Killing the "singing virus" that caused the board buzzer to sing

Imagine, midnight you sit in front of the computer to surf the Internet, suddenly the motherboard starts singing--"Back to the Future", you will be startled? Then you will be crazy, the main board of the buzzer (buzzer issued "drip, drip, drip" sound, mainly used to alarm or hint), unusually nasty, as if it is "Death aria". This is the "singing virus" sequelae, in the virus, you will always be the motherboard "song" Tortured.

The "Singing virus" uses the motherboard's buzzer to play "Back to the Future". This is what the song, is completely noise, I hate the virus author, too no music appreciation level. Fortunately, I am a computer "veteran", know a lot of safety knowledge, cleared the virus.

Virus analysis: How the virus makes the motherboard sing

What does the virus use "witchcraft" to make the motherboard sing? It uses the vibration frequency, the pitch is proportional to the vibration frequency, that is, the faster the object vibration speed, the higher the pitch, if the vibration frequency changes linked together, the motherboard buzzer will be issued a song. When you play a song, you may also pop up the prompt window (Figure 1).

In addition, the virus mainly relies on flash transmission, after poisoning, will disable Task Manager, registry, folder options are hidden, "My Computer" menu content has been tampered with, such as EXE, COM Program Association has been forcibly erased.

Virus principle: The singing virus after entering the system, will copy 2009.exe and 4.exe to the system's Windows directory. Another virus file,. exe, which does not have a file name, is randomly released to any directory in the system. The virus then automatically loads the three files into memory, and the three processes can protect each other, especially if the. exe process is not visible in the process manager.

The virus deletes the system file Userinit.exe and modifies the Userinit boot entry associated with it to 4.exe, and then modifies the contents of the other system startup Shell to 2009.exe. Then add 4 and 20,092 boot entries to the registry, and use these four startup entries to ensure that the virus files are randomly started. This allows the virus to run even if the user deletes the startup entry that was added to the virus, and if it is not noticed that the startup item is tampered with.

The virus then releases the Lotto.exe and Autorun.inf two files on each disk's root directory (Figure 2). This allows users to automatically run virus files when they double-click to open the disk, thereby increasing the spread of the virus.