Behavior:
1. Drops the files:
C:\WINDOWS\SYSTEM\Services.EXE 65536 bytes
C:\WINDOWS\SYSTEM\sysanalysis.EXE 65536 bytes
C:\WINDOWS\SYSTEM\assumer.exe 976896 bytes
2. Deletes the backup file:
C:\windows\system32\dllcache\assumer.exe
3. Overwrites the system file: C:\WINDOWS\assumer.exe
When the system starts, the virus body runs first, and then C:\WINDOWS\SYSTEM\assumer.exe is run.
4. Renames the file as a backup: assumer.exe 608924508094788
5. Tries to spread via USB flash drives and to modify the system's hidden-file option, but this is not implemented.
Solution:
1. Delete:
C:\windows\assumer.exe 65536 bytes
C:\WINDOWS\SYSTEM\Services.EXE 65536 bytes
C:\WINDOWS\SYSTEM\sysanalysis.EXE 65536 bytes
2. Rename assumer.exe 608924508094788 to assumer.exe,
or copy the file from C:\WINDOWS\SYSTEM\assumer.exe to c:\windows\assumer.exe.
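
A read-only check for the file indicators listed above, added here as an example and not part of the original write-up. It assumes PowerShell 3.0 or later, the default C:\WINDOWS directory, and that the renamed backup sits in that directory with a name starting with "assumer.exe"; it reports findings and changes nothing.

```powershell
#Requires -Version 3.0
# Read-only triage for the file indicators listed above; nothing is deleted or renamed.
param(
    # Assumption: default Windows directory; point it at a mounted disk image to check offline.
    [string]$WinDir = 'C:\WINDOWS'
)

$dropSize = 65536   # size the page gives for each dropped copy

# Files the page says are dropped or overwritten, all listed at 65536 bytes.
$dropped = @(
    @{ Path = "$WinDir\SYSTEM\Services.EXE";    Finding = 'dropped file' }
    @{ Path = "$WinDir\SYSTEM\sysanalysis.EXE"; Finding = 'dropped file' }
    @{ Path = "$WinDir\assumer.exe";            Finding = 'system file overwritten by virus body' }
)

$report = @()
foreach ($d in $dropped) {
    $f = Get-Item -LiteralPath $d.Path -Force -ErrorAction SilentlyContinue
    # Match on the size as well, so a legitimate file of the same name is not flagged.
    if ($f -and -not $f.PSIsContainer -and $f.Length -eq $dropSize) {
        $report += [pscustomobject]@{ Path = $f.FullName; Bytes = $f.Length; Finding = $d.Finding }
    }
}

# Behavior step 2: the dllcache backup is deleted. Only meaningful where dllcache exists at all.
$cacheDir = "$WinDir\system32\dllcache"
$cache    = "$cacheDir\assumer.exe"
if ((Test-Path -LiteralPath $cacheDir) -and -not (Test-Path -LiteralPath $cache)) {
    $report += [pscustomobject]@{ Path = $cache; Bytes = $null; Finding = 'dllcache backup missing' }
}

# Candidate sources for the restore step: the relocated copy and the renamed backup.
$sources  = @(Get-Item -LiteralPath "$WinDir\SYSTEM\assumer.exe" -Force -ErrorAction SilentlyContinue)
$sources += @(Get-ChildItem -LiteralPath $WinDir -Filter 'assumer.exe*' -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'assumer.exe' })
foreach ($s in $sources) {
    $report += [pscustomobject]@{ Path = $s.FullName; Bytes = $s.Length; Finding = 'restore candidate' }
}

$report | Format-Table -AutoSize
```

A restore candidate under SYSTEM that does not show the 976896 bytes listed above should be verified before it is copied back.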