Net-Worm.Win32.Zorin.a is a worm that infects executable files. The worm terminates Kingsoft AntiVirus, Kingsoft NetDart, the Skynet Firewall and other security software, greatly weakening the protection on the user's machine. It drops a DLL file and injects it into the EXPLORER.EXE process. It also modifies the hosts file so that when the user visits many commonly used web sites, the request is redirected to an address chosen by the worm, which may expose the user to further malware.
Summary
Virus alias: Net-Worm.Win32.Zorin.a [AVP]
Threat level: ★
Chinese name:
Virus type: Worm
Affected systems: Win9x/WinNT
Virus behavior:
The worm copies itself to writable network shares and infects more computers on the local area network by guessing passwords. It also infects EXE files on all local disks, except for files under common system and application directories such as System, System32, Windows, Documents and Settings, System Volume Information and others (the full list is given below).
Infection process
Registry and process modifications
Drops the DLL file VirDLL.dll (detected as WORM.LOGO.D) in the current directory and injects it remotely into the EXPLORER.EXE process.
Adds the following registry value (the backslashes in the key path were lost in extraction; the subkey under Software is reproduced here as a single name):
HKEY_LOCAL_MACHINE\Software\softdownloadwww
"Auto" = "1"
Searches for windows with the following titles and window classes (title / class) and closes them:
RavMon.exe / Ravmonclass (Rising AntiVirus monitor)
Skynet Firewall Personal Edition / Tapplication
Skynet Firewall Enterprise Edition / TForm1
Phage / Tflockdownmain
Terminates the following processes:
EGhost.exe
MailMon.exe
KAVPFW.exe
KWatchUI.exe
IPArmor.exe
Uninstalls Password Anti-Theft Expert (comprehensive edition).
Hosts file modification
Modifies %SystemRoot%\system32\drivers\etc\hosts to redirect many commonly used web sites to a single address chosen by the worm. Note that the list includes www.microsoft.com and Symantec's LiveUpdate hosts, so an infected machine also loses access to patches and signature updates. The worm appends the following entries to the end of the hosts file:
66.197.186.149 www.hinet.net
66.197.186.149 www.pchome.com.tw
66.197.186.149 www.msn.com.tw
66.197.186.149 www.yam.com
66.197.186.149 www.google.com.tw
66.197.186.149 www.gamer.com.tw
66.197.186.149 www.taiwankiss.com
66.197.186.149 www.sina.com.tw
66.197.186.149 www.so-net.net.tw
66.197.186.149 www.uhome.net
66.197.186.149 www.gamania.com
66.197.186.149 www.104.com.tw
66.197.186.149 www.tp.edu.tw
66.197.186.149 www.seed.net.tw
66.197.186.149 www.tw18.com
66.197.186.149 www.gamebase.com.tw
66.197.186.149 www.hello.com.tw
66.197.186.149 www.taiwandns.com
66.197.186.149 www.ithome.com.tw
66.197.186.149 www.cartoonnetwork.com.tw
66.197.186.149 bubble.com.tw
66.197.186.149 tw.ebay.com
66.197.186.149 www.microsoft.com
66.197.186.149 www.oc-gamer.com
66.197.186.149 www.igame.com.tw
66.197.186.149 www.funtown.com.tw
66.197.186.149 www.softstar.com.tw
66.197.186.149 service.gamania.com
66.197.186.149 www.gamezone.idv.tw
66.197.186.149 www.ggame.com.tw
66.197.186.149 www.gamestation.com.tw
66.197.186.149 www.lineage2.com.tw
66.197.186.149 tw.games.yahoo.com
66.197.186.149 www.iogc.com.tw
66.197.186.149 www.transakt.com.tw
66.197.186.149 www.softking.com.tw
66.197.186.149 groups.msn.com
66.197.186.149 www.mofa.com.tw
66.197.186.149 dir.pchome.com.tw
66.197.186.149 www.sa.game.tw
66.197.186.149 www.books.com.tw
66.197.186.149 www.gamemaster.com
66.197.186.149 www.newspace.com.tw
66.197.186.149 www.e-box.net.tw
66.197.186.149 gnn.gamer.com.tw
66.197.186.149 pc.gamebase.com.tw
66.197.186.149 twbbs.net.tw
66.197.186.149 www.twindex.com.tw
66.197.186.149 www.t2t.com.tw
66.197.186.149 www.girl-tw.com
66.197.186.149 www.sogi.com.tw
66.197.186.149 hdvd.com.tw
66.197.186.149 cgi.tw.ebay.com
66.197.186.149 movie.kingnet.com.tw
66.197.186.149 www.atmovies.com.tw
66.197.186.149 www.movie.com.tw
66.197.186.149 www.kokoro.com.tw
66.197.186.149 www.twgirls.net
66.197.186.149 bbs.vips.com.tw
66.197.186.149 www.symantec.com
66.197.186.149 www.symantec.com.tw
66.197.186.149 liveupdate.symantecliveupdate.com
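The hosts entries above show the two tells of this kind of tampering: dozens of unrelated hostnames mapped to one routable address, and security-vendor or update domains among them. The following checker is an added example, not code from the original write-up or from the worm; it parses hosts-file text and reports both patterns. The hosts excerpt inside it is constructed for the example, and the domain watch list (SECURITY_DOMAINS) is an assumption rather than anything the worm uses.

```python
"""Hosts-file hijack finder (added example, not from the original write-up).

Parses hosts-file text and reports two things this worm's modification
exhibits: many distinct hostnames mapped to one non-loopback IP ("sinkhole"
pattern) and entries that override security-vendor or update domains. The
hosts text below is constructed for this example; the domain watch list is an
assumption, not the worm's own list.
"""
import ipaddress
import sys
from collections import defaultdict

# Assumed watch list: substrings of domains a benign hosts file should never remap.
SECURITY_DOMAINS = ("symantec", "liveupdate", "microsoft.com", "windowsupdate")

# Constructed excerpt in the shape the worm leaves behind, plus benign lines.
SAMPLE_HOSTS = """\
# hosts excerpt constructed for this example
127.0.0.1       localhost
0.0.0.0         ads.example.net      # ad blocking, benign
66.197.186.149 www.google.com.tw
66.197.186.149 www.microsoft.com
66.197.186.149 www.symantec.com
66.197.186.149 liveupdate.symantecliveupdate.com
66.197.186.149 tw.ebay.com
66.197.186.149 www.books.com.tw
"""


def parse_hosts(text):
    """Return [(ip, hostname), ...] for every mapping; comments and junk are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # not an address: malformed line
        for host in parts[1:]:                    # one line may list several names
            entries.append((str(ip), host.lower()))
    return entries


def find_hijacks(text, threshold=5):
    """Report sinkhole IPs (>= threshold names) and hijacked security domains."""
    by_ip = defaultdict(set)
    for ip, host in parse_hosts(text):
        by_ip[ip].add(host)

    sinkholes, hijacked = {}, []
    for ip, hosts in by_ip.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue                              # 127.0.0.1 / 0.0.0.0 blocklists are normal
        if len(hosts) >= threshold:
            sinkholes[ip] = sorted(hosts)
        for host in hosts:
            if any(needle in host for needle in SECURITY_DOMAINS):
                hijacked.append((host, ip))
    return {"sinkholes": sinkholes, "hijacked": sorted(hijacked)}


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts]; with no argument, the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    report = find_hijacks(text)
    for ip, names in report["sinkholes"].items():
        print(f"{ip} receives {len(names)} hostnames, e.g. {', '.join(names[:3])}")
    for host, ip in report["hijacked"]:
        print(f"security domain {host} redirected to {ip}")
```

Loopback and 0.0.0.0 targets are skipped on purpose, since ad-blocking hosts files legitimately map hundreds of names there; the suspicious case is many names pointing at one routable address, as in the list above.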
Copies itself to writable network shares to infect more machines, and spreads to the IPC$ and ADMIN$ shares of other computers on the local area network by guessing passwords.
Infects EXE files on all local disks, except files in directories whose path contains one of the following strings:
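Password guessing against IPC$ and ADMIN$ leaves a recognizable trail on the target: a burst of failed network logons from one source, followed, if a guess succeeds, by that source opening an administrative share. The detector below is an added example and not part of the original write-up; it runs over a simplified, constructed record format (timestamp, Windows event ID, key=value fields) that stands in for a real event log export, and the sample records, thresholds and field names are this example's own assumptions.

```python
"""Admin-share password-guessing detector (added example, not from the write-up).

The worm spreads by guessing credentials against IPC$ and ADMIN$ on LAN hosts.
This detector runs over simplified, constructed log records (one line per
Windows event: timestamp, event ID, key=value fields) and raises an alert when
one source produces `threshold` network-logon failures (event 4625, logon
type 3) inside `window_s` seconds, and a second alert if that same source then
opens an administrative share (event 5140). The record format and the sample
records are this example's own assumptions, not a real EVTX export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+)\s+(\d{4})\s+(.*)$")
ADMIN_SHARES = ("ADMIN$", "IPC$", "C$")

# Constructed records: 10.0.0.7 guesses six times and then opens ADMIN$;
# 10.0.0.9 has two benign failures; 10.0.0.12 fails five times but slowly.
SAMPLE_LOG = r"""
2024-01-01T10:00:01Z 4625 src=10.0.0.7 user=administrator logon_type=3
2024-01-01T10:00:02Z 4625 src=10.0.0.7 user=administrator logon_type=3
2024-01-01T10:00:03Z 4625 src=10.0.0.7 user=administrator logon_type=3
2024-01-01T10:00:04Z 4625 src=10.0.0.7 user=administrator logon_type=3
2024-01-01T10:00:05Z 4625 src=10.0.0.7 user=administrator logon_type=3
2024-01-01T10:00:06Z 4625 src=10.0.0.7 user=administrator logon_type=3
2024-01-01T10:00:07Z 4625 src=10.0.0.9 user=alice logon_type=3
2024-01-01T10:00:08Z 4625 src=10.0.0.9 user=alice logon_type=3
2024-01-01T10:00:09Z 4624 src=10.0.0.7 user=administrator logon_type=3
2024-01-01T10:00:10Z 5140 src=10.0.0.7 user=administrator share=\\*\ADMIN$
2024-01-01T10:00:11Z 5140 src=10.0.0.9 user=alice share=\\*\Public
2024-01-01T10:05:00Z 4625 src=10.0.0.12 user=administrator logon_type=3
2024-01-01T10:07:00Z 4625 src=10.0.0.12 user=administrator logon_type=3
2024-01-01T10:09:00Z 4625 src=10.0.0.12 user=administrator logon_type=3
2024-01-01T10:11:00Z 4625 src=10.0.0.12 user=administrator logon_type=3
2024-01-01T10:13:00Z 4625 src=10.0.0.12 user=administrator logon_type=3
"""


def parse_events(text):
    """Parse the simplified record format into dicts with a datetime 'ts' and int 'id'."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        events.append({"ts": ts, "id": int(m.group(2)), **fields})
    return events


def detect_share_guessing(text, threshold=5, window_s=60):
    """Return [(kind, src_ip, timestamp), ...] alerts in time order."""
    failures = defaultdict(list)      # src -> timestamps of recent 4625/type-3 events
    flagged = set()
    alerts = []
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        src = ev.get("src")
        if ev["id"] == 4625 and ev.get("logon_type") == "3":
            cutoff = ev["ts"] - timedelta(seconds=window_s)
            recent = [t for t in failures[src] if t >= cutoff] + [ev["ts"]]
            failures[src] = recent
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("guessing", src, ev["ts"]))
        elif ev["id"] == 5140 and src in flagged:
            share = ev.get("share", "").upper()
            if share.endswith(ADMIN_SHARES):
                # an admin share opened right after a burst of failures means a
                # guess worked: treat the source as a spreading host
                alerts.append(("admin_share_after_guessing", src, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, ts in detect_share_guessing(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind} from {src}")
```

The sliding window matters: five failures spread over ten minutes (10.0.0.12 in the sample) are what a user mistyping a password looks like, while five inside a minute from one address is a guessing loop. On a real network, feed this the 4625/5140 events from the file servers and domain controllers rather than from the infected workstation, since the worm's own host may have had its security tooling killed.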
System
System32
Windows
Documents and Settings
System Volume Information
Recycled
Winnt
Windows NT
WindowsUpdate
Windows Media Player
Outlook Express
Internet Explorer
ComPlus applications
NetMeeting
Common Files
Messenger
Microsoft Office
InstallShield Installation Information
Msn
Microsoft Frontpage
Movie Maker
MSN Gaming Zone
The worm writes its own body at the start of the infected file, ahead of the original program (a prepending infector).
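A prepending infector of the kind described above leaves an infected executable with two complete PE headers: the worm's at offset 0 and the original program's further into the file. The following triage script is an added example, not code from the write-up or from the worm; it locates every MZ stub whose e_lfanew field points at a valid PE signature and reports files carrying more than one. The minimal PE images it builds are constructed stand-ins for real executables; the header layout (e_lfanew at offset 0x3C, "PE\0\0" signature) is the real PE format.

```python
"""Second-PE-header check for prepending infectors (added example, not from the write-up).

A prepending infector writes its own body at the start of the host file, so an
infected executable carries two complete PE headers: the worm's at offset 0 and
the original program's further in. This scans for every 'MZ' whose e_lfanew
points at a valid PE\\0\\0 signature and reports files with more than one. The
minimal PE images below are constructed for the example; the header layout
(e_lfanew at 0x3C) is the real PE format. Installers and self-extracting
archives legitimately embed a second PE, so treat a hit as a triage signal.
"""
import struct
import sys


def make_min_pe(body):
    """Constructed stand-in for an executable: DOS stub with e_lfanew=0x40, then PE\\0\\0 + body."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew: offset of the PE signature
    return bytes(hdr) + b"PE\0\0" + body


def pe_header_offsets(data):
    """Offsets of every well-formed PE header (MZ stub whose e_lfanew reaches PE\\0\\0)."""
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            # real e_lfanew values are small; the bound also avoids chasing random 'MZ' bytes
            if 0x40 <= e_lfanew <= 0x1000 and data[sig:sig + 4] == b"PE\0\0":
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def looks_prepended(data):
    """True when the file starts with a PE and contains at least one more."""
    offs = pe_header_offsets(data)
    return len(offs) >= 2 and offs[0] == 0


def split_prepended(data):
    """Return (prepended_body, original_host) for a prepended file, else None."""
    offs = pe_header_offsets(data)
    if len(offs) < 2 or offs[0] != 0:
        return None
    return data[:offs[1]], data[offs[1]:]


if __name__ == "__main__":
    # Usage: python find_prepended.py file.exe ...; with no arguments, run on the constructed sample.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                data = f.read()
            print(path, pe_header_offsets(data), "prepended?", looks_prepended(data))
    else:
        infected = make_min_pe(b"worm-stub") + make_min_pe(b"host")
        print("offsets:", pe_header_offsets(infected), "prepended?", looks_prepended(infected))
```

For a genuine prepended sample, split_prepended gives you the viral body (everything before the second header) for signature work and the original host for comparison against a known-good copy; a real infector may also patch the host, so verify the carved tail against a hash before trusting it.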
Removal method
2. Reset the registry value added by the worm (the backslashes in the key path were lost in extraction):
HKEY_LOCAL_MACHINE\Software\softdownloadwww
"Auto" = "0"
Then scan the machine with anti-virus software using the latest virus definitions.