Panda Burning Incense Icon Virus in Detail

Source: Internet
Author: User

A new virus named Panda Burning Incense (熊猫烧香) has recently appeared and does considerable damage: after infection, the icon of every EXE executable is replaced by a panda holding burning incense sticks. If your computer shows this symptom, read the following article carefully:

First, virus description:

When a file carrying the virus is run, the virus copies itself to the system directory, modifies the registry so that it starts at boot, and walks every drive, writing itself to each drive's root directory together with an Autorun.inf file so that the virus body is launched when the user opens the drive. The virus then starts one thread that infects local files, while another thread connects to a web site to download a DDoS program and launch attacks.

Second, the basic situation of the virus:

[File Information]

Virus Name: virus.win32.evilpanda.a.ex$

Size: 0xda00 (55808) bytes; on disk: 0xda00 (55808) bytes

SHA-1: f0c3da82e1620701ad2f0c8b531eebea0e8af69d

Packer: unknown

Hazard Level: High

Virus Name: flooder.win32.floodbots.a.ex$

Size: 0xe800 (59392) bytes; on disk: 0xe800 (59392) bytes

SHA-1: b71a7ef22a36dbe27e3830888dafc3b2a7d5da0d

Packer: UPX 0.89.6-1.02/1.05-1.24

Hazard Level: High

Third, the virus behavior:

virus.win32.evilpanda.a.ex$:

1. After the virus is executed, it copies itself to the system directory:

%systemroot%\system32\fuckjacks.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Userinit = "C:\win2k\system32\svch0st.exe"

2. Adds registry startup entries so that it is loaded again after the system reboots:

Key path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Key name: Fuckjacks

Key value: "C:\windows\system32\fuckjacks.exe"

Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Key name: Svohost

Key value: "C:\windows\system32\fuckjacks.exe"

3. Copies itself to the root directory of every drive as Setup.exe and generates an autorun.inf so that the virus runs when the user opens the drive. Both files have their attributes set to hidden, read-only and system (RHS):

C:\autorun.inf 1KB RHS

C:\setup.exe 230KB RHS

4. Terminates a large number of anti-virus products and security tools.

5. Connects to *****.3322.org to download a file and, using the address recorded in that file, downloads a DDoS program; if the download succeeds, the program is executed.

6. Repeatedly refreshes bbs.qq.com and a link to a QQ Show page.

7. Walks the directories on each disk infecting files, skipping key system files; it does not infect Windows Media Player, MSN, IE and similar programs.

flooder.win32.floodbots.a.ex$:

1. After the virus is executed, it copies itself to the system directory:

%systemroot%\svch0st.exe

%systemroot%\system32\svch0st.exe

2. After it has been downloaded and run, it adds a registry startup entry so that it is loaded again after the system reboots:

Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Key name: Userinit

Key value: "C:\windows\system32\svch0st.exe"

3. Attempts to close the windows of the following programs:

Qqkav

Qqav

Skynet Firewall process

VirusScan

NET Dart Antivirus

Poison PA

Rising

Jiangmin

Huangshan IE

Super Bunny

Master of Optimization

Mumak Star

Trojan Sweeper

Trojan Scavenger

QQ Virus Registry Editor

System Configuration Utility

Kaspersky Anti-virus

Symantec AntiVirus

Duba

Windows Task Manager

Esteem Procs

Green Eagle PC

Password anti-theft

Phage

Trojan Helper Finder

System Safety Monitor

Wrapped Gift Killer

Winsock Expert

Game Trojan Detection Master

Little Shen Q Theft killer

PJF (USTC)

IceSword

4. Attempts to terminate the following processes:

Mcshield.exe

VsTskMgr.exe

NaPrdMgr.exe

UpdaterUI.exe

TBMon.exe

Scan32.exe

Ravmond.exe

CCenter.exe

RavTask.exe

Rav.exe

Ravmon.exe

RavmonD.exe

RavStub.exe

Kvxp.kxp

Kvmonxp.kxp

Kvcenter.kxp

KVSrvXP.exe

KRegEx.exe

UIHost.exe

Trojdie.kxp

FrogAgent.exe

Logo1_.exe

Logo_1.exe

Rundl132.exe

Deletes the following startup entries:

Software\Microsoft\Windows\CurrentVersion\Run\RavTask

Software\Microsoft\Windows\CurrentVersion\Run\KvMonXP

Software\Microsoft\Windows\CurrentVersion\Run\KAV

Software\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50

Software\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI

Software\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service

Software\Microsoft\Windows\CurrentVersion\Run\ShStatEXE

Software\Microsoft\Windows\CurrentVersion\Run\YLive.exe

Software\Microsoft\Windows\CurrentVersion\Run\yassistse

Disables the following services:

Kavsvc

Avp

McAfeeFramework

McShield

McTaskManager

Navapsvc

Kvwsc

Kvsrvxp

Schedule (Windows Task Scheduler)

SharedAccess (Windows Firewall / Internet Connection Sharing)

Rsccenter

Rsravmon

Wscsvc (Windows Security Center)

Kpfwsvc

Sndsrvc

Ccproxy

Ccevtmgr

Ccsetmgr

Spbbcsvc

Symantec Core LC

Npfmntor

Mskservice

Firesvc

Searches for and infects all .exe/.scr/.pif/.com files, marking each infected file, except in the following directories:

Windows

Winnt

System Volume Information

Recycled

Windows NT

Windows Update

Windows Media Player

Outlook Express

Internet Explorer

NetMeeting

Common Files

ComPlus

Applications

Messenger

InstallShield Installation Information

Msn

Microsoft Frontpage

Movie Maker

MSN Gaming Zone

Deletes .gho files (Ghost backup images), so the system cannot simply be restored from a backup.

Adds itself to the following startup locations:

\Documents and Settings\All Users\Start Menu\Programs\Startup

\Documents and Settings\All Users\「开始」菜单\程序\启动 (the Chinese-localized form of the same Startup folder)

\Windows\Start Menu\Programs\Startup

\Winnt\Profiles\All Users\Start Menu\Programs\Startup

Monitors and records QQ activity and LAN file access in C:\test.txt, and attempts to spread through QQ messages.

Attempts to access machines on the LAN with the following passwords and drop an infected file (GameSetup.exe):

1234

Password

......

Admin

Root

Creates the following on the root of every drive and every removable storage device:

X:\setup.exe

X:\autorun.inf

Contents of autorun.inf:

[AutoRun]

Open=setup.exe

Shellexecute=setup.exe

Shell\Auto\command=setup.exe
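The autorun.inf above uses all three launch vectors (open, shellexecute and a shell\verb\command entry). The following added example, which is not code from the original page or from the virus, triages a drive root or a mounted image of one: it parses autorun.inf the way Windows reads it (case-insensitive keys), hashes every file the autorun.inf would launch, compares the SHA-1 against the two hashes listed in the file-information section, and reports hidden/system attributes. The helper names (autorun_targets, triage_root, make_sample_root) are my own, and the drive root is constructed in a temporary directory with a placeholder setup.exe, so nothing here touches a real sample.

```python
"""Triage a drive root for the Setup.exe + autorun.inf propagation described
above.  Added example: not the page's or the virus's code.  The drive root is
built in a temp directory with a placeholder setup.exe (constructed data)."""
import configparser
import hashlib
import os
import stat
import tempfile

# SHA-1s given in the file-information section of the write-up
KNOWN_SHA1 = {
    "f0c3da82e1620701ad2f0c8b531eebea0e8af69d": "virus.win32.evilpanda.a",
    "b71a7ef22a36dbe27e3830888dafc3b2a7d5da0d": "flooder.win32.floodbots.a",
}

# autorun.inf exactly as listed above (constructed copy for the demo)
SAMPLE_AUTORUN = ("[AutoRun]\nOpen=setup.exe\nShellexecute=setup.exe\n"
                  "Shell\\Auto\\command=setup.exe\n")

# FILE_ATTRIBUTE_HIDDEN / FILE_ATTRIBUTE_SYSTEM; fallback values are the
# documented Win32 constants in case the stat module lacks them
HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
SYSTEM = getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4)


def autorun_targets(inf_text):
    """Return the lower-cased file names an autorun.inf would launch: the
    open= and shellexecute= entries plus any shell\\<verb>\\command= entry
    (the last form adds a context-menu verb for the drive).  Keys in an INF
    are case-insensitive, which configparser's default optionxform gives us."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    targets = set()
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, val in cp.items(section):
            key = key.lower()
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if key in ("open", "shellexecute") or is_verb:
                parts = val.strip().split()
                if parts:
                    targets.add(parts[0].strip('"').lower())
    return targets


def file_attrs(path):
    """'H' and/or 'S' if the file carries hidden/system attributes.  Only
    Windows exposes st_file_attributes, so this returns '' elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    flags = ""
    if attrs & HIDDEN:
        flags += "H"
    if attrs & SYSTEM:
        flags += "S"
    return flags


def triage_root(root):
    """Parse <root>/autorun.inf, hash each file it launches, look the hash up
    in KNOWN_SHA1 and record the attribute flags.  A referenced file that is
    missing is reported as None so the gap is visible."""
    report = {"autorun_targets": set(), "launched": {}}
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return report
    with open(inf, encoding="utf-8", errors="replace") as f:
        report["autorun_targets"] = autorun_targets(f.read())
    for name in sorted(report["autorun_targets"]):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            report["launched"][name] = None
            continue
        with open(path, "rb") as f:
            digest = hashlib.sha1(f.read()).hexdigest()
        report["launched"][name] = {
            "sha1": digest,
            "known_as": KNOWN_SHA1.get(digest),
            "attrs": file_attrs(path),
        }
    return report


def make_sample_root():
    """Constructed drive root: the autorun.inf above plus a placeholder
    setup.exe (a few bytes, not the real sample) so the triage runs offline."""
    root = tempfile.mkdtemp(prefix="panda_root_")
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "setup.exe"), "wb") as f:
        f.write(b"MZ placeholder - not the real sample\n")
    return root


if __name__ == "__main__":
    print(triage_root(make_sample_root()))
```

On a real machine, point triage_root at a drive letter (for example "E:\\") or at the mount point of a forensic image; the placeholder file will of course not match either known hash, so on the constructed root "known_as" is None and only a real sample yields a name.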

Removes the hidden administrative shares:

cmd.exe /c net share $ /del /y

cmd.exe /c net share admin$ /del /y

cmd.exe /c net share ipc$ /del /y

Creates a startup entry:

Software\Microsoft\Windows\CurrentVersion\Run

svcshare = %system32%\drivers\spoclsv.exe

Disables the "Show hidden files and folders" option by tampering with:

Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

CheckedValue

With CheckedValue set to 0 the option can no longer be selected in Folder Options, so the hidden/system files the virus drops stay invisible in Explorer.
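The persistence entries listed in this write-up (the Fuckjacks, Svohost and Userinit Run values, the svcshare entry and the SHOWALL\CheckedValue tampering) are easy to check for in a registry export. The following added example, not code from the original page or from the virus, parses the text of a .reg export and flags those entries. The .reg text at the bottom is a constructed sample containing the values from this page next to one benign entry, and the function names (parse_reg, scan_reg, exe_name) are my own.

```python
"""Scan a Windows registry export (.reg text) for the Run-key persistence and
the SHOWALL\\CheckedValue tampering described in the write-up.  Added example,
not from the original page; SAMPLE_REG below is constructed, not a real export."""
import re

# Run value name -> file name that the write-up lists for that value
PANDA_RUN_VALUES = {
    "fuckjacks": "fuckjacks.exe",
    "svohost": "fuckjacks.exe",
    "userinit": "svch0st.exe",    # floodbots; note the digit zero in svch0st
    "svcshare": "spoclsv.exe",
}
PANDA_EXES = set(PANDA_RUN_VALUES.values())

RUN_KEY_RE = re.compile(
    r"^HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run$", re.I)
SHOWALL_SUFFIX = (r"\software\microsoft\windows\currentversion\explorer"
                  r"\advanced\folder\hidden\showall")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Yield (key, value_name, raw_data) for every value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is not None and m:
            yield key, m.group(1), m.group(2)


def unquote(raw):
    """Turn a REG_SZ literal (quoted, backslashes doubled) into a plain string."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def exe_name(command):
    """Lower-cased file name of the program a Run value launches."""
    path = command.split(" /")[0]      # drop simple switches such as ' /background'
    return path.strip('"').split("\\")[-1].lower()


def scan_reg(text):
    """Return [(key, value_name, data, reason)] for entries matching the IOCs."""
    findings = []
    for key, name, raw in parse_reg(text):
        if RUN_KEY_RE.match(key):
            cmd = unquote(raw)
            exe = exe_name(cmd)
            if PANDA_RUN_VALUES.get(name.lower()) == exe:
                findings.append((key, name, cmd, "Run value listed in the write-up"))
            elif exe in PANDA_EXES:
                findings.append((key, name, cmd, "known file name under another value"))
        elif key.lower().endswith(SHOWALL_SUFFIX) and name.lower() == "checkedvalue":
            # CheckedValue=0 makes 'Show hidden files and folders' unselectable
            if raw.strip().lower() == "dword:00000000":
                findings.append((key, name, raw, "hidden-file display disabled"))
    return findings


# Constructed sample export (not real data): the Run values from the write-up
# beside one benign entry, plus the SHOWALL tampering.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Fuckjacks"="C:\\windows\\system32\\fuckjacks.exe"
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Svohost"="C:\\windows\\system32\\fuckjacks.exe"
"Userinit"="C:\\windows\\system32\\svch0st.exe"
"svcshare"="C:\\windows\\system32\\drivers\\spoclsv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
'''

if __name__ == "__main__":
    for finding in scan_reg(SAMPLE_REG):
        print(" | ".join(str(x) for x in finding))
```

On a live host the input is produced with reg export (for example "reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg"); reg export writes UTF-16, so open the file with encoding="utf-16" before passing its text to scan_reg. Note that a value named Userinit is legitimate under the Winlogon key but has no business under Run, which is why the check is keyed on the Run path rather than on the name alone.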
