A new "QQ tail" worm is doing the rounds, luring users with tempting chat messages: anyone who clicks the link in the message and downloads and runs the file is infected, and the infected machine then keeps sending the same messages to its own QQ contacts. The detailed analysis report and the manual removal method follow:
Virus Name: worm.qqtaileks.ds.36864
Transmission mode: QQ chat messages carrying a download link; also spreads via AutoPlay (an Autorun.inf dropped on partition roots) and malicious web pages.
Virus behavior:
1. Once run, the virus stays resident in memory and drops several copies of itself into the system directories:
%Windows%\cacom.exe (%Windows% is normally the C:\Windows directory)
%System%\Akica.exe (%System% is normally the C:\Windows\System32 directory)
On Windows 2000 the virus also creates a program named Sycacom.exe.
2. Overwrites the system game "Solitaire" (sol.exe) with a copy of itself:
%System%\sol.exe
%System%\drivers\sol.exe (a clean system has no sol.exe in this location)
3. Copies itself to the root of every partition other than the system partition:
X:\EKS.exe (X is the drive letter)
4. Creates an AutoPlay file in the root of each of those partitions:
X:\Autorun.inf
with the following content:
[autorun]
open=EKS.exe
shellexecute=EKS.exe
shell\Auto\command=EKS.exe
shell=Auto
The open= and shellexecute= lines fire when AutoPlay handles the drive; shell\Auto\command defines a context-menu verb named "Auto", and shell=Auto makes that verb the default, so simply double-clicking the drive in My Computer runs EKS.exe.
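To see exactly which of those directives would launch a program, and under which user action, here is an added example (not part of the original report): a PowerShell function that parses an Autorun.inf, run first against the worm's file exactly as quoted above (embedded as a constructed sample) and then read-only against the root of every drive on the machine. The function name Get-AutorunDirectives and the trigger labels are my own.

```powershell
# Added example, not part of the original report: parse an Autorun.inf and list
# which directives would launch a program and under which user action.
# Function name and trigger labels are my own.

function Get-AutorunDirectives {
    param([Parameter(Mandatory)][string]$Content)

    $section  = ''
    $findings = @()
    foreach ($raw in ($Content -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }            # blank / comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }                            # only [autorun] matters
        if (-not ($line -match '^([^=]+)=(.*)$')) { continue }
        $key   = $Matches[1].Trim().ToLower()
        $value = $Matches[2].Trim()

        $trigger = switch -Regex ($key) {
            '^open$'                 { 'AutoPlay "open" action' }
            '^shellexecute$'         { 'AutoPlay via ShellExecute' }
            '^shell\\(.+)\\command$' { "context-menu verb '$($Matches[1])'" }
            '^shell$'                { "default verb set to '$value': runs on double-click" }
        }
        if ($trigger) {
            $findings += [pscustomobject]@{ Key = $key; Target = $value; Trigger = $trigger }
        }
    }
    return $findings
}

# Constructed sample: the worm's Autorun.inf exactly as quoted in the report.
$sample = @"
[autorun]
open=EKS.exe
shellexecute=EKS.exe
shell\Auto\command=EKS.exe
shell=Auto
"@
Get-AutorunDirectives -Content $sample | Format-Table -AutoSize

# Read-only sweep: warn about any drive root whose Autorun.inf launches an
# executable. Nothing is deleted here.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'Autorun.inf'
    if (-not (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue)) { continue }
    $hits = Get-AutorunDirectives -Content (Get-Content -LiteralPath $inf -Raw) |
            Where-Object { $_.Target -match '\.(exe|com|bat|cmd|scr|pif)(\s|$)' }
    if ($hits) {
        Write-Warning "$inf launches $(@($hits.Target | Sort-Object -Unique) -join ', ')"
        $hits | Format-Table -AutoSize
    }
}
```

For the sample above the function reports all four directives, and the sweep would flag the three that point at EKS.exe; the shell=Auto line on its own carries no executable, which is why the parser reports it separately as the default-verb setting rather than as a launch target.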
5. Modifies the registry to add startup entries (RunServices is honoured only by Windows 9x/Me; on NT-based systems it is the Run value alone that restarts the worm):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akica"="%System%\Akica.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"cacom"="%Windows%\cacom.exe"
6. Sends the following messages, each carrying a link to the virus, to the user's QQ contacts:
Take a look at my online friend from Hangzhou: fair skin, great figure. I want to make her my girlfriend, what's your advice? Her video: hxxp://2.emeishan-jiudianyuding.cn/<blocked>/v.asp?q=2
Remember Xiao Wen? She's a kept mistress now, dressed hot and sexy, driving a BMW, kept by a Hong Kong man. Hard to believe; watch the video on her blog and you'll see: hxxp://2.emeishan-jiudianyuding.cn/<blocked>/v.asp?q=1
Hi, do me a quick favour: open this URL and click any one of the links below, hxxp://2.emeishan-jiudianyuding.cn/<blocked>/v.asp?q=URL-movies.htm I'll tell you why in a moment, thanks a million.
Just found this: super-exciting ** movies, blazing fast, one month free, hxxp://2.emeishan-jiudianyuding.cn/<blocked>/v.asp?q=URL-free-movies.htm
After sending the messages it tries to close the chat window. The virus also visits a number of advertising pages.
Manual Cleanup Method:
1. End the virus process
Press Ctrl+Alt+Del to open Task Manager and end the Vm1.exe process (after a reboot the virus runs as akica.exe or cacom.exe instead, so end those).
2. Click Start → Run, type regedit to open Registry Editor, and delete the following virus startup values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akica"="%System%\Akica.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"cacom"="%Windows%\cacom.exe"
3. Delete the virus files with antivirus software or by hand
Update your antivirus software immediately after the cleanup. If you do not have an up-to-date antivirus product, delete the following files manually:
%Windows%\cacom.exe (%Windows% is normally the C:\Windows directory)
%System%\Akica.exe (%System% is normally the C:\Windows\System32 directory)
%System%\sol.exe
%System%\drivers\sol.exe
4. Restore the "Solitaire" game
Because the virus replaced the Solitaire program, copy a clean sol.exe from a normal system running the same Windows version into the %System% directory (after deleting the infected copy in step 3).
5. Delete the virus files on the other partitions
Do not double-click the drive icons in My Computer to open the partitions: double-clicking triggers AutoPlay, which runs the copy of the virus still sitting on those partitions and undoes the previous steps. Instead, use the folder tree in the left pane of Explorer to enter each partition's root directory and delete EKS.exe and Autorun.inf. If the files are not shown, first enable "Show hidden files and folders" and untick "Hide protected operating system files" in Folder Options.
6. Disable AutoPlay to prevent this type of virus
Since the virus still spreads via AutoPlay, it is strongly recommended that you disable AutoPlay for all drives in the Group Policy Editor: click Start → Run, type gpedit.msc to open the Group Policy Editor, browse to Computer Configuration → Administrative Templates → System, double-click "Turn off AutoPlay" in the right pane, set it to Enabled, choose "All drives" in the drop-down, and click OK. On editions without gpedit.msc (Home editions), the same effect comes from setting the DWORD value NoDriveTypeAutoRun to 0xFF under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.