsoft Antivirus" window, sends it a close message with SendMessageA, and simulates a user mouse click to close it. In testing, however, none of these methods managed to close Kingsoft Antivirus.

4. Compare the current run path with the random-name path under System32; if the virus is not running from there, copy itself to System32 under that name.

5. Inject the DLL into system processes, then drop Det.bat, run it and delete itself.

6. The injected virus code loops inside explorer.exe or Winlogon.exe, waiting and using the host process's address space to run, so that it operates covertly.

7. Check whether any startup entry contains the string "360" and delete it; obtain SeDebugPrivilege and close the program with NTSD; search for a window whose title contains "Kingsoft Antivirus" and close it with simulated user input.

8. Tamper with the registry data that controls folder display state, removing the "show hidden files" option.

9. Look for registry information left behind by older versions of the virus and delete it, to make upgrading easier.

10. Download the virus list from the address specified by the virus author (http://33.xi***id*8.cn/soft/update.txt), then download the viruses it names one at a time, deleting each one after it has run before downloading the next.

Among the files it downloads are Trojans, its own upgrade files, an internationally known brand of network voice-chat software, and 17 account-stealing Trojans targeting different well-known online games; some of these Trojans have download capabilities of their own. If they all get onto the computer, the damage will be incalculable.

11. Besides stealing from the infected machine, the virus drops its Auto virus files, Auto.exe and Autorun.inf, into every partition; Autorun.inf points to Auto.exe. As soon as the user double-clicks an infected drive, the virus runs immediately, searches all disks including USB flash drives and other removable storage, and infects any disk it finds uninfected, extending its range.
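As an added example (not code from the post or from any vendor tool), here is how a responder can recognise the two artefacts described above: an autorun.inf whose launch keys point at Auto.exe, and a file in System32 whose name is 8 random alphanumeric characters and which carries the hidden attribute. The [autorun] keys open, shellexecute and shell\open\command are the ones Windows Explorer honours; the autorun.inf text and the file names are constructed for this example.

```python
"""Triage helpers for the Auto virus pattern (added example)."""
import re

# [autorun] keys that make Explorer run a program on double-click
# (open, shellexecute) or through the default "Open" verb.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
RUNNABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr")

# Win32 file attribute bits (FILE_ATTRIBUTE_*).
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
FILE_ATTRIBUTE_ARCHIVE = 0x20


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Explorer's INI parser is case-insensitive and ignores whitespace
    around '='; lines outside [autorun] are ignored.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launch_targets(text):
    """List (key, program) pairs for every launch key that names a program."""
    entries = parse_autorun(text)
    targets = []
    for key in LAUNCH_KEYS:
        value = entries.get(key, "")
        if not value:
            continue
        program = value.split()[0].strip('"')   # drop any arguments
        if program.lower().endswith(RUNNABLE_EXT):
            targets.append((key, program))
    return targets


RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{8}\.(exe|dll)$", re.IGNORECASE)


def suspicious_system32_file(filename, attributes):
    """Flag an 8-character .exe/.dll that is also hidden.

    The name pattern alone is not enough (kernel32.dll has 8 characters
    too); the post's distinguishing mark is the hidden attribute on a
    randomly named file, so both conditions are required.
    """
    return bool(RANDOM_NAME.match(filename)) and bool(attributes & FILE_ATTRIBUTE_HIDDEN)


# Constructed sample modelled on the post's description, not a real capture.
SAMPLE_AUTORUN = """[AutoRun]
open=Auto.exe
shellexecute=Auto.exe
shell\\open\\Command=Auto.exe
shell\\open\\Default=1
"""

if __name__ == "__main__":
    for key, program in autorun_launch_targets(SAMPLE_AUTORUN):
        print(f"autorun.inf launches {program} via {key}")
    # Hypothetical random name versus a genuine system DLL.
    print(suspicious_system32_file("kd7aq2xm.dll", FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))
    print(suspicious_system32_file("kernel32.dll", FILE_ATTRIBUTE_ARCHIVE))
```

On a live machine the attribute mask comes from os.stat(path).st_file_attributes (Windows only); the parser itself works on the text of any autorun.inf copied off a drive.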

III. Removal method
Because the virus DLL is remotely injected into all processes, including system processes, deleting the files directly does not clean it up completely. You must delete the DLL and remove the service together, then reboot and finish the cleanup at startup: the virus needs considerable time to go through its startup transition and cannot load the DLL immediately at boot, so this is the best moment to purge it.

Users are advised to use Kingsoft Cleanup Expert, adding the random 8-character DLL and EXE to the file shredder's delete list so that the files are removed once and for all. After the reboot, repair the remaining registry entries.
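The following added example (not the Kingsoft tool's code) shows the removal order in Python: schedule the random-name files for deletion at the next boot with MoveFileEx and the MOVEFILE_DELAY_UNTIL_REBOOT flag, which Windows records under PendingFileRenameOperations and processes before any service starts, so the DLL is gone before anything could map it again; then remove the service and restore the hidden-file option. The service and file names are hypothetical placeholders for the 8-character random names. The post does not name the exact registry values the virus tampers with; the ones restored here are the values this virus family usually targets and are an assumption for this variant.

```python
"""Removal order for the Auto virus dropper (added example)."""
import subprocess
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # MoveFileExW flag: act at next boot


def pending_delete_entries(paths):
    r"""Build the REG_MULTI_SZ that Windows writes to
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
    for MoveFileExW(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT): each source in
    NT path form ("\??\" prefix) followed by an empty string, which means
    "delete". Session Manager applies the list during boot, before the
    service control manager starts any service.
    """
    entries = []
    for path in paths:
        entries.append("\\??\\" + path)
        entries.append("")
    return entries


def schedule_delete_on_reboot(path):
    """Windows only: ask the kernel to delete `path` at the next boot."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = (wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD)
    k32.MoveFileExW.restype = wintypes.BOOL
    if not k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


def remove_service(name):
    """Stop and delete the service that would relaunch the dropper (needs admin)."""
    subprocess.run(["sc", "stop", name], check=False)   # may already be stopped
    subprocess.run(["sc", "delete", name], check=True)


def restore_hidden_files_option():
    """Restore the values behind "Show hidden files and folders".

    Assumption for this variant: the family usually sets SHOWALL\CheckedValue
    to 0 (or deletes / retypes it) so the radio button has no effect, and
    flips the per-user Hidden / ShowSuperHidden values.
    """
    import winreg
    showall = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, showall) as key:
        winreg.SetValueEx(key, "CheckedValue", 0, winreg.REG_DWORD, 1)
    advanced = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    with winreg.CreateKey(winreg.HKEY_CURRENT_USER, advanced) as key:
        winreg.SetValueEx(key, "Hidden", 0, winreg.REG_DWORD, 1)           # 1 = show hidden files
        winreg.SetValueEx(key, "ShowSuperHidden", 0, winreg.REG_DWORD, 1)  # show protected OS files


def clean(service_name, dropper_paths):
    """Order matters: deleting the DLL now fails because it is mapped into
    every process, so queue the deletions for boot, then remove the service
    so nothing recreates the files, then repair the registry, then reboot."""
    for path in dropper_paths:
        schedule_delete_on_reboot(path)
    remove_service(service_name)
    restore_hidden_files_option()


if __name__ == "__main__":
    # Hypothetical random name; replace with the names found on the machine.
    files = [r"C:\WINDOWS\system32\kd7aq2xm.exe", r"C:\WINDOWS\system32\kd7aq2xm.dll"]
    if sys.platform == "win32":
        clean("kd7aq2xm", files)
        print("scheduled for deletion at next boot; reboot now")
    else:
        print(pending_delete_entries(files))
```

Run it from an elevated prompt; the queued entries can be confirmed afterwards in the PendingFileRenameOperations value before rebooting, and the Auto.exe/Autorun.inf copies in each drive root still have to be removed separately once the hidden attribute is visible again.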

IV. Auto virus special-kill tool

Download address: http://bbs.duba.net/attachment.php?aid=16127097
Features of the Auto Trojan group special-kill 1.4:

1. Handling of image hijacking
2. Handling of the msosxxx virus, which greys out the Kingsoft Antivirus monitor
3. Handling of the downloaders in the Auto Trojan group
4. Handling of AppInit_DLLs
5. Handling of hooks

The Auto Trojan group special-kill cannot replace the "Disk Drive/Robot Dog/AV Terminator special-kill"; if the special-kill gets closed, run the "Disk Drive/Robot Dog/AV Terminator special-kill" first.

That special-kill tool can also remove the Robot Dog/AV Terminator/8749 viruses, repair "image hijacking", repair Autorun.inf and fix Safe Mode. After using it, run a full scan with Kingsoft Antivirus.
Download address: http://www.duba.net/zhuansha/259.shtml
