AV names:
Kingsoft Duba (Win32.Troj.Unknown.a.412826)
AVG (Generic9.AQHK)
AhnLab V3 (Win-Trojan/Hupigon.Gen)
Packer: none
Programming language: Delphi
File MD5: a79d8dddadc172915a3603700f00df8c
Malware type: remote control trojan
Behavior analysis:
1. Drops the virus files:
C:\windows\kvmon.dll (361984 bytes)
C:\windows\kvmon.exe (412829 bytes)
2. Modifies the registry so that it runs at system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
(registry value) userinit
REG_SZ, "C:\windows\system32\userinit.exe,"
is changed to REG_SZ, "C:\windows\system32\userinit.exe, c:\windows\kvmon.exe-ini"
3. Starts an IE process and injects kvmon.dll into it.
4. Adds registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\setup
(registry value) beizhu = REG_SZ, "online"
(registry value) info = REG_SZ, "http://www.5311×0.COM/VIP/6880579/ip.txt>46821973>online>remote host>25>0>1080>guest>123456>"
5. Reads the registry values above, makes a reverse connection to the outside, and accepts the attacker's control.
6. Uses cmd.exe to delete the old file.
Solution:
1. Open Task Manager and disconnect the network connection.
2. Start > Run > regedit.exe and open the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
(registry value) userinit
Click Modify and set it to: c:\windows\system32\userinit.exe,
Note that the trailing comma must not be omitted. On a Windows 2000/NT system the value is: C:\winnt\system32\userinit.exe,
3. Delete the files:
C:\windows\kvmon.dll (361984 bytes)
C:\windows\kvmon.exe (412829 bytes)
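An added check, not part of the original report, for the Userinit persistence in behavior step 2 and removal step 2: it splits the Userinit value into its comma-separated entries and flags anything other than the stock userinit.exe, so the key can be audited before and after cleanup. The legitimate-path pattern and the sample values are assumptions constructed here; reading the live key requires Windows.

```python
"""Audit the Winlogon Userinit value for extra entries (e.g. kvmon.exe).

Parsing is kept separate from the registry read so the logic can be
exercised offline; check_live_registry() only works on Windows.
"""
import re

USERINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumed legitimate Userinit program: system32\userinit.exe under the
# Windows directory (C:\windows on XP, C:\winnt on 2000/NT), any drive
# letter, compared case-insensitively.
LEGIT_USERINIT = re.compile(
    r"^[a-z]:\\(windows|winnt)\\system32\\userinit\.exe$", re.I)

# Constructed sample values: a clean XP value, a clean 2000/NT value and
# the infected value from the report (extra entry appended after the comma).
CLEAN_XP = r"C:\windows\system32\userinit.exe,"
CLEAN_NT = r"C:\winnt\system32\userinit.exe,"
INFECTED = r"C:\windows\system32\userinit.exe, c:\windows\kvmon.exe-ini"


def parse_userinit(value):
    """Split a Userinit REG_SZ value into its program entries.

    Entries are whitespace-stripped; the trailing comma Windows expects
    yields an empty piece, which is dropped rather than reported.
    """
    return [e.strip() for e in value.split(",") if e.strip()]


def extra_userinit_entries(value):
    """Return every entry whose program path is not the stock userinit.exe.

    Only the first token of an entry is the path; anything after a space
    is treated as arguments and does not affect the match.
    """
    suspicious = []
    for entry in parse_userinit(value):
        program = entry.split(" ")[0].strip('"')
        if not LEGIT_USERINIT.match(program):
            suspicious.append(entry)
    return suspicious


def check_live_registry():
    """Read HKLM Winlogon\\Userinit (Windows only) and return extra entries."""
    import winreg  # standard library, present only on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USERINIT_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return extra_userinit_entries(value)


if __name__ == "__main__":
    print("extra entries:", check_live_registry())
```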