Virus parsing and clearing solution for "ENI" (ANI)

 
Edit Comment: A worm with the ANI vulnerability is very active (it has been named "ini" by the National Computer Virus emergency response center "). For a time, the media rushed to report that many users were also involved, but everyone was confused. I don't know what to do after the virus was infected? Although there are a lot of articles about the virus on the Internet, most of them are stuck in the introduction of the virus stage. Even if there are only a few simple statements about the solution, the users infected with the virus will only get a cup of water.
--------------------------------------------------------------------------------

Li tiejun, anti-virus engineer of Kingsoft drug overlord, described in detail the prevention and solution of the virus in his blog, hoping to help users who have already been infected with the virus!
The following describes the "ENI" (ANI) Worm.
Virus name: Aini (alias, Mai Ying, ANI worm)
English name: MyInfect. af/DlOnlineGames/Trojan-Downloader.Win32.Agent.bky
Technical analysis:
1. Release the virus file to the following path:
%System1_sysload3.exe

2. Modify the registry and add the following key values:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
"System Boot Check" = "C: WINDOWSsystem32sysload3.exe"

3. Start the IE process, inject virus code, connect to the network to download a large number of viruses and Trojans, and download updates when new versions of viruses are detected.
4. send an email to spread itself:
Theme: WHO and you were taken during the video? Laugh at you!
Content: Look at your look! I think you are famous!
Look at this address! Your face is so clear! You have become a star!

5. The notepadprocess starts, the network shared directory, and the. exe file with the infection extension of. ASP,. JSP, PHP, HTM, ASPX, and HTML are infected, making the virus hard to detect.
6. Modify the host file to block access to some websites.
7、detects soft drive. If a virus file exists, it is copied to its file named tool.exe and the autorun. inf file is generated so that the virus can run automatically to spread itself.
This should be a virus compilation BUG. At present, the software drive has been basically eliminated. If you find the following prompt box, you may be in the "love you" virus.
Clear steps:
1. there are many Trojans and viruses that exploit the ANI vulnerability, and there are also many variants of the Aini virus. Moreover, Aini is an infected worm that can infect files that destroy the EXE program and webpage format, first, we recommend that you use anti-virus software.
2. manually check and kill the process of notepad.exeand iexplore.exe first
3. Delete the virus startup Item:
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun]
"System Boot Check" = "Your system=sysbmw.exe"

4. Delete the referenced virus file:
%System1_sysbmw.exe
% System % sys_ini.ini

Protection measures:
1. Do not click any links sent via MSN, QQ, or email.
2. Pay attention to the vulnerability patch information released by Microsoft. Please download and install it immediately after the vulnerability is released.
3. Upgrade anti-virus software. At present, Kingsoft drug overlord has upgraded to provide an immune program for the ANI vulnerability itself and the Aini worm, which can effectively prevent such virus infection when accessing the Internet.
Appendix: how to deal with the virus crisis caused by the ANI vulnerability?
Last week, Kingsoft anti-virus Center found that some websites spread Trojans by exploiting the Windows animation cursor (ANI) File Vulnerability. These Trojans generally aim at hacking. Microsoft has not released a patch for this vulnerability. At the same time, the Internet has used this vulnerability as a web Trojan generator.
The hosts file also downloads other Trojans and virus programs. virus transmission over the LAN may cause a large area of paralysis on the Intranet. Even more seriously, the spread of Microsoft animation cursor (ANI) vulnerability has not spared the Vista system, which is hard-working in terms of security, users who browse Web pages or emails with malicious code will immediately be infected with the virus. The Kingsoft anti-virus Center has provided immunization programs for the risk of this vulnerability. According to the latest statistics, the immune device successfully prevented more than 30 thousand attacks within one day.
Vulnerability performance:
When you access a webpage with viruses, you may feel that the IE window is slow, and sometimes the IE window loses response. Some anti-virus software reports Trojans or viruses. However, this phenomenon may only be noticed by a few users, but most users do not feel obvious.
Affected Operating Systems:
Windows 2000
In Windows XP 32/64
Windows 2003 32/64
Windows Vista 32/64

Affected browsers:
IE6, IE7, Firefox, and Opera

Other affected applications:
QQ, MSN, email client, AcdSee, RSS reader

Clear method:
This vulnerability can be exploited to spread a large number of Trojans and viruses. Moreover, the "ini" worm will also infect executable programs, making it more difficult to manually scan and kill. Likewise, because of the large number of such viruses, Kingsoft anti-virus center will not provide exclusive killing tools for this vulnerability. We recommend that you install Kingsoft drug overlord and immediately upgrade it to the latest virus database to clear viruses and Trojans that are known to be exploited by this vulnerability. Once an enterprise user discovers the "ENI" virus on the Intranet, they should immediately scan and kill the virus on the entire network. Kingsoft's emergency update in April 3 also provided the immune function against the "ini" worm, which can prevent the spread of these worms through other channels.
How does ANI vulnerability immunity work?
The ANI vulnerability immune function intercepts harmful ANI files immediately when they are downloaded to the local device, and does not give ie a chance to load the ANI file, thus avoiding attacks by exploiting the ANI vulnerability.
The immune function of the Aini virus is an immune program specially developed by the drug overlord for the "Aini" worm virus, because the Aini virus has similar transmission characteristics as the pandatv incense, after the anti-virus function of the drug overlord is enabled, it can prevent the spread of the "ENI" worm through other channels.
Preventive measures:
1. Microsoft has not released any patch for this vulnerability. We recommend that you install anti-virus software immediately and upgrade it to the latest version to reduce security risks.
2. KingSoft Antivirus stand-alone and enterprise clients have integrated the immune function for the animation cursor (ANI) vulnerability. After the upgrade, you can prevent downloading Trojans and virus programs that exploit this vulnerability.
3. currently, this vulnerability affects almost all Internet browsers, and insecure web browsing can be poisoned. At present, some websites have been found to be implanted with special ANI files containing the animation cursor vulnerability. Remind the majority of netizens and friends not to easily click links sent through QQ, MSN, email, and other web pages.
4. remind the webpage editor to immediately Use anti-virus software to check the local webpage files and clear the virus code embedded in the webpage due to the damage caused by the "ini" virus, prevent other netizens from visiting the webpage with viruses and getting poisoned again and again.