Kissme virus: how it works, and a Python cleanup script

Source: Internet
Author: User

 

Many people will have met this kind of virus: it spreads by USB flash drive, and after infection the folders on the computer are replaced by files in .exe format while the real folders are hidden (if file extensions are hidden, you cannot tell that the "folder" is fake).

 

This virus is really a whole family with many modified versions, and the kissme virus (the Legend "Angel" virus) is a typical example.

 

@ 1. Kissme virus description:

 

When the virus is running, kissme.exe and kiss.exe appear in the process list, and neither can be killed (the two processes protect each other; killing one alone fails with insufficient permissions).

 

Symptoms: the virus copies itself, disguises the copies as folders and hides the real files (a rather sneaky trick); kiss.exe sometimes occupies 100% of the CPU; the machine crashes on shutdown or restart; there are no service items or startup items; 360 and Task Manager cannot end the processes; directories cannot be opened, and the system reports that a device attached to the system is not functioning.

 

@ 2. What the virus does:

 

The virus was originally written to steal accounts for the online game Legend. Because it is an old virus, though, nowadays all it can do is mess up user folders; the account-stealing part basically no longer has an environment to work in.

 

A virus must first get itself started, but this one adds no entry to the Startup folder and no service item; it uses a cleverer method:

 

In HKEY_LOCAL_MACHINE\Software\Classes\Exefile\Shell\Open\Command it sets the key's default value to "%windir%winker.exe". This key holds the command Windows runs to open any .exe file, so the virus is launched whenever a program is started, which amounts to starting with the system.

 

In short, it is the registry that gets changed.

 

When you insert an infected USB flash drive and, without noticing, open one of its folders (which the virus has already replaced with an .exe), the virus starts and installs its own startup method as described above. From then on two virus processes, kiss.exe and kissme.exe, run on your computer. As long as they exist, whenever you open a folder the virus hides that folder and puts a copy of itself, disguised as the folder, in its place.

 

At the same time, to make itself harder to detect, it forcibly disables the "Show hidden files" and "Show extensions for known file types" options in "Folder Options" (if hidden files or known extensions were displayed, users could easily notice that something is wrong with their files), which helps the virus stay concealed.

 

@ 3. Cleanup program:

 

After the virus has been in the system for a while, virus files are found everywhere on the computer; clearing the exe files that look like folders by hand is clearly unrealistic.

 

These files do, however, share two features: the suffix ".exe" and a size of exactly 1100083 bytes. So let's write a simple program that walks every folder and deletes the files matching these two criteria. (The probability that an unrelated file meets both conditions is very small.)

 

 

 

import os

virSize = 1100083  # size of the virus files, in bytes

# walk the tree bottom-up (topdown=False) starting from the current directory
walkObj = os.walk(os.getcwd(), False)

for root, dirs, files in walkObj:
    for name in files:
        if name.lower().endswith('.exe'):
            fullpath = os.path.join(root, name)
            size = os.path.getsize(fullpath)
            if size == virSize:
                os.remove(fullpath)
                print(fullpath)  # report each deleted virus file

 

Run this Python script once in the root directory of each drive to delete all the virus files. However, an infected computer usually still has kiss.exe and kissme.exe running, and they quickly recreate the deleted files.
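As an added example (not the original post's script), here is a Python 3 version of the same search that also checks the third sign the post describes, a real folder with the same name sitting next to the decoy, and moves matches into a quarantine folder instead of deleting them, so a false positive can be put back. The quarantine location and the function names are my own choices.

```python
# Added example, not the original post's script: the post's two features
# (".exe" suffix, 1100083 bytes) plus the sibling-folder sign it describes.
import os
import shutil

VIR_SIZE = 1100083  # size of the kissme decoy files, from the post

def is_decoy(fullpath, vir_size=VIR_SIZE):
    """.exe suffix, exact virus size, and a real folder beside it of the same name."""
    if not fullpath.lower().endswith(".exe"):
        return False
    try:
        if os.path.getsize(fullpath) != vir_size:
            return False
    except OSError:  # unreadable or vanished file: not a decoy
        return False
    return os.path.isdir(fullpath[:-4])  # "Photos.exe" beside a "Photos" folder

def find_decoys(top, vir_size=VIR_SIZE, skip=()):
    """Walk `top` bottom-up like the post's script; list decoys, touch nothing."""
    skip = tuple(os.path.abspath(s) for s in skip)
    found = []
    for root, _dirs, files in os.walk(top, topdown=False):
        absroot = os.path.abspath(root)
        if any(os.path.commonpath([absroot, s]) == s for s in skip):
            continue  # never rescan the quarantine folder itself
        for name in files:
            fullpath = os.path.join(root, name)
            if is_decoy(fullpath, vir_size):
                found.append(fullpath)
    return found

def quarantine_decoys(top, quarantine_dir, vir_size=VIR_SIZE):
    """Move each decoy into quarantine_dir (a location chosen for this example),
    keeping its relative path in the name so a false positive can be restored."""
    os.makedirs(quarantine_dir, exist_ok=True)
    moved = []
    for path in find_decoys(top, vir_size, skip=(quarantine_dir,)):
        flat = os.path.relpath(path, top).replace(os.sep, "__")
        dest = os.path.join(quarantine_dir, flat)
        shutil.move(path, dest)
        moved.append((path, dest))
    return moved  # list of (original path, quarantined path)

if __name__ == "__main__":  # usage: python kissme_quarantine.py D:\
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    for src, dst in quarantine_decoys(root, os.path.join(root, "_quarantine")):
        print(src, "->", dst)
```

Like the post's script it only finds the decoys; the running kiss.exe and kissme.exe processes will recreate them until they are stopped.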

Because the virus has also modified the registry so that the user's real files cannot be shown, the registry needs to be repaired:

 

 

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30501"
"Type"="radio"
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51104"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"Type"="checkbox"
"Text"="@shell32.dll,-30508"
"WarningIfNotDefault"="@shell32.dll,-28964"
"HKeyRoot"=dword:80000001
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="ShowSuperHidden"
"CheckedValue"=dword:00000000
"UncheckedValue"=dword:00000001
"DefaultValue"=dword:00000000
"HelpID"="shell.hlp#51103"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
@=""

Save this text as a .reg file and import it into the registry to restore the hidden-file options. After a restart, remove the hidden attribute from all the folders the virus hid.

 

From Cashey1991
