Panda Burning Incense (熊猫烧香, Worm.WhBoy) virus: how it works, removal methods and solutions (with the latest dedicated removal tool)


Panda Burning Incense dedicated removal tool, official version V1.6:
This tool detects, cleans and repairs files infected with the Panda Burning Incense virus. It also detects and handles unknown variants, and covers all current members of the family and related variants.
The tool is easy to use. The package contains two dedicated removal tools; run them one after the other for a better result.
Analysis by: killer (killer<2>uid0.net)
Date: 2006-11-20

I. Virus description:

After an infected file is run, the virus copies itself to the system directory, modifies the registry to register itself as a startup entry, traverses every drive and writes itself to each root directory together with an autorun.inf, so that the virus body is launched as soon as the user opens the drive. It then starts one thread that infects local files and another that connects to a website to download DDoS programs used for attacks.

II. Basic information about the virus:

[File information]

Virus name: Virus.Win32.EvilPanda.a.ex$
Size: 0xDA00 (55808); on disk 0xDA00 (55808)
SHA1: F0C3DA82E1620701AD2F0C8B531EEBEA0E8AF69D
Packer: unknown
Threat level: high

Virus name: Flooder.Win32.FloodBots.a.ex$
Size: 0xE800 (59392); on disk 0xE800 (59392)
SHA1: B71A7EF22A36DBE