Virus practice: a drive-ejecting virus that impersonates folders

Source: Internet
Author: User

Recently a user reported that their computer had frozen: nothing but the mouse pointer could be moved, and almost none of the keyboard shortcuts worked (only the one for "Task Manager" still responded). Strangest of all, the optical drive tray kept ejecting on its own.

There used to be a virus called "Crazy Optical Drive", but that one works on a timer, ejecting the drive once every minute, which does not match the behavior seen here.

After restarting the computer and entering the user name and password to log on, the desktop appeared and the same symptoms returned. The screen flashed at that moment, which is presumably when the virus is loaded.

At this point we have a basic picture of the virus's attack characteristics and can make a preliminary judgment; there are two possibilities:

1. The virus is registered as a Windows service that is loaded at startup, so every user who logs on to this machine is affected.

2. The virus is launched from a key it wrote under the user's own part of the Registry, so only that single user is affected. This is the more likely case.

Log on with a different account and wait several minutes: there is no sign of the virus. This supports the second judgment, that the virus is tied to the original user's profile rather than to the machine.


Select the process and end it; the computer returns to its former calm. The first stage of the cleanup is successful.

Next, find where the virus hides. Run "msconfig" to open the System Configuration utility and select the "Startup" tab. There it is: the now-familiar process name systrsy.exe appears again. What does that mean? Killing the process in Task Manager only stops it until the next logon, because the startup entry launches it again, so the virus must be disabled here: this step, clearing the check box in front of systrsy, is the key to the removal. Once it is done the virus is essentially neutralized. To be safe, go to the "C: Program FilesInternet assumer.exe" directory, locate systrsy.exe, and delete it.

The virus body is dealt with, but it did not appear out of nowhere; there must be a source of infection, so keep searching. Set the date filter and search for all files modified today. Analysis pins it down to an Autorun.inf file in "C: Program Files:", with the following content:

(Autorun)

Opentracing new file folder .exe

So it is another Autorun virus. Searching for "create folder. EXE" finally turns it up on drive D, disguised as a folder. Delete it. With that the virus is completely removed and the optical drive works normally again.
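As an added example (not code from the original article), here is a small Python check a defender can run over Autorun.inf files copied off a drive: it parses the [autorun] section and flags open=, shellexecute= and shell\...\command= targets that are executables named like folders, including the padded "Name .exe" trick seen above. The sample file and the folder listing are constructed for the demonstration.

```python
import re

COMMAND_KEYS = {"open", "shellexecute"}  # [autorun] keys that launch a program
EXE_RE = re.compile(r'"?(.+?\.(?:exe|com|bat|cmd|scr|pif|vbs|js))"?(?:\s|$)', re.I)

# Constructed sample modelled on the article's file (not the real one): the launch
# target is an executable named like a folder, with a space padded in before ".exe".
SAMPLE_AUTORUN_INF = """[AutoRun]
open=New Folder .exe
shell\\open\\command=New Folder .exe
icon=New Folder .exe
"""
SAMPLE_FOLDERS = ["New Folder", "Photos"]  # constructed listing of the drive root

def parse_autorun(text):
    """Minimal INI parser: {section_lower: [(key_lower, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def _launches_program(key):
    # open=, shellexecute= and shell\<verb>\command= all run a program on AutoPlay
    return key in COMMAND_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))

def analyze_autorun(text, folder_names=()):
    """Report [autorun] entries that launch an executable disguised as a folder."""
    folders = {f.lower() for f in folder_names}
    findings = []
    for key, value in parse_autorun(text).get("autorun", []):
        match = EXE_RE.match(value) if _launches_program(key) else None
        if not match:
            continue  # label=, icon= etc. launch nothing; non-executable targets skipped
        program = match.group(1)
        stem, ext = program.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)
        reasons = [f"{key}= launches a .{ext.lower()} file"]
        if stem != stem.rstrip():  # "New Folder .exe": padding hides the extension in Explorer
            reasons.append("whitespace padded in before the extension")
        if stem.strip().lower() in folders:
            reasons.append(f"a real folder named {stem.strip()!r} exists beside it")
        findings.append({"key": key, "target": program, "reasons": reasons})
    return findings
```

Call analyze_autorun(SAMPLE_AUTORUN_INF, SAMPLE_FOLDERS) to see both launch keys reported with all three reasons; a benign file with only icon= and label= produces no findings.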
