The sample is a Delphi program packed with the MEW 1.x packer in an attempt to evade signature scanning. It is 67,908 bytes long, uses the default Windows icon and the EXE extension, and spreads mainly through drive-by download web pages, file bundling, and hacker attacks.
Virus analysis
When activated, the sample drops the file Systen.dll into the %SystemRoot%\System32 directory and the file 451062.dll (the file name is a 6- or 7-digit random number) into the %SystemRoot% directory, then runs a batch file to delete itself;
Adds a registry key value that injects systen.dll into the Winlogon process and captures mouse and keyboard events;
Connects to a remote network to download other viruses;
Communicates with the attacker and accepts remote control commands.
Technical details
Registry entries added by the virus:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bits
Value name: DllName
Points to file: %systemroot%\system32\systen.dll
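A Winlogon Notify package is a DLL that winlogon.exe loads on logon events, which is how the DllName value above gets systen.dll into the Winlogon process. As an added defender-side check (example code, not part of the original advisory), the script below parses the output of `reg query "HKLM\...\Winlogon\Notify" /s`, compares every package against a baseline, and flags unknown subkeys such as "bits" or a DllName that deviates from the expected file. The baseline contents and the sample `reg query` output are assumptions constructed for the example.

```python
import re

# Baseline of the Winlogon Notify packages that ship with Windows XP/2003
# (subkey name -> expected DllName basename). This list is an assumption for
# the example; build a real one from a known-clean machine of the same build.
BASELINE = {"crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll",
            "cscdll": "cscdll.dll", "sclgntfy": "sclgntfy.dll",
            "sccertprop": "wlnotify.dll", "schedule": "wlnotify.dll",
            "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll",
            "wlballoon": "wlnotify.dll"}
NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

def parse_reg_query(text):
    """Parse `reg query "<Notify key>" /s` output into {subkey: {value name: data}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith(NOTIFY_ROOT + "\\"):  # subkey header line
            current = line[len(NOTIFY_ROOT) + 1:].strip()
            entries[current] = {}
        elif current is not None and line.startswith("    "):  # "    Name    REG_SZ    Data"
            parts = re.split(r"\s{2,}", line.strip())
            if len(parts) == 3:
                entries[current][parts[0]] = parts[2]
    return entries

def find_suspicious(text):
    """Return (subkey, DllName, reason) for packages that deviate from the baseline."""
    findings = []
    for subkey, values in parse_reg_query(text).items():
        dll = values.get("DllName", "")
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        expected = BASELINE.get(subkey.lower())
        if expected is None:
            findings.append((subkey, dll, "unknown notify package"))
        elif basename != expected:
            findings.append((subkey, dll, "DllName differs from baseline " + expected))
    return findings

# Constructed sample of `reg query /s` output: two Windows defaults plus the
# "bits" package this advisory describes ("systen.dll" masquerades as a system file).
SAMPLE = f"""
{NOTIFY_ROOT}\\bits
    DllName    REG_SZ    %systemroot%\\system32\\systen.dll

{NOTIFY_ROOT}\\sclgntfy
    DllName    REG_SZ    sclgntfy.dll

{NOTIFY_ROOT}\\wlballoon
    DllName    REG_SZ    wlnotify.dll
"""
```

Run `find_suspicious(SAMPLE)` to see the single finding for the "bits" package; on a live machine, feed it the captured `reg query` output instead of SAMPLE.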
Security Tips
Users who have installed Micropoint Active Defense software are protected automatically, without any configuration, from intrusion and damage by this virus. Micropoint Active Defense can remove the virus whether or not it has been upgraded to the latest version. If you have not upgraded Micropoint Active Defense to the latest version, it will alert you to "Discover unknown spyware" when it detects the virus; select removal directly.
If you have already upgraded Micropoint Active Defense to the latest version, it will alert you that it has found "TROJAN-SPY.WIN32.AGENT.CFU"; select Delete directly.
For users who do not use Micropoint Active Defense, Micropoint's antivirus experts recommend:
1. Do not download and install unofficial versions of software from unknown sites, to prevent the virus from entering your system through bundling.
2. Upgrade your anti-virus software's signature database to the latest version as soon as possible and run a scan, and enable the firewall to block abnormal network access; if anything unusual persists, contact a professional security software vendor promptly for technical support.
3. Enable Windows Automatic Updates and apply patches promptly.