Panda Burning Incense virus: principles, removal methods and solutions (with the latest kill tool download)

Panda Burning Incense Virus Special Kill V1.6, official edition:
The tool detects and removes the virus, repairs files infected by Panda Burning Incense, and can also detect and handle unknown variants, covering every currently known member of the Panda Burning Incense family and its related variants. The download address is below.
In testing it proved easy to use; the package above contains two dedicated kill tools that can be used alternately for a better result.
The Super Patrol Panda Burning Incense tool is the only tool that can kill all Panda variants: it detects and removes the virus, repairs infected files, can detect and handle unknown variants, and covers every currently known member of the Panda Burning Incense family and its related variants.
Killer (Killer<2>uid0.net)
Date:2006-11-20


First, virus description:

After a file containing the virus is run, the virus copies itself to the system directory, modifies the registry so that it starts at power-on, and traverses every drive, writing itself to each disk root directory and adding an Autorun.inf file so that the user activates the virus body simply by opening the disk. The virus then starts one thread to infect local files, while another thread connects to a web site to download a DDoS program and launch malicious attacks.

Second, the basic situation of the virus:

[File Information]

Virus name: virus.win32.evilpanda.a.ex$
Size: 0xda00 (55808), (on disk) 0xda00 (55808)
SHA1: f0c3da82e1620701ad2f0c8b531eebea0e8af69d
Packer information: Unknown
Hazard level: High

Virus name: flooder.win32.floodbots.a.ex$
Size: 0xe800 (59392), (on disk) 0xe800 (59392)
SHA1: b71a7ef22a36dbe27e3830888dafc3b2a7d5da0d
Packer information: UPX 0.89.6-1.02/1.05-1.24
Hazard level: High

Third, the virus behavior:

virus.win32.evilpanda.a.ex$:

1. After execution, the virus copies itself to the system directory:

%systemroot%\system32\fuckjacks.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Userinit "C:\WIN2K\system32\SVCH0ST.exe"

2. Adds registry startup entries so that it is loaded again after the system reboots:

Key path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Key Name: Fuckjacks
Key value: "C:\WINDOWS\system32\FuckJacks.exe"

Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Key Name: Svohost
Key value: "C:\WINDOWS\system32\FuckJacks.exe"

3. Copies itself to the root directory of every drive as setup.exe and generates an autorun.inf so that the virus runs when the user opens the drive; both files have their attributes set to hidden, read-only and system.

C:\autorun.inf 1KB RHS
C:\setup.exe 230KB RHS

4. Terminates a large number of anti-virus programs and security tools.
5. Connects to *****.3322.org to download a file, then, according to the address recorded in that file, downloads a DDoS program from www.****.com and runs it once the download succeeds.
6. Refreshes bbs.qq.com and a QQ Show link.
7. Loops through the disk directories infecting files, skipping key system files; it does not infect Windows Media Player, MSN, IE and similar programs.

flooder.win32.floodbots.a.ex$:

1. After execution, the virus copies itself to the system directory:

%systemroot%\svch0st.exe
%systemroot%\system32\svch0st.exe

2. After it has been downloaded and run, adds a registry startup entry so that it is loaded again after the system reboots:

Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Key Name: Userinit
Key value: "C:\WINDOWS\system32\SVCH0ST.exe"

3. Connects to ddos2.****.com, obtains the list of attack addresses and the attack configuration, and carries out the corresponding attack according to that configuration file.

The configuration file is as follows:
www.victim.net:3389
Www.victim.net:80
Www.victim.com:80
Www.victim.net:80
1
1
120
50000
The FuckJacks.exe variant of "Panda Burning Incense", like the previous variant, uses the white panda-with-incense icon. After running, the virus copies itself to the system directory:
%system%\drivers\spoclsv.exe

It creates a startup item:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Svcshare" = "%system%\drivers\spoclsv.exe"


It modifies the registry to interfere with the "Show all files and folders" setting:

[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall]
"CheckedValue" =dword:00000000


It generates copies in the root directory of each partition:
X:\setup.exe
X:\autorun.inf

Autorun.inf content:
[AutoRun]
Open=setup.exe
Shellexecute=setup.exe
Shell\auto\command=setup.exe


It attempts to close windows with the following titles:
Qqkav
Qqav
VirusScan
Symantec AntiVirus
Duba
Windows
Esteem Procs
System Safety Monitor
Wrapped Gift Killer
Winsock Expert
Msctls_statusbar32
PJF (USTC)
IceSword

It ends the processes of security products it regards as hostile:
Mcshield.exe
VsTskMgr.exe
NaPrdMgr.exe
UpdaterUI.exe
TBMon.exe
Scan32.exe
Ravmond.exe
CCenter.exe
RavTask.exe
Rav.exe
Ravmon.exe
RavmonD.exe
RavStub.exe
Kvxp.kxp
Kvmonxp.kxp
Kvcenter.kxp
KVSrvXP.exe
KRegEx.exe
UIHost.exe
Trojdie.kxp
FrogAgent.exe
Logo1_.exe
Logo_1.exe
Rundl132.exe

It disables a range of services:
Schedule
SharedAccess
Rsccenter
Rsravmon
Rsccenter
Rsravmon
Kvwsc
Kvsrvxp
Kavsvc
Avp
Mcafeeframework
McShield
Mctaskmanager
Navapsvc
Wscsvc
Kpfwsvc
Sndsrvc
Ccproxy
Ccevtmgr
Ccsetmgr
Spbbcsvc
Symantec Core LC
Npfmntor
Mskservice
Firesvc

It deletes the startup entries of several security products:
Ravtask
Kvmonxp
Kav
KAVPersonal50
Mcafeeupdaterui
Network Associates Error Reporting Service
Shstatexe
YLive.exe
Yassistse

It removes administrative shares using the NET SHARE command:
net share X$ /del /y
net share admin$ /del /y
net share ipc$ /del /y


It traverses directories to infect EXE, COM, SCR and PIF files, except in the following system directories:
X:\WINDOWS
X:\Winnt
X:\System Volume Information
X:\Recycled
%ProgramFiles%\Windows NT
%programfiles%\windowsupdate
%ProgramFiles%\Windows Media Player
%programfiles%\outlook Express
%ProgramFiles%\Internet Explorer
%programfiles%\netmeeting
%ProgramFiles%\Common Files
%programfiles%\complus applications
%programfiles%\messenger
%programfiles%\installshield Installation Information
%programfiles%\msn
%ProgramFiles%\Microsoft Frontpage
%programfiles%\movie Maker
%programfiles%\msn gaming Zone

It prepends itself to the infected file and appends a tag to the tail:
.whboy{original filename}.exe.{original file size}.


Unlike previous variants, this virus body is 22886 bytes, but only 22838 bytes are bundled at the front of the infected file, so the infected file fails with an error when run and, unlike the previous variant, does not release the original {original filename}.exe.
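The tail tag described above is what a repair tool has to parse to restore the host program. As an added example (not the kill tool's code or the original analysis), the following Python parses the tag and recovers the original file by working backwards from the tail, so it does not depend on how many virus bytes were prepended; the marker casing and the sample data are assumptions.

```python
import re

# Layout of an infected file as the analysis describes it:
#   [prepended virus body][original host file][".whboy" + name + ".exe." + size + "."]
# Marker casing is an assumption, so it is matched case-insensitively.
TAIL_RE = re.compile(rb"\.whboy(?P<name>.+?)\.exe\.(?P<size>\d+)\.", re.IGNORECASE | re.DOTALL)

def parse_tail(data: bytes):
    """Return (original_name, original_size, tail_length), or None if no whboy marker ends the file."""
    start = data.lower().rfind(b".whboy")
    if start < 0:
        return None
    m = TAIL_RE.fullmatch(data, start)
    if not m:
        return None
    return m.group("name").decode("latin-1"), int(m.group("size")), len(data) - start

def recover_host(data: bytes):
    """Split an infected image into (virus_body, original_name, original_bytes).

    Works backwards from the tail marker, so it does not depend on how many virus
    bytes were prepended (the analysis notes one variant bundles 22838 of its 22886).
    Raises ValueError if the marker is missing or the recorded size is inconsistent."""
    parsed = parse_tail(data)
    if parsed is None:
        raise ValueError("no whboy tail marker; file is not infected in this way")
    name, size, tail_len = parsed
    body_len = len(data) - tail_len - size
    if body_len <= 0:
        raise ValueError("recorded original size is larger than the data in front of the marker")
    return data[:body_len], name, data[body_len:body_len + size]

def build_sample() -> bytes:
    """Constructed infected image for demonstration; the body is filler, not a real virus."""
    virus_body = b"\x90" * 128
    host = b"MZ" + bytes(range(62))                # 64-byte stand-in for the original program
    tail = b".WhBoynotepad.exe.exe." + str(len(host)).encode() + b"."
    return virus_body + host + tail

if __name__ == "__main__":
    body, name, host = recover_host(build_sample())
    print(f"stripped {len(body)} virus bytes, recovered {name} ({len(host)} bytes)")
```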

The virus has also been found to overwrite a small number of EXE files and to delete .gho files.

The virus also attempts to access other computers on the local network using weak passwords:
Password
Harley
Golf
Pussy
Mustang
Shadow
Fish
Qwerty
Baseball
Letmein
Ccc
Admin
Abc
Pass
passwd
Database
Abcd
abc123
Sybase
123qwe
Server
Computer
Super
123asd
Ihavenopass
Godblessyou
Enable
Alpha
1234qwer
123abc
Aaa
Patrick
Pat
Administrator
Root
Sex
God
Foobar
Secret
Test
Test123
Temp
Temp123
Win
Asdf
Pwd
Qwer
Yxcv
Zxcv
Home
Xxx
Owner
Login
Login
Love
MyPC
Mypc123
Admin123
Mypass
Mypass123
Administrator
Guest
Admin
Root
Cleanup steps
==========

1. Disconnect the network

2. End the virus process
%system%\drivers\spoclsv.exe

3. Delete virus files:
%system%\drivers\spoclsv.exe

4. Right-click the partition letter, choose "Open" from the context menu to enter the partition root directory, and delete the files:
X:\setup.exe
X:\autorun.inf

5. Remove the startup entry created by the virus:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Svcshare" = "%system%\drivers\spoclsv.exe"

6. Modify registry settings and restore the "Show All Files and folders" option:
[Hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall]
"CheckedValue" =dword:00000001

7. Repair or reinstall the anti-virus software
8. Run a full scan with the anti-virus software or the kill tool to remove the virus and restore infected EXE files
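Steps 4 to 6 can be verified without the GUI by inspecting the artefacts the analysis lists. As an added example (not from the original analysis or any vendor tool), this Python checks a saved autorun.inf and a registry export (regedit /e) for the Run entries and the zeroed ShowAll CheckedValue described above; the sample inputs are constructed to mirror the analysis, and the dropper names are those it names.

```python
import configparser
import re

# Dropper file names named in the analysis above; the check is on the file name only.
DROPPER_NAMES = {"spoclsv.exe", "fuckjacks.exe", "svch0st.exe"}
SHOWALL_KEY = r"\currentversion\explorer\advanced\folder\hidden\showall"

def check_autorun(text: str) -> list:
    """Flag [AutoRun] keys that launch setup.exe, as the autorun.inf written by the virus does."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    findings = []
    if cp.has_section("AutoRun"):
        for key, value in cp.items("AutoRun"):
            if value.strip().lower().endswith("setup.exe"):
                findings.append(f"autorun.inf: {key}={value}")
    return findings

def check_reg_export(text: str) -> list:
    """Scan a .reg export for Run entries pointing at a dropper name and for the
    ShowAll CheckedValue the virus zeroes to keep its hidden files out of sight."""
    findings = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()          # current key path
            continue
        m = re.match(r'"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$', line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value").strip().strip('"')
        file_name = value.lower().rsplit("\\", 1)[-1]
        if section.endswith(r"\currentversion\run") and file_name in DROPPER_NAMES:
            findings.append(f"Run entry {name} -> {value}")
        if section.endswith(SHOWALL_KEY) and name.lower() == "checkedvalue" and value.lower() == "dword:00000000":
            findings.append("ShowAll CheckedValue is 0: hidden files and folders are suppressed")
    return findings

# Constructed sample inputs mirroring the artefacts listed in the analysis (not captured data).
SAMPLE_AUTORUN = "[AutoRun]\nOpen=setup.exe\nShellexecute=setup.exe\nShell\\auto\\command=setup.exe\n"
SAMPLE_REG = (
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"Svcshare"="%system%\\drivers\\spoclsv.exe"\n'
    '"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"\n'
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL]\n"
    '"CheckedValue"=dword:00000000\n'
)

if __name__ == "__main__":
    for finding in check_autorun(SAMPLE_AUTORUN) + check_reg_export(SAMPLE_REG):
        print(finding)
```

A clean system produces no findings for either check; the legitimate ctfmon.exe entry in the sample is deliberately left unflagged.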
Fourth, solutions:

1. Super Patrol can completely remove the virus and recover infected files.
2. Before cleaning up, it is recommended to first use the Super Patrol process management tool to end the virus program, otherwise the system responds very slowly.
3. For stopping the virus process and deleting its startup items, see the relevant screenshots on the forum.
