Recently, Jiangmin technology issued an emergency virus warning, a disguised as "panda incense" pattern of the virus is crazy crime, has dozens of of corporate LAN has been hit. Companies from different parts of the country reported to the Jiangmin Antivirus center that their company was being attacked by an unidentified virus, and that all of the executable. exe files in the computer became a bizarre pattern that showed "panda burning incense."
Poisoning symptoms of the system blue screen, frequent restart, hard disk data is destroyed, and so on, the entire company's local area network of all the computer poisoning, the company's business almost into a standstill. Guangdong, Shanghai and other regions have also appeared similar to virus outbreaks, jiangmin Customer Technical Services Department of the telephone rang non-stop. Indications are that the "Panda incense" virus has a concentrated outbreak possible.
Use Panda to burn incense virus to restore normal after killing
Jiangmin, an anti-virus engineer, analyzed the virus as a new variant of the "Sunway" worm, which has infected more than 300,000 computers since it was intercepted last year, with new variants appearing almost every day. The virus can be spread over the local area network, which can cause LAN paralysis when the virus attacks seriously. It is worth noting that the majority of infected with the virus is not installed in the network version of antivirus software, small business users.
Small enterprise LAN becomes hardest hit
Ms. Gao, an enterprise in the Suzhou Economic Park, said their company is a metal products of small and medium-sized companies, this two days the company's network server suddenly frequent restart phenomenon, after inspection found that the computer appeared in five unknown files, all executable copy is changed into a strange panda incense pattern, due to server failure, Cause the entire LAN completely paralyzed. A similar phenomenon has occurred in a Beijing engineering company, worse is that their company is the financial department of the virus attack, the entire financial department 8 computers frequently appear blue screen, crash phenomenon, the computer also appeared in the "Panda incense" pattern, the company's external financial settlement completely paused, the general manager for this was furious.
Data show that China currently has more than 10 million small enterprises, and in recent years the prevalence of Soho-type home entrepreneurial small companies are countless, these enterprises in the early days, often in the network security, there is no fortification, most companies rely on a single version of anti-virus software to prevent viruses, As a stand-alone version of anti-virus software can not sunway this type of virus spread through the LAN to carry out a unified kill, resulting in the local area network virus repeatedly killed, the virus in the computer through the network to and fro, many small enterprises LAN even long-term "raise" more than one network virus.
Jiangmin Anti-Virus engineers, in their request for help enterprises, most enterprises because of the virus caused by the business can not normally carry out, less than one or two hours, more than one or two days can not work, the direct and indirect loss is far more than the purchase of a network version of antivirus software price.
Single version and Virus killing can't kill LAN virus
According to the survey, more than 70% of small and medium-sized enterprises are not willing to choose the Internet version of anti-virus software, but more likely to stand-alone version of anti-virus software, and the price is undoubtedly blocking small business applications network version of the biggest obstacle. Network version of anti-virus software due to long-term application in the high-end enterprise market, in the eyes of ordinary users belong to a "luxury" products to have 25 of computers in small enterprises LAN computing, the domestic mainstream of the same configuration of the network version of anti-virus software price between 10000 to 17000 yuan, in the face of high prices, The Soho people who want to start a frugal business need to be determined to buy! And more small business owners in the virus attack, passively buy a stand-alone version of anti-virus software emergency.
Although stand-alone antivirus software even free kill tools can kill the virus, but in the interconnection of the local area, these anti-virus software and kill tools are often lost, is usually the machine virus killed, but also infected to another machine, back and forth, so that network administrators tired of coping. If only a few computers may also use the way to disconnect the network of anti-virus, and if it is dozens of hundreds of computers, for the network administrator is undoubtedly a nightmare.
Introduction of Jiangmin Anti-Virus expert, as a stand-alone version does not have the network version of antivirus software unified anti-virus, unified monitoring, unified settings, unified upgrade, remote control, and other functions, so in dealing with the local area network virus on the existence of congenital defects, to deal with the network spread through the LAN virus, can only use the network version of anti-virus software for the
Panda Burning Incense Virus Special kill solution
First Patch: Download firefox,12 month new Firefox browser with Google Internet Tools has integrated the patch of Panda incense virus, if you are a computer expert should understand, for IE7 vulnerabilities, the latest Firefox has patched these patches. Without this patch, kill the virus will also have to install and run once after downloading, automatically install this virus patch. The official website clicks to the right of entry point to the immediate free download button download.
Step two: Download Super Patrol Panda burning incense virus special kill tools.
Download the latest Kill tools: Rising the latest panda burning incense kill tools
Click to download
Jiangmin latest Panda burning incense Kill tool
Click to download
Golden Hill new panda burning incense kill tools
Click to download
Panda Incense Virus November rapid spread, so far has been more than 10 variants. It can be seen that the scope of damage is wide!
After the files containing the virus are run, the virus copies itself to the system directory, modifies the registry to set itself to the power-on boot, and traverses each drive, writes itself to the disk root directory, and adds a Autorun.inf file, allowing the user to activate the virus body when opening the disk. The virus then opens a thread for local file infections, while another thread connects a Web site to download a DDoS program to launch a malicious attack.
Super Patrol Panda Burning incense Tools is the only one can kill all panda varieties of virus tools, to achieve detection and removal, repair infected with panda incense virus files, Panda incense unknown varieties have detection and processing capacity, can deal with all the current panda family and related varieties of incense.
Killer (Killeruid0.net)
Date:2006-11-20
First, virus description:
After the files containing the virus are run, the virus copies itself to the system directory, modifies the registry to set itself to the power-on boot, and traverses each drive, writes itself to the disk root directory, and adds a Autorun.inf file, allowing the user to activate the virus body when opening the disk. The virus then opens a thread for local file infections, while another thread connects a Web site to download a DDoS program to launch a malicious attack.
1, after the virus is executed, copies itself to the system directory:
%systemroot%\system32\fuckjacks.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Userinit "C:\WIN2K\system32\SVCH0ST.exe"
2. Add registry Startup items to ensure that they are loaded after the system reboot:
3, copy itself to all drive root directory, named Setup.exe, and generate a autorun.inf allows the user to open the disk to run the virus, and the two file properties are set to hidden, read-only, system.
C:\autorun.inf 1KB RHS
C:\setup.exe 230KB RHS
4, close a large number of anti-virus software and security tools.
5, the connection *****.3322.org download a file, and according to the file records address, go to www.****.com download a DDoS program, download successful implementation of the program.
6, refresh bbs.qq.com, a link to a QQ show.
7, looping through the disk directory, infected files, the key system files skipped, do not infect Windows Media Player, MSN, IE and other programs.
flooder.win32.floodbots.a.ex$:
1, after the virus is executed, copies itself to the system directory:
3, the connection ddos2.****.com, obtains the attack address list and the attack configuration, and according to the configuration file, carries on the corresponding attack.
