A new virus called Panda Burning Incense has recently appeared and is quite harmful: after infection, the icon of every EXE executable file changes to a panda holding burning incense sticks. If your computer shows this symptom, read the following article carefully:
I. Virus description:
Once a file carrying the virus is run, the virus copies itself to the system directory, modifies the registry so that it starts at boot, and traverses every drive, writing itself to each disk's root directory together with an Autorun.inf file so that the virus body is activated as soon as the user opens the disk. The virus then starts one thread that infects local files, while another thread connects to a website to download a DDoS program used to launch attacks.
II. Basic information about the virus:
[File information]
Virus name: virus.win32.evilpanda.a.ex$
Size: 0xda00 (55808) bytes; on disk: 0xda00 (55808) bytes
SHA1: f0c3da82e1620701ad2f0c8b531eebea0e8af69d
Packer: unknown
Hazard level: High
Virus name: flooder.win32.floodbots.a.ex$
Size: 0xe800 (59392) bytes; on disk: 0xe800 (59392) bytes
SHA1: b71a7ef22a36dbe27e3830888dafc3b2a7d5da0d
Packer: UPX 0.89.6-1.02/1.05-1.24
Hazard level: High
III. Virus behavior:
virus.win32.evilpanda.a.ex$:
1. After execution, the virus copies itself to the system directory:
%systemroot%\system32\fuckjacks.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run  Userinit = "C:\win2k\system32\svch0st.exe"
2. Adds registry startup items so that it is loaded again after the system reboots:
Key path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value name: Fuckjacks
Value data: "C:\windows\system32\fuckjacks.exe"
Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Value name: Svohost
Value data: "C:\windows\system32\fuckjacks.exe"
3. Copies itself to the root directory of every drive as setup.exe and generates an autorun.inf so that opening the drive runs the virus; both files have the hidden, read-only and system attributes set:
C:\autorun.inf 1KB RHS
C:\setup.exe 230KB RHS
4. Terminates a large number of antivirus programs and security tools.
5. Connects to *****.3322.org to download a file, then downloads a DDoS program from the address recorded in that file and runs it once the download succeeds.
6. Refreshes bbs.qq.com and a link to a QQ Show page.
7. Loops through the directories on disk infecting files, skipping key system files; it does not infect programs such as Windows Media Player, MSN and IE.
flooder.win32.floodbots.a.ex$:
1. After execution, the virus copies itself to the system directory:
%systemroot%\svch0st.exe
%systemroot%\system32\svch0st.exe
2. After it has been downloaded and run, it adds a registry startup item so that it is loaded again after the system reboots:
Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Value name: Userinit
Value data: "C:\windows\system32\svch0st.exe"
3. Tries to close windows whose titles match the following:
Qqkav
Qqav
Skynet Firewall process
VirusScan
NET Dart Antivirus
Poison PA
Rising
Jiangmin
Huangshan IE
Super Bunny
Master of Optimization
Mumak Star
Trojan Sweeper
Trojan Scavenger
QQ Virus Registry Editor
System Configuration Utility
Kaspersky Anti-virus
Symantec AntiVirus
Duba
Windows Task Manager
Esteem Procs
Green Eagle PC
Password anti-theft
Phage
Trojan Helper Finder
System Safety Monitor
Wrapped Gift Killer
Winsock Expert
Game Trojan Detection Master
Little Shen Q Theft killer
PJF (USTC)
IceSword
4. Tries to terminate the following processes:
Mcshield.exe
VsTskMgr.exe
NaPrdMgr.exe
UpdaterUI.exe
TBMon.exe
Scan32.exe
Ravmond.exe
CCenter.exe
RavTask.exe
Rav.exe
Ravmon.exe
RavmonD.exe
RavStub.exe
Kvxp.kxp
Kvmonxp.kxp
Kvcenter.kxp
KVSrvXP.exe
KRegEx.exe
UIHost.exe
Trojdie.kxp
FrogAgent.exe
Logo1_.exe
Logo_1.exe
Rundl132.exe
Deletes the following startup items:
Software\Microsoft\Windows\CurrentVersion\Run\ravtask
Software\Microsoft\Windows\CurrentVersion\Run\kvmonxp
Software\Microsoft\Windows\CurrentVersion\Run\kav
Software\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
Software\Microsoft\Windows\CurrentVersion\Run\mcafeeupdaterui
Software\Microsoft\Windows\CurrentVersion\Run\Network Associates Error Reporting Service
Software\Microsoft\Windows\CurrentVersion\Run\shstatexe
Software\Microsoft\Windows\CurrentVersion\Run\YLive.exe
Software\Microsoft\Windows\CurrentVersion\Run\yassistse
Disables the following services (note that Schedule, SharedAccess and Wscsvc are Windows' own Task Scheduler, Firewall/Internet Connection Sharing and Security Center services, so the system's built-in protection goes down together with the third-party products):
Kavsvc
Avp
Mcafeeframework
McShield
Mctaskmanager
Navapsvc
Kvwsc
Kvsrvxp
Schedule
SharedAccess
Rsccenter
Rsravmon
Wscsvc
Kpfwsvc
Sndsrvc
Ccproxy
Ccevtmgr
Ccsetmgr
Spbbcsvc
Symantec Core LC
Npfmntor
Mskservice
Firesvc
Searches every directory except the following for .exe/.scr/.pif/.com files, infects them and marks the infected files:
Windows
Winnt
System Volume Information
Recycled
Windows NT
Windows Update
Windows Media Player
Outlook Express
Internet Explorer
NetMeeting
Common Files
ComPlus
Applications
Messenger
InstallShield Installation Information
Msn
Microsoft Frontpage
Movie Maker
MSN Gaming Zone
Deletes .gho files (Norton Ghost backup images).
Adds itself to the following startup locations:
Documents and Settings\All Users\Start Menu\Programs\Startup
Documents and Settings\All Users\「Start」Menu\Programs\Startup (the Chinese-localized form of the same path)
Windows\Start Menu\Programs\Startup
Winnt\Profiles\All Users\Start Menu\Programs\Startup
Monitors and records QQ activity and LAN file access in C:\test.txt, and tries to send messages through QQ.
Tries to reach LAN shares with the following passwords in order to copy over the infected file (GameSetup.exe):
1234
Password
......
Admin
Root
Generated on the root of every drive and on removable storage:
X:\setup.exe
X:\autorun.inf, containing:
[AutoRun]
Open=setup.exe
shellexecute=setup.exe
shell\Auto\command=setup.exe
Removes the hidden administrative shares:
cmd.exe /c net share $ /del /y
cmd.exe /c net share admin$ /del /y
cmd.exe /c net share ipc$ /del /y
Creates a startup item:
Software\Microsoft\Windows\CurrentVersion\Run
svcshare = points to %system32%\drivers\spoclsv.exe
Disables the "show hidden files and folders" option by changing:
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue (restoring this value to a REG_DWORD of 1 under HKEY_LOCAL_MACHINE re-enables the option)
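An added offline triage script (example code, not part of the original analysis) that checks two of the persistence indicators described above: it parses autorun.inf text for launch entries in the shape shown and scans a `reg query ...\Run` style dump for the Run value names and drop-file names this analysis lists. The sample autorun.inf and registry dump are constructed; the benign ctfmon entry is included as a control.

```python
import re

# Run-key value names listed above (Fuckjacks, Svohost, Userinit, svcshare); a real Userinit lives under Winlogon, not Run.
SUSPECT_RUN_NAMES = {"fuckjacks", "svohost", "userinit", "svcshare"}
# Drop-file basenames listed above (svch0st.exe mimics svchost.exe with a zero).
SUSPECT_IMAGES = {"fuckjacks.exe", "svch0st.exe", "spoclsv.exe"}

def autorun_launch_targets(inf_text):
    """Executables an autorun.inf launches via open=, shellexecute= or shell\\<verb>\\command= (case-insensitive)."""
    targets, in_autorun = set(), False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.add(value.strip().strip('"').lower())
    return targets

# One value line of `reg query HKLM\...\Run` output: <name> REG_SZ <data>
RUN_LINE = re.compile(r"^\s*(?P<name>\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.*\S)\s*$")

def suspicious_run_entries(reg_query_text):
    """Flag Run values whose name or image basename matches the indicators; returns (name, data, reason) tuples."""
    hits = []
    for line in reg_query_text.splitlines():
        m = RUN_LINE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data").strip('"')
        image = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()  # assumes data is a bare path
        if name.lower() in SUSPECT_RUN_NAMES:
            hits.append((name, data, "value name"))
        elif image in SUSPECT_IMAGES:
            hits.append((name, data, "image path"))
    return hits

# Constructed samples shaped like the autorun.inf above and a `reg query` dump (ctfmon is a benign control).
SAMPLE_AUTORUN = "[AutoRun]\nOpen=setup.exe\nshellexecute=setup.exe\nshell\\Auto\\command=setup.exe\n"
SAMPLE_REG = """HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    ctfmon    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
    Svohost    REG_SZ    C:\\windows\\system32\\fuckjacks.exe
    Userinit    REG_SZ    C:\\windows\\system32\\svch0st.exe"""
if __name__ == "__main__":
    print(autorun_launch_targets(SAMPLE_AUTORUN), suspicious_run_entries(SAMPLE_REG))
```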