Pandatv virus, pandatv virus exclusive, latest variant removal, recommended method

Source: Internet
Author: User
Tags: microsoft frontpage

Recently, Jiangmin Technology issued an emergency virus alert: a virus that disguises itself with a "pandatv" (panda) icon is spreading, and dozens of enterprises have suffered heavy losses on their local networks. Companies in several regions have reported to the anti-virus emergency center that they are under attack by an unknown virus: every executable (.EXE) file on their computers has been replaced with a strange icon showing the "pandatv incense" pattern.



Symptoms of infection include system blue screens, frequent restarts and damage to hard disk data. All computers on the company's LAN were infected and its business came almost to a standstill. Similar outbreaks have occurred in Guangdong, Shanghai and other regions, and the phones in Jiangmin's key-account technical service department keep ringing. There are indications that the "pandatv" virus may be heading for a concentrated outbreak.






After the pandatv virus is removed with the exclusive removal tool, the system returns to normal.
According to analysis by Jiangmin's anti-virus engineers, the virus is a new variant of the "Weijin" worm. Since it was first intercepted last year it has infected more than 0.3 million computers, and new variants appear almost daily. The virus spreads over the LAN and, in severe cases, can paralyze the whole LAN. Notably, most of the infected users are small enterprises that have no network-edition anti-virus software installed.

Small enterprise LANs become the hardest-hit area

Ms. Gao of an enterprise in the Suzhou Economic Park said the company is a small metal-products firm. Over the past two days the company's network servers suddenly began restarting frequently. On inspection, five unknown files had appeared on the computers and all executable files had been changed to a strange pandatv incense icon; with the servers down, the entire LAN was paralyzed. An engineering company in Beijing experienced the same phenomenon, and worse, the virus attack hit its Finance Department: eight computers there suffered frequent blue screens and crashes, the "pandatv incense" icon appeared on them, and the company's external financial settlement came to a complete halt.

According to statistics, there are more than 10 million small enterprises in China, plus countless small SOHO family-style start-ups that have become common in recent years. Because these enterprises are at an early stage, they usually have no network security defenses beyond installing single-host anti-virus software. Since single-host anti-virus software cannot provide unified defense against LAN-borne viruses such as Weijin, a virus on the LAN is cleaned from one machine only to spread back from another, bouncing between computers over the network; many small enterprises even "host" more than one kind of network virus on their LAN for a long time.

According to Jiangmin's anti-virus engineers, most of the enterprises asking for help are those whose business cannot operate normally because of virus infection. Even if removing the virus takes only an hour or two, the company may be unable to work normally for one or two days, and the direct and indirect losses far exceed the price of a network-edition anti-virus suite.

Single-host editions and exclusive removal tools versus LAN viruses

According to the survey, more than 70% of small and medium-sized enterprises are unwilling to buy the network edition of anti-virus software and prefer single-host software; price is undoubtedly the biggest obstacle to small enterprises adopting the network edition. Because it has long been sold into the high-end enterprise market, network anti-virus software is a "luxury" product in the minds of ordinary users. For a small enterprise LAN with 25 computers, the price of mainstream domestic network anti-virus software with the same configuration is between RMB 10000 and RMB 17000. Faced with such prices, SOHO owners who are starting out and trying to save money need a lot of determination to buy it, and more small business owners passively buy single-host anti-virus software as an emergency response only after they have been hit by a virus.

Although single-host anti-virus software and even free exclusive removal tools can kill viruses, on an interconnected LAN they often work in isolation: the virus is cleaned from one machine only for it to be re-infected by another, over and over, exhausting the network administrator. With only a few computers, one can still unplug the network cables and clean the machines one by one; with dozens or even hundreds of computers it is undoubtedly a nightmare for the administrator.

According to Jiangmin's anti-virus experts, the stand-alone edition lacks the network edition's features such as unified virus removal, unified monitoring, unified settings, unified upgrades and remote control, so it has inherent defects in dealing with LAN viruses. Network viruses transmitted over the LAN can only be handled by network-edition anti-virus software that performs unified detection and removal across the whole network.

Pandatv virus exclusive solution

Step 1, patch: download Firefox. The new Firefox browser bundled with Google's Internet access tool in February has the pandatv patch integrated. Computer experts will know that the latest Firefox fixes the vulnerabilities that IE7 has. Without this patch the virus cannot be eliminated. After downloading the patch, install it and run it once; the virus patch is installed automatically. On the official website, click the "Download Now free" button on the right to download it.
Step 2: Download the "pandatv virus killing tool".
Download the latest exclusive killing tool from one of the following vendors:
Rising's latest pandatv killing tool
Jiangmin's latest pandatv exclusive tool
Kingsoft's latest pandatv killing tool

The pandatv virus spread rapidly in November and more than a dozen variants have already appeared; clearly the scope of the damage is wide!
After a file containing the virus is run, the virus copies itself to the system directory, modifies the registry to set itself as a startup entry, traverses every drive and writes itself to each drive's root directory together with an Autorun.inf so that the virus body is activated when the user opens the drive. It then starts one thread that infects local files and another that connects to a website to download DDoS programs used for malicious attacks.
This is currently the only tool that can detect and remove all pandatv virus variants: it detects and cleans files infected by the pandatv virus, detects and handles unknown pandatv variants, and can handle every current member of the pandatv family and its related variants.
Killer (killeruid0.net)
Date: 2006-11-20

I. Virus description:

(See the description of the virus's behavior given above.)

II. Basic information about the virus:

[File Information]

Virus name: Virus.Win32.EvilPanda.a.ex$
Size: 0xDA00 (55808), (disk) 0xDA00 (55808)
SHA1: F0C3DA82E1620701AD2F0C8B531EEBEA0E8AF69D
Shell information: Unknown
Hazard level: high

Virus name: Flooder.Win32.FloodBots.a.ex$
Size: 0xE800 (59392), (disk) 0xE800 (59392)
SHA1: B71A7EF22A36DBE27E3830888DAFC3B2A7D5DA0D
Shell information: UPX 0.89.6-1.02/1.05-1.24
Hazard level: high

III. Virus behavior:

Virus.Win32.EvilPanda.a.ex$:

1. After the virus is executed, it copies itself to the system directory:

%SystemRoot%\system32\FuckJacks.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Userinit" = "C:\WIN2K\system32\SVCH0ST.exe"
2. Adds a registry startup item to ensure that it is loaded again after the system restarts:

Key path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Key: FuckJacks
Key value: "C:\WINDOWS\system32\FuckJacks.exe"

Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Key: svohost
Key value: "C:\WINDOWS\system32\FuckJacks.exe"

3. Writes itself as setup.exe to the root directory of every drive and generates an autorun.inf so that the virus runs when the user opens the drive; the attributes of both files are set to hidden, read-only and system.

C:\autorun.inf 1KB RHS
C:\setup.exe 230KB RHS

4. Disables multiple anti-virus programs and security tools.
5. Connects to *****.3322.org to download an object and visits www.****.com.
6. Refreshes bbs.qq.com, a QQ Show link.
7. Traverses the disk directories in a loop and infects files, skipping key system files and leaving Windows Media Player, MSN, IE and similar programs uninfected.

Flooder.Win32.FloodBots.a.ex$:

1. After the virus is executed, it copies itself to the system directory:

%SystemRoot%\SVCH0ST.EXE
%SystemRoot%\system32\SVCH0ST.EXE

2. After being downloaded and run, the virus adds a registry startup item to ensure that it is loaded after the system restarts:

Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Key: Userinit
Key value: "C:\WINDOWS\system32\SVCH0ST.exe"

3. Connects to ddos2.*****.com to obtain the list of attack targets and the attack configuration, and launches the corresponding attacks according to that configuration file.

The configuration file looks like this:
www.victim.net:3389
www.victim.net:80
www.victim.com:80
www.victim.net:80
1
1
120
50000
This variant, like the earlier fuckjacks.exe variant, uses the white-background pandatv incense icon. After the virus runs, it copies itself to the system directory:
%System%\drivers\spoclsv.exe

Creates a startup item:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Svcshare" = "%System%\drivers\spoclsv.exe"

Modifies the registry to interfere with the "Show all files and folders" setting:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = dword:00000000

Generates copies in the root directory of each partition:
X:\setup.exe
X:\autorun.inf

Autorun.inf content:
[AutoRun]
open=setup.exe
shellexecute=setup.exe
shell\Auto\command=setup.exe
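To illustrate how a defender can recognize the autorun.inf pattern described above, here is an added Python example (not code from the original page or from any vendor it names): it parses the [AutoRun] section, collects every program the file would launch, and flags a target that sits in the drive root with the hidden and system attributes, as in the listing above. The attribute map is a constructed stand-in for a dir /a listing of the drive root.

```python
import re
from pathlib import PureWindowsPath

# Keys the analysis shows the worm writing; each makes Explorer run the
# referenced program when the drive is opened or its context menu is used.
LAUNCH_KEYS = ("open", "shellexecute")
COMMAND_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun(text):
    """Minimal INI parser for the [AutoRun] section: lower-cased key -> value."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def launched_programs(entries):
    """File names of every program the autorun.inf would execute."""
    progs = set()
    for key, value in entries.items():
        if (key in LAUNCH_KEYS or COMMAND_KEY_RE.match(key)) and value.split():
            progs.add(PureWindowsPath(value.split()[0]).name.lower())
    return progs


def suspicious(entries, root_files):
    """root_files maps lower-cased file name -> set of attribute letters (R/H/S/A).
    Flags the pattern from the analysis: an autorun target in the drive root
    carrying both the hidden and system attributes."""
    return sorted(p for p in launched_programs(entries)
                  if {"H", "S"} <= root_files.get(p, set()))


# Constructed sample: the autorun.inf content quoted above plus the two
# root-directory files with the RHS attributes the analysis reports.
SAMPLE_AUTORUN = "[AutoRun]\nopen=setup.exe\nshellexecute=setup.exe\nshell\\Auto\\command=setup.exe\n"
SAMPLE_ROOT = {"autorun.inf": {"R", "H", "S"}, "setup.exe": {"R", "H", "S"}}

if __name__ == "__main__":
    print("suspicious autorun targets:", suspicious(parse_autorun(SAMPLE_AUTORUN), SAMPLE_ROOT))
```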

Closes the following windows:
QQKav
QQAV
VirusScan
Symantec AntiVirus
Duba
Windows
Esteem procs
System Safety Monitor
Wrapped gift Killer
Winsock Expert
Msctls_statusbar32
Pjf (ustc)
IceSword

Terminates the following processes:
Mcshield.exe
VsTskMgr.exe
NaPrdMgr.exe
UpdaterUI.exe
TBMon.exe
Scan32.exe
Ravmond.exe
CCenter.exe
RavTask.exe
Rav.exe
Ravmon.exe
RavmonD.exe
RavStub.exe
KVXP.kxp
KvMonXP.kxp
KVCenter.kxp
KVSrvXP.exe
KRegEx.exe
UIHost.exe
TrojDie.kxp
FrogAgent.exe
Logocmd.exe
Logo_1.exe
Rundl132.exe

Disables the following services:
Schedule
Sharedaccess
RsCCenter
RsRavMon
KVWSC
KVSrvXP
Kavsvc
AVP
McAfeeFramework
McShield
McTaskManager
Navapsvc
Wscsvc
KPfwSvc
SNDSrvc
CcProxy
CcEvtMgr
CcSetMgr
SPBBCSvc
Symantec Core LC
NPFMntor
MskService
FireSvc

Deletes the startup items of several security programs:
RavTask
KvMonXP
Kav
KAVPersonal50
McAfeeUpdaterUI
Network Associates Error Reporting Service
ShStatEXE
YLive.exe
Yuncse

Uses the net share command to delete the administrative shares:
net share X$ /del /y
net share admin$ /del /y
net share IPC$ /del /y

The virus traverses directories and infects .exe, .com, .scr and .pif files, except in the following directories:
X:\WINDOWS
X:\Winnt
X:\System Volume Information
X:\Recycled
%ProgramFiles%\Windows NT
%ProgramFiles%\WindowsUpdate
%ProgramFiles%\Windows Media Player
%ProgramFiles%\Outlook Express
%ProgramFiles%\Internet Explorer
%ProgramFiles%\NetMeeting
%ProgramFiles%\Common Files
%ProgramFiles%\ComPlus Applications
%ProgramFiles%\Messenger
%ProgramFiles%\InstallShield Installation Information
%ProgramFiles%\MSN
%ProgramFiles%\Microsoft Frontpage
%ProgramFiles%\Movie Maker
%ProgramFiles%\MSN Gaming Zone

The virus binds itself to the front of the infected file and appends tag information at the end, so an infected file consists of the virus body, then the original normal file, then a tag of the form:
WhBoy{original file name}.exe{original file size}
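As an added example (not the analysis's own code), the following Python shows how a cleaning tool can use that layout to carve the original program back out of an infected file: it locates the WhBoy tag at the end, reads the size field, and takes that many bytes from just before the tag, refusing to act when the size is inconsistent or the carved bytes are not a PE image. The 0x02/0x01 separators between the tag fields and the sample bytes are assumptions constructed for this example; the page only gives the field order.

```python
import re

# Infected-file layout from the analysis: [virus body][original file][WhBoy tag].
# The 0x02/0x01 separators between the tag fields are an assumption of this
# example; the analysis above only gives the order of the fields.
TRAILER_RE = re.compile(rb"WhBoy(?P<name>[^\x00-\x1f]+?)\.exe\x02(?P<size>\d+)\x01\Z")


def parse_whboy_trailer(data):
    """Return (original_name, original_size, tag_offset), or None without a tag."""
    m = TRAILER_RE.search(data)
    if m is None:
        return None
    name = m.group("name").decode("gbk", "replace") + ".exe"
    return name, int(m.group("size")), m.start()


def recover_original(data):
    """Carve the original program out of an infected file via the tag's size field."""
    tag = parse_whboy_trailer(data)
    if tag is None:
        return None
    name, size, tag_offset = tag
    body = data[:tag_offset]
    if size <= 0 or size > len(body):
        return None  # size field inconsistent with the file: do not trust the tag
    original = body[-size:]
    if original[:2] != b"MZ":
        return None  # carved region is not a PE image; leave the file alone
    return name, original


# Constructed sample input (not a real malware sample): a stand-in "virus body",
# a minimal fake PE image as the original program, and the trailer naming it.
ORIGINAL = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"original program bytes"
VIRUS_STUB = b"MZ" + b"\xcc" * 100


def make_sample():
    trailer = b"WhBoy" + b"calc" + b".exe\x02" + str(len(ORIGINAL)).encode() + b"\x01"
    return VIRUS_STUB + ORIGINAL + trailer


if __name__ == "__main__":
    result = recover_original(make_sample())
    print("recovered", result[0] if result else "nothing")
```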

In addition, the virus overwrites a small number of .exe files and deletes .gho (Ghost backup image) files.

The virus also tries to log in to other computers on the LAN using the following weak passwords:
Password
Harley
Golf
Pussy
Mustang
Shadow
Fish
Qwerty
Baseball
Letmein
Ccc
Admin
Abc
Pass
Passwd
Database
Abcd
Abc123
Sybase
123qwe
Server
Computer
Super
123asd
Ihavenopass
Godblessyou
Enable
Alpha
1234 qwer
123abc
Aaa
Patrick
Pat
Administrator
Root
Sex
God
Foobar
Secret
Test
Test123
Temp
Temp123
Win
Asdf
Pwd
Qwer
Yxcv
Zxcv
Home
Xxx
Owner
Login
Login
Love
Mypc
Mypc123
Admin123
Mypass
Mypass123
Administrator
Guest
Admin
Root
Clear steps
============

1. Disconnect from the network.

2. Stop the virus process:
%System%\drivers\spoclsv.exe

3. Delete the virus file:
%System%\drivers\spoclsv.exe

4. Right-click the drive letter of each partition and choose "Open" from the context menu (rather than double-clicking, which would trigger the autorun.inf) to enter the partition's root directory, then delete the following files there:
X:\setup.exe
X:\autorun.inf

5. Delete the startup item created by the virus:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Svcshare" = "%System%\drivers\spoclsv.exe"

6. Modify the registry to restore the "Show all files and folders" option:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = dword:00000001
7. Repair or reinstall the anti-virus software.
8. Use anti-virus software or the exclusive tool to run a full scan, clean the virus and restore infected .exe files.
IV. Solution:
1. Super Patrol can completely clear the virus and restore infected files.
2. We recommend using Super Patrol's process management tool to end the virus program before cleaning; otherwise the system will respond slowly.
3. Stop the virus process and delete its startup item.
