What is the Worm.zorin.a virus?

Source: Internet
Author: User
Tags: win32 microsoft frontpage firewall

Net-Worm.Win32.Zorin.a is a worm that infects executable files. It terminates Kingsoft (Jinshan) AntiVirus, Kingsoft NetShield, Skynet Firewall and other security software, greatly reducing the security of the user's machine. The worm drops a DLL file and injects it into the EXPLORER.EXE process. It also modifies the hosts file so that many commonly used websites are redirected to a specified URL, which may expose the user to further malware.

Summary

Virus alias: NET-WORM.WIN32.ZORIN.A[AVP]

Threat Level: ★

Chinese name:

Virus type: Worm

Affected systems: WIN9X/WINNT

Virus behavior:

The worm copies itself to writable network disks and infects more computers in the local area network by guessing passwords. It also infects EXE files on all disks of the local computer, except for files in some common directories such as System, System32, Windows, Documents and Settings, System Volume Information, and so on.

Virus infection Process

Registry modifications

Drops the DLL file VirDLL.dll (detected as WORM.LOGO.D) into the current directory and injects it into the EXPLORER.EXE process (remote DLL injection).

Adds the following registry value (the backslashes inside the subkey path did not survive extraction; only the hive and the SOFTWARE root are certain):

HKEY_LOCAL_MACHINE\SOFTWARE\softdownloadwww

"Auto" = "1"

Searches for windows with the following names and window classes (window title / window class) and closes them:

RavMon.exe / RavMonClass

Skynet Firewall Personal Edition / TApplication

Skynet Firewall Enterprise Edition / TForm1

Phage / Tflockdownmain

Terminates the following processes:

EGHOST.EXE

MAILMON.EXE

KAVPFW.EXE

KWatchUI.EXE

IPARMOR.EXE

Uninstalls Password Anti-Theft Expert (comprehensive edition).

Modified content

Modifies the hosts file (%SystemRoot%\system32\drivers\etc\hosts) to redirect many commonly used websites to a specific address. The worm appends the following entries to the end of the hosts file:

66.197.186.149 www.hinet.net
66.197.186.149 www.pchome.com.tw
66.197.186.149 www.msn.com.tw
66.197.186.149 www.yam.com
66.197.186.149 www.google.com.tw
66.197.186.149 www.gamer.com.tw
66.197.186.149 www.taiwankiss.com
66.197.186.149 www.sina.com.tw
66.197.186.149 www.so-net.net.tw
66.197.186.149 www.uhome.net
66.197.186.149 www.gamania.com
66.197.186.149 www.104.com.tw
66.197.186.149 www.tp.edu.tw
66.197.186.149 www.seed.net.tw
66.197.186.149 www.tw18.com
66.197.186.149 www.gamebase.com.tw
66.197.186.149 www.hello.com.tw
66.197.186.149 www.taiwandns.com
66.197.186.149 www.ithome.com.tw
66.197.186.149 www.cartoonnetwork.com.tw
66.197.186.149 bubble.com.tw
66.197.186.149 tw.ebay.com
66.197.186.149 www.microsoft.com
66.197.186.149 www.oc-gamer.com
66.197.186.149 www.igame.com.tw
66.197.186.149 www.funtown.com.tw
66.197.186.149 www.softstar.com.tw
66.197.186.149 service.gamania.com
66.197.186.149 www.gamezone.idv.tw
66.197.186.149 www.ggame.com.tw
66.197.186.149 www.gamestation.com.tw
66.197.186.149 www.lineage2.com.tw
66.197.186.149 tw.games.yahoo.com
66.197.186.149 www.iogc.com.tw
66.197.186.149 www.transakt.com.tw
66.197.186.149 www.softking.com.tw
66.197.186.149 groups.msn.com
66.197.186.149 www.mofa.com.tw
66.197.186.149 dir.pchome.com.tw
66.197.186.149 www.sa.game.tw
66.197.186.149 www.books.com.tw
66.197.186.149 www.gamemaster.com
66.197.186.149 www.newspace.com.tw
66.197.186.149 www.e-box.net.tw
66.197.186.149 gnn.gamer.com.tw
66.197.186.149 pc.gamebase.com.tw
66.197.186.149 twbbs.net.tw
66.197.186.149 www.twindex.com.tw
66.197.186.149 www.t2t.com.tw
66.197.186.149 www.girl-tw.com
66.197.186.149 www.sogi.com.tw
66.197.186.149 hdvd.com.tw
66.197.186.149 cgi.tw.ebay.com
66.197.186.149 movie.kingnet.com.tw
66.197.186.149 www.atmovies.com.tw
66.197.186.149 www.movie.com.tw
66.197.186.149 www.kokoro.com.tw
66.197.186.149 www.twgirls.net
66.197.186.149 bbs.vips.com.tw
66.197.186.149 www.symantec.com
66.197.186.149 www.symantec.com.tw
66.197.186.149 liveupdate.symantecliveupdate.com
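The hosts-file tampering above is the easiest artifact to check for during triage, because the worm uses a single redirect address for every entry and also hijacks the vendor update hostnames. The following is an added example (not code from the advisory or from any vendor tool) that parses a hosts file, flags entries pointing at the redirect address listed above or mapping a Symantec update host to anything other than loopback, and produces a cleaned copy with every other line left untouched. The sample hosts content is constructed, and the "vendor-host-hijack" rule is an assumption added here rather than something the advisory states.

```python
"""Triage a Windows hosts file for the Worm.Zorin.A redirect entries."""
import ipaddress

# Redirect address the worm writes into the hosts file (from the advisory).
ZORIN_REDIRECT_IP = "66.197.186.149"

# Addresses that are normal for hosts-file entries on a workstation.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Security-vendor hostnames the worm points at its redirect address (from the
# advisory's list). Mapping any of these to a non-loopback address blocks
# signature updates, so such a line is flagged even if the address differs.
VENDOR_HOSTS = {
    "www.symantec.com",
    "www.symantec.com.tw",
    "liveupdate.symantecliveupdate.com",
}


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each active hosts entry.

    Comments (everything after '#') and blank lines are ignored; a line whose
    first token is not an IP address is treated as malformed and skipped.
    """
    for no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        # Hostnames are case-insensitive; normalise for matching.
        yield no, parts[0], [h.lower() for h in parts[1:]]


def triage_hosts(text):
    """Return (findings, cleaned_text).

    findings: one dict per suspicious entry (line number, reason, hostnames).
    cleaned_text: the hosts file with the flagged lines removed; all other
    lines, including comments and their order, are preserved verbatim.
    """
    findings = []
    drop = set()
    for no, addr, names in parse_hosts(text):
        if addr == ZORIN_REDIRECT_IP:
            findings.append({"line": no, "reason": "zorin-redirect-ip", "hosts": names})
            drop.add(no)
        elif addr not in LOOPBACK and VENDOR_HOSTS.intersection(names):
            findings.append({"line": no, "reason": "vendor-host-hijack", "hosts": names})
            drop.add(no)
    kept = [raw for i, raw in enumerate(text.splitlines(), start=1) if i not in drop]
    cleaned = "\n".join(kept)
    if text.endswith("\n"):
        cleaned += "\n"
    return findings, cleaned


# Constructed sample hosts file: a stock header, two legitimate entries, three
# worm-style redirects (two taken from the advisory's list, one with a trailing
# comment and upper-case hostname) and a vendor host pointed elsewhere.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    intranet.example   # constructed, legitimate
66.197.186.149 www.google.com.tw
66.197.186.149 WWW.MICROSOFT.COM   # case differs, still the worm's entry
66.197.186.149 liveupdate.symantecliveupdate.com
10.0.0.5 www.symantec.com
"""

if __name__ == "__main__":
    found, cleaned = triage_hosts(SAMPLE_HOSTS)
    for f in found:
        print(f"line {f['line']}: {f['reason']} -> {', '.join(f['hosts'])}")
    print("--- cleaned hosts file ---")
    print(cleaned, end="")
```

On a live machine the same function would be run over the contents of %SystemRoot%\system32\drivers\etc\hosts; the cleaned text is only written back after the worm's processes and the injected DLL have been dealt with, otherwise the entries are simply re-added.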

Copies itself to writable network disks to infect more machines, and attacks the IPC$ and ADMIN$ shares of computers in the local area network by guessing passwords.

Infects EXE files on all disks of the local computer, except for files in directories whose name contains one of the following strings:

System
System32
Windows
Documents and Settings
System Volume Information
Recycled
Winnt
Windows NT
WindowsUpdate
Windows Media Player
Outlook Express
Internet Explorer
ComPlus Applications
NetMeeting
Common Files
Messenger
Microsoft Office
InstallShield Installation Information
Msn
Microsoft Frontpage
Movie Maker
MSN Gaming Zone

The worm writes itself to the head of each infected file (a prepending infector).
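When responding to an infection, the exclusion list above tells you where the worm did not write, which lets you prioritise which executables to scan or restore first. The following is an added example (not code from the advisory) that models the worm's target rule as described: a file is a candidate if it has an .exe extension and no component of its directory path contains one of the excluded strings. The case-insensitive substring match and the treatment of the extension are assumptions about the rule's exact behaviour; the sample file listing is constructed.

```python
"""Model of Worm.Zorin.A's file-infection target rule for incident triage."""
from pathlib import PureWindowsPath

# Directory-name substrings the worm skips (taken from the advisory). The
# comparison is done case-insensitively on each directory component; note that
# plain substrings such as "system" or "msn" also exclude unrelated folders
# whose names happen to contain them, which is why the rule is conservative.
SKIPPED_DIR_SUBSTRINGS = (
    "system", "system32", "windows", "documents and settings",
    "system volume information", "recycled", "winnt", "windows nt",
    "windowsupdate", "windows media player", "outlook express",
    "internet explorer", "complus applications", "netmeeting",
    "common files", "messenger", "microsoft office",
    "installshield installation information", "msn",
    "microsoft frontpage", "movie maker", "msn gaming zone",
)


def skip_reason(path):
    """Return the excluded substring that protects this path, or None.

    Every directory component (drive root and UNC share prefix included) is
    tested in order against the substrings in list order, so the first match
    found is reported.
    """
    parent = PureWindowsPath(path).parent
    for component in parent.parts:
        lowered = component.lower()
        for needle in SKIPPED_DIR_SUBSTRINGS:
            if needle in lowered:
                return needle
    return None


def is_infection_candidate(path):
    """True if the worm's rule would have considered this file for infection.

    Assumption: the extension check is case-insensitive (Windows file names
    are), so PUTTY.EXE is treated the same as putty.exe.
    """
    if PureWindowsPath(path).suffix.lower() != ".exe":
        return False
    return skip_reason(path) is None


def triage_listing(paths):
    """Filter a file listing down to the executables the worm could have touched,
    preserving the input order so the result can be diffed against the listing."""
    return [p for p in paths if is_infection_candidate(p)]


# Constructed listing mixing protected system paths, ordinary program files,
# a non-executable and a file on a network share.
SAMPLE_LISTING = [
    r"C:\Windows\System32\calc.exe",                     # skipped: "windows"
    r"C:\Program Files\Internet Explorer\iexplore.exe",  # skipped: "internet explorer"
    r"C:\Program Files\Acme\acme.exe",                   # candidate
    r"D:\tools\putty.EXE",                               # candidate, upper-case extension
    r"C:\Program Files\Acme\readme.txt",                 # not an .exe
    r"C:\Documents and Settings\bob\Desktop\game.exe",   # skipped: "documents and settings"
    r"\\fileserver\share\setup.exe",                     # candidate on a network share
]

if __name__ == "__main__":
    for p in SAMPLE_LISTING:
        reason = skip_reason(p)
        status = "candidate" if is_infection_candidate(p) else f"skipped ({reason or 'not .exe'})"
        print(f"{status:40s} {p}")
```

The point of the network-share entry is the propagation behaviour described above: executables on writable shares fall inside the rule, so share contents need the same attention as local disks.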

Removal method

2. Add the following registry value (the backslashes inside the subkey path did not survive extraction; only the hive and the SOFTWARE root are certain):

HKEY_LOCAL_MACHINE\SOFTWARE\softdownloadwww

"Auto" = "0"

Use anti-virus software with the latest virus database to remove the worm.