The configuration file is as follows:
www.victim.net:3389
Www.victim.net:80
Www.victim.com:80
Www.victim.net:80
1
1
120
50000
"Panda Incense" FuckJacks.exe variant of the same as the previous variant of the use of white Panda incense icon, virus after running the copy itself to the system directory:
%system%\drivers\spoclsv.exe
To create a startup item:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Svcshare" = "%system%\drivers\spoclsv.exe"
Modify registry information to interfere with the "Show All Files and folders" setting:
Try to close the following window:
Qqkav
Qqav
VirusScan
Symantec AntiVirus
Duba
Windows
Esteem Procs
System Safety Monitor
Wrapped Gift Killer
Winsock Expert
Msctls_statusbar32
PJF (USTC)
IceSword
To end some of the enemy's processes:
Mcshield.exe
VsTskMgr.exe
NaPrdMgr.exe
UpdaterUI.exe
TBMon.exe
Scan32.exe
Ravmond.exe
CCenter.exe
RavTask.exe
Rav.exe
Ravmon.exe
RavmonD.exe
RavStub.exe
Kvxp.kxp
Kvmonxp.kxp
Kvcenter.kxp
KVSrvXP.exe
KRegEx.exe
UIHost.exe
Trojdie.kxp
FrogAgent.exe
Logo1_.exe
Logo_1.exe
Rundl132.exe
To disable a range of services:
Schedule
SharedAccess
Rsccenter
Rsravmon
Rsccenter
Rsravmon
Kvwsc
Kvsrvxp
Kavsvc
Avp
Mcafeeframework
McShield
Mctaskmanager
Navapsvc
Wscsvc
Kpfwsvc
Sndsrvc
Ccproxy
Ccevtmgr
Ccsetmgr
Spbbcsvc
Symantec Core LC
Npfmntor
Mskservice
Firesvc
To delete several security software startup item information:
Ravtask
Kvmonxp
Kav
KAVPersonal50
Mcafeeupdaterui
Network Associates Error Reporting Service
Shstatexe
YLive.exe
Yassistse
To remove an administrative share using the net SHARE command:
NET share x$/del/y
NET share admin$/del/y
NET share ipc$/del/y
Traverse directory to infect exe, COM, SCR, PIF files in other directories other than the following system directory:
X:\WINDOWS
X:\Winnt
X:\System Volume Information
X:\Recycled
%ProgramFiles%\Windows NT
%programfiles%\windowsupdate
%ProgramFiles%\Windows Media Player
%programfiles%\outlook Express
%ProgramFiles%\Internet Explorer
%programfiles%\netmeeting
%ProgramFiles%\Common Files
%programfiles%\complus applications
%programfiles%\messenger
%programfiles%\installshield Installation Information
%programfiles%\msn
%ProgramFiles%\Microsoft Frontpage
%programfiles%\movie Maker
%programfiles%\msn gamin Zone
Bind itself to the front end of the infected file and add tag information at the tail:
. whboy{the original filename}.exe. {Original file size}.
Unlike previous variants, this virus is 22886 bytes, but bundled in the file in front of only 22838 bytes, the infected file will run error, and will not like the previous variant to release {original filename}.exe original normal file.
Also found that the virus will overwrite a small number of EXE, delete. gho files.
The virus also attempts to access other computers in the local area network using a weak password:
Password
Harley
Golf
Pussy
Mustang
Shadow
Fish
Qwerty
Baseball
Letmein
Ccc
Admin
Abc
Pass
passwd
Database
Abcd
abc123
Sybase
123qwe
Server
Computer
Super
123asd
Ihavenopass
Godblessyou
Enable
Alpha
1234qwer
123abc
Aaa
Patrick
Pat
Administrator
Root
Sex
God
Foobar
Secret
Test
Test123
Temp
Temp123
Win
Asdf
Pwd
Qwer
Yxcv
Zxcv
Home
Xxx
Owner
Login
Login
Love
MyPC
Mypc123
Admin123
Mypass
Mypass123
Administrator
Guest
Admin
Root
Cleanup steps
==========
1. Disconnect the network
2. End the virus process
%system%\drivers\spoclsv.exe
4. Right click on the partition letter, click on the right menu "open" into the partition root directory, delete the root directory files:
X:\setup.exe
X:\autorun.inf
6. Modify registry settings and restore the "Show All Files and folders" option:
[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\
Advanced\folder\hidden\showall]
"CheckedValue" =dword:00000001
7. Repair or reinstall anti-virus software
8. Use anti-virus software or kill tool to conduct a comprehensive scan, to remove the recovery of infected EXE files
Iv. Solutions:
1, the use of Super Patrol can completely remove the virus and recover infected files.
2, recommended in the clearance of the first use of Super Patrol process management tool to end the virus program, otherwise the system response is very slow.
3. Abort the virus process and delete the startup item
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.