Virus fingerprint:
SHA-1 (160-bit): DA14DDB10D14C568B62176AAB738B0C479A06863
MD5: C505733FFDDA0394D404BD5BB652C1A6
RIPEMD-160: 109ef9736ad4966094c096e57b477b7572b7ed9c
CRC-32: FF6E4568
Virus size: 43,900 bytes
Network connection (the virus downloads further components from here):
IP address: 61.152.20.252
Location: Shanghai Telecom IDC
The following randomly named virus files are created on the local machine:
Meex.com, rmwaccq.exe, wojhadp.exe, nqgphqd.exe, autorun.inf
Downloads and runs the following files:
1a11.exe00002b12.exe00003c13.exe00002b12.exe
Generates a randomly named .hiv file for mutual process protection (the virus processes watch over and restart each other).
Breaks Safe Mode by removing the SafeBoot disk-drive class keys referenced below:
.Upack:00408184 s_SystemControl db 'System\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:00408184                 ; DATA XREF: sub_407CF4+6B o
.Upack:004081D9                 align 4
.Upack:004081DC s_T             db 0FFh, 0FFh, 0FFh, 0FFh, 't', 0
.Upack:004081E2                 align 4
.Upack:004081E4 s_SystemContr_0 db 'System\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:004081E4                 ; DATA XREF: sub_407CF4+7A o
.Upack:00408239                 align 4
.Upack:0040823C s_X             db 0FFh, 0FFh, 0FFh, 0FFh, 'x', 0
.Upack:00408242                 align 4
.Upack:00408244 s_SystemCurrent db 'System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:00408244                 ; DATA XREF: sub_407CF4+89 o
.Upack:0040829D                 align 10h
.Upack:004082A0 s_X_0           db 0FFh, 0FFh, 0FFh, 0FFh, 'x', 0
.Upack:004082A6                 align 4
.Upack:004082A8 s_SystemCurre_0 db 'System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}',0
.Upack:004082A8                 ; DATA XREF: sub_407CF4+98 o
.Upack:00408301                 align 4
.Upack:00408304                 dd 0FFFFFFFFh, 0Ch
Breaks the "Show hidden files" option (the SHOWALL CheckedValue):
.Upack:0040830C s_Checkedvalue  db 'checkedvalue',0      ; DATA XREF: sub_407CF4+A7 o
.Upack:00408319                 align 4
.Upack:0040831C s_Q             db 0FFh, 0FFh, 0FFh, 0FFh, 'Q', 0
.Upack:00408322                 align 4
.Upack:00408324 s_SoftwareMicro db 'software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall',0
Enables autorun (AutoPlay) through the NoDriveTypeAutoRun policy value:
.Upack:00408524 s_SoftwareMic_4 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer',0
.Upack:00408524                 ; DATA XREF: sub_407CF4+201 o
.Upack:00408560                 ; char s_Nodrivetypeau[]
.Upack:00408560 s_Nodrivetypeau db 'nodrivetypeautorun',0 ; DATA XREF: sub_407CF4+21A o
Stops and disables the AVP, wuauserv, wscsvc, RsRavMon, RsCCenter and RSPPSYS services:
.Upack:004085CC                 ; char s_SystemCurre_5[]
.Upack:00408600 s_SystemCurre_6 db 'System\CurrentControlSet\Services\RSPPSYS',0
.Upack:00408600                 ; DATA XREF: sub_407CF4+2D9 o
.Upack:0040862A                 align 4
.Upack:0040862C                 ; char s_SystemCurre_7[]
.Upack:0040862C s_SystemCurre_7 db 'System\CurrentControlSet\Services\rsccenter',0
.Upack:0040862C                 ; DATA XREF: sub_407CF4+30F o
.Upack:00408658                 ; char s_SystemContr_1[]
.Upack:00408658 s_SystemContr_1 db 'System\ControlSet001\Services\rsccenter',0
.Upack:00408658                 ; DATA XREF: sub_407CF4+345 o
.Upack:00408680                 ; char s_SystemContr_2[]
.Upack:00408680 s_SystemContr_2 db 'System\ControlSet001\Services\RsRavMon',0
.Upack:00408680                 ; DATA XREF: sub_407CF4+37B o
.Upack:004086A7                 align 4
.Upack:004086A8                 ; char s_SystemContr_5[]
.Upack:004086A8 s_SystemContr_5 db 'System\ControlSet001\Services\wscsvc',0
.Upack:004086A8                 ; DATA XREF: sub_407CF4+3B1 o
.Upack:004086CD                 align 10h
.Upack:004086D0                 ; char s_SystemContr_3[]
.Upack:004086D0 s_SystemContr_3 db 'System\ControlSet001\Services\wuauserv',0
.Upack:004086D0                 ; DATA XREF: sub_407CF4+3E7 o
.Upack:004086F7                 align 4
.Upack:004086F8                 ; char s_SystemContr_4[]
.Upack:004086F8 s_SystemContr_4 db 'System\ControlSet002\Services\avp',0
.Upack:004086F8                 ; DATA XREF: sub_407CF4+41D o
Image hijacking (IFEO) of many security tools, system programs and anti-virus products.
There are too many hijacked program names to list here; the list is the same as in the earlier virus samples' IFEO hijacking. For details, see the related articles by a friend, "cosine function".
Solution
Use Procexp.exe to suspend the virus processes, then go into System32, sort by time, pick out the virus files by their icons and delete them.
Rename Autoruns, open it and go to the Image Hijacks tab; keep only the "Your Image File Name Here without a path" entry and delete all the other items.
Open ACDSee and use it to delete the virus files and the autorun.inf script on each drive letter; do not open the drives by right-click or through Explorer (Resource Manager), because the script below hijacks those actions:
[AutoRun]
open=nqgphqd.exe
shell\open=Open(&O)
shell\open\Command=nqgphqd.exe
shell\open\Default=1
shell\explore=Explorer(&X)
shell\explore\Command=nqgphqd.exe
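The autorun.inf above is the reason the drives must not be opened through Explorer: every right-click verb and the default action point at the same worm binary. The following added Python example (not code from the original post) parses an autorun.inf and reports which verbs launch an executable and whether the open/explore verbs have all been redirected to one program. SAMPLE_AUTORUN is a constructed copy of the script above; BENIGN_AUTORUN is a constructed installer-style control file.

```python
"""Flag autorun.inf files whose shell verbs have been redirected to an executable.

Added example for this write-up, not code from the original post. SAMPLE_AUTORUN
is a constructed copy of the autorun.inf reproduced above; BENIGN_AUTORUN is a
constructed installer-style file used as a control."""
import re

SAMPLE_AUTORUN = """[AutoRun]
open=nqgphqd.exe
shell\\open=Open(&O)
shell\\open\\Command=nqgphqd.exe
shell\\open\\Default=1
shell\\explore=Explorer(&X)
shell\\explore\\Command=nqgphqd.exe
"""

BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Product CD
"""

# Extensions Windows executes directly when named in open= or a shell verb.
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js")


def parse_autorun(text):
    """Return {section: {key: value}} for an INI-style autorun.inf (keys lower-cased)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def program_of(command):
    """Program name from a command line, honouring a quoted path and dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def launchers(text):
    """Map every launching verb (open, shellexecute, shell\\<verb>) to the program it runs."""
    auto = parse_autorun(text).get("autorun", {})
    found = {}
    for verb in ("open", "shellexecute"):
        if verb in auto:
            found[verb] = program_of(auto[verb])
    for key, value in auto.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m:
            found["shell\\" + m.group(1)] = program_of(value)
    return found


def analyze_autorun(text):
    """Return human-readable findings; an empty list means nothing is launched."""
    auto = parse_autorun(text).get("autorun", {})
    found = launchers(text)
    findings = [f"{verb} launches {prog}" for verb, prog in found.items()
                if prog.lower().endswith(EXEC_EXT)]
    # The worm pattern seen above: every right-click verb points at one binary and
    # that verb is also made the default, so double-clicking the drive runs it.
    targets = {p.lower() for v, p in found.items() if v.startswith("shell\\")}
    if len(targets) == 1 and auto.get("shell\\open\\default") == "1":
        findings.append(f"all shell verbs redirected to {targets.pop()}, set as the default action")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, analyze_autorun(text) or ["clean"])
```

Run it against the autorun.inf copied from a removable drive (opened in a text editor, not by double-clicking the drive) and it prints one line per launching verb; a file that only sets icon= and label= comes back clean.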
Repair the Safe Mode and hidden-files registry entries as follows (save the text below as a .reg file and double-click it to import it into the registry). Note that the sample's strings also target the CurrentControlSet copies of the two SafeBoot keys; CurrentControlSet is an alias for whichever ControlSet00N the machine booted from, so if that is not ControlSet001 the same two keys need to be restored under it as well:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Type"="radio"
"CheckedValue"=dword:00000001
The virus inserts these two common verbs (open and explore) into the script. Because the file names it generates are random, and so are the process IDs, the cleanup has to be done by hand, case by case.
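After importing the .reg fix and cleaning the IFEO key with Autoruns, export the affected keys again (regedit File > Export, or "reg export") and check the result rather than trusting it. The added Python example below (not the original author's code) parses that export text: it verifies the two SafeBoot keys under both ControlSet001 and CurrentControlSet plus the SHOWALL CheckedValue from the fix above, and lists every Image File Execution Options entry whose Debugger is anything other than the default "Your Image File Name Here without a path" placeholder that the Autoruns step keeps. SAMPLE_EXPORT is a constructed dump of a half-repaired machine; the procexp.exe entry pointing at rmwaccq.exe is made up to match the write-up's file names, and the placeholder's "ntsd -d" debugger is the value Windows XP ships.

```python
"""Verify the Safe Mode / hidden-file repair and list IFEO hijacks from a .reg export.

Added example for this write-up, not the original author's code. SAMPLE_EXPORT is a
constructed registry export, not data from a real machine."""
import re

SAFEBOOT_GUID = "{4D36E967-E325-11CE-BFC1-08002BE10318}"  # disk-drive class GUID from the write-up
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
IFEO_PLACEHOLDER = "Your Image File Name Here without a path"  # default subkey the Autoruns step keeps
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"

# The worm's strings name both ControlSet001 and the CurrentControlSet alias, so the
# repair is checked under both; each key's default value must read DiskDrive.
EXPECTED_DEFAULT = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\%s\Control\SafeBoot\%s\%s" % (cs, mode, SAFEBOOT_GUID): "DiskDrive"
    for cs in ("ControlSet001", "CurrentControlSet")
    for mode in ("Minimal", "Network")
}

# Constructed export: ControlSet001 repaired, CurrentControlSet not, SHOWALL still
# broken, and one hijacked image beside the XP default placeholder entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Type"="radio"
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="C:\\WINDOWS\\system32\\rmwaccq.exe"
'''


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode(raw):
    """Decode a .reg value: quoted string, dword, or anything else left as text."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name_lower: value}}; a key's default value is stored under '@'."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif line.endswith("\\"):  # hex(...) data wraps onto the next line
            pending = line[:-1]
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "@" if name == "@" else _unescape(name.strip('"')).lower()
            keys[current][name] = _decode(value)
    return keys


def _lookup(keys, path):
    """Case-insensitive key lookup, as the registry itself is case-insensitive."""
    want = path.lower()
    for k, v in keys.items():
        if k.lower() == want:
            return v
    return None


def check_repairs(keys):
    """List what the repair .reg has not yet restored."""
    problems = []
    for path, expected in EXPECTED_DEFAULT.items():
        values = _lookup(keys, path)
        if values is None:
            problems.append("missing key: " + path)
        elif values.get("@") != expected:
            problems.append("default value at %s is %r, expected %r" % (path, values.get("@"), expected))
    checked = (_lookup(keys, SHOWALL) or {}).get("checkedvalue")
    if checked != 1:
        problems.append("SHOWALL CheckedValue is %r, expected 1" % (checked,))
    return problems


def ifeo_hijacks(keys):
    """Return (image name, Debugger command) for every IFEO entry other than the placeholder."""
    prefix = IFEO.lower() + "\\"
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix) or "debugger" not in values:
            continue
        image = path[len(prefix):]
        if image.lower() != IFEO_PLACEHOLDER.lower():
            hits.append((image, values["debugger"]))
    return hits


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for p in check_repairs(parsed):
        print("REPAIR ", p)
    for image, dbg in ifeo_hijacks(parsed):
        print("IFEO   ", image, "->", dbg)
```

On the constructed dump this reports the two missing CurrentControlSet keys, the CheckedValue still at 0, and the procexp.exe hijack; on a fully cleaned machine both lists come back empty.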