How to kill a shameless random 7-character virus

Source: Internet
Author: User

Virus fingerprint:

SHA-160: DA14DDB10D14C568B62176AAB738B0C479A06863
MD5: C505733FFDDA0394D404BD5BB652C1A6
RIPEMD-160: 109ef9736ad4966094c096e57b477b7572b7ed9c
CRC-32: FF6E4568

Virus size: 43,900 bytes

Connects to the network to download further malware from:

IP address: 61.152.20.252
Location: Shanghai Telecom IDC

The following virus files are generated with random names on the local machine:

Meex.com, rmwaccq.exe, wojhadp.exe, nqgphqd.exe, autorun.inf

Downloads and runs the following files:

1a11.exe00002b12.exe00003c13.exe00002b12.exe

Generates a random hiv file used for mutual process protection.

Destroys Safe Mode by tampering with the SafeBoot registry keys:

.Upack:00408184 s_SystemControl db 'System\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:00408184                 ; DATA XREF: sub_407CF4+6B o
.Upack:004081D9 align 4
.Upack:004081DC s_T db 0FFh, 0FFh, 0FFh, 0FFh, 't', 0
.Upack:004081E2 align 4
.Upack:004081E4 s_SystemContr_0 db 'System\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:004081E4                 ; DATA XREF: sub_407CF4+7A o
.Upack:00408239 align 4
.Upack:0040823C s_X db 0FFh, 0FFh, 0FFh, 0FFh, 'x', 0
.Upack:00408242 align 4
.Upack:00408244 s_SystemCurrent db 'System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:00408244                 ; DATA XREF: sub_407CF4+89 o
.Upack:0040829D align 10h
.Upack:004082A0 s_X_0 db 0FFh, 0FFh, 0FFh, 0FFh, 'x', 0
.Upack:004082A6 align 4
.Upack:004082A8 s_SystemCurre_0 db 'System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:004082A8                 ; DATA XREF: sub_407CF4+98 o
.Upack:00408301 align 4
.Upack:00408304 dd 0FFFFFFFFh, 0Ch

Destroys the "Show hidden files" option (the SHOWALL CheckedValue entry):

.Upack:0040830C s_Checkedvalue db 'checkedvalue',0 ; DATA XREF: sub_407CF4+A7 o
.Upack:00408319 align 4
.Upack:0040831C s_Q db 0FFh, 0FFh, 0FFh, 0FFh, 'Q', 0
.Upack:00408322 align 4
.Upack:00408324 s_SoftwareMicro db 'software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall',0

Enables AutoRun by rewriting the NoDriveTypeAutoRun policy:

.Upack:00408524 s_SoftwareMic_4 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer',0
.Upack:00408524                 ; DATA XREF: sub_407CF4+201 o
.Upack:00408560                 ; char s_Nodrivetypeau[]
.Upack:00408560 s_Nodrivetypeau db 'nodrivetypeautorun',0 ; DATA XREF: sub_407CF4+21A o

Disables the AVP, wuauserv, wscsvc, RsRavMon, RsCCenter and RSPPSYS services:

.Upack:004085CC                 ; char s_SystemCurre_5[]
.Upack:00408600 s_SystemCurre_6 db 'System\CurrentControlSet\Services\RSPPSYS',0
.Upack:00408600                 ; DATA XREF: sub_407CF4+2D9 o
.Upack:0040862A align 4
.Upack:0040862C                 ; char s_SystemCurre_7[]
.Upack:0040862C s_SystemCurre_7 db 'System\CurrentControlSet\Services\rsccenter',0
.Upack:0040862C                 ; DATA XREF: sub_407CF4+30F o
.Upack:00408658                 ; char s_SystemContr_1[]
.Upack:00408658 s_SystemContr_1 db 'System\ControlSet001\Services\rsccenter',0
.Upack:00408658                 ; DATA XREF: sub_407CF4+345 o
.Upack:00408680                 ; char s_SystemContr_2[]
.Upack:00408680 s_SystemContr_2 db 'System\ControlSet001\Services\RsRavMon',0
.Upack:00408680                 ; DATA XREF: sub_407CF4+37B o
.Upack:004086A7 align 4
.Upack:004086A8                 ; char s_SystemContr_5[]
.Upack:004086A8 s_SystemContr_5 db 'System\ControlSet001\Services\wscsvc',0
.Upack:004086A8                 ; DATA XREF: sub_407CF4+3B1 o
.Upack:004086CD align 10h
.Upack:004086D0                 ; char s_SystemContr_3[]
.Upack:004086D0 s_SystemContr_3 db 'System\ControlSet001\Services\wuauserv',0
.Upack:004086D0                 ; DATA XREF: sub_407CF4+3E7 o
.Upack:004086F7 align 4
.Upack:004086F8                 ; char s_SystemContr_4[]
.Upack:004086F8 s_SystemContr_4 db 'System\ControlSet002\Services\avp',0
.Upack:004086F8                 ; DATA XREF: sub_407CF4+41D o

Image hijacking (IFEO) of multiple security tools, system programs and anti-virus products.

There are too many hijacked entries to list here; they are the same as in the previous virus sample. For details, see the articles by fellow user "cosine function".

Solution

Use Procexp.exe to suspend the virus processes, then open System32, sort the icons by time, locate the virus files and delete them.

Rename Autoruns (so the IFEO hijack does not catch it), open it, and go to the Image Hijacks entries: keep only the item "Your Image File Name Here without a path" and delete all the others.

Open ACDSee and delete the virus files and the autorun.inf script in the root of each drive letter. Do not open the drives with a right-click "Open" or through Explorer, because the autorun.inf below redirects both the open and explore verbs to the virus:

[AutoRun]
open=nqgphqd.exe
shell\open=Open(&O)
shell\open\Command=nqgphqd.exe
shell\open\Default=1
shell\explore=Explorer(&X)
shell\explore\Command=nqgphqd.exe

Safe Mode and the hidden-file registry entries are repaired as follows (save the text below as a .reg file and double-click it to import it into the Registry):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Type"="radio"
"CheckedValue"=dword:00000001

The virus only tampers with these two common registry locations, which the .reg file above restores. Because the file names it generates are random and so is its process ID (PID), a fixed removal script cannot target them; the steps above have to be carried out by hand.
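As an added example (not part of the original post), the following PowerShell script verifies that the registry tampering described in the analysis above (SafeBoot keys, the SHOWALL option, the AutoRun policy, IFEO debugger entries and the disabled services) has actually been undone after the clean-up. It assumes it is run from an elevated prompt on the cleaned machine; treating anything other than 0xFF in NoDriveTypeAutoRun as worth reporting is my recommendation, not something the post states.

```powershell
# Added example: post-clean-up check for the registry residue of this sample.
# Assumed: run elevated on the machine that was cleaned with the steps above.
$guid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'   # disk-drive class key the sample removes
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. SafeBoot: the DiskDrive class key must exist under Minimal and Network
foreach ($set in 'ControlSet001', 'CurrentControlSet') {
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\$set\Control\SafeBoot\$mode\$guid"
        if (-not (Test-Path $key)) {
            $findings.Add("SafeBoot key missing: $key")
        } elseif ((Get-ItemProperty $key).'(default)' -ne 'DiskDrive') {
            $findings.Add("SafeBoot default value is not DiskDrive: $key")
        }
    }
}

# 2. "Show hidden files" option: CheckedValue must be 1 and Type must be "radio"
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$p = Get-ItemProperty $showAll -ErrorAction SilentlyContinue
if ($null -eq $p -or $p.CheckedValue -ne 1 -or $p.Type -ne 'radio') {
    $findings.Add("SHOWALL option still tampered: $showAll")
}

# 3. AutoRun policy: the sample rewrites NoDriveTypeAutoRun to re-enable AutoRun.
#    0xFF disables AutoRun on every drive type (recommended value, an assumption here).
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'
$v = (Get-ItemProperty $pol -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($v -ne 0xFF) { $findings.Add("NoDriveTypeAutoRun is '$v'; 0xFF disables AutoRun on all drives") }

# 4. IFEO: any Debugger value is a hijack, except Windows' own placeholder entry
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath).Debugger
    if ($dbg -and $_.PSChildName -ne 'Your Image File Name Here without a path') {
        $findings.Add("IFEO hijack: $($_.PSChildName) -> $dbg")
    }
}

# 5. Services the sample disables: Start = 4 means Disabled
foreach ($svc in 'AVP', 'wuauserv', 'wscsvc', 'RsRavMon', 'RsCCenter', 'RSPPSYS') {
    $s = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -ErrorAction SilentlyContinue
    if ($s -and $s.Start -eq 4) { $findings.Add("Service still disabled: $svc") }
}

if ($findings.Count -eq 0) { 'No residue of the described tampering found.' } else { $findings }
```

Each finding names the exact key to fix, so the output can be compared directly against the .reg file above and the manual Autoruns step.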
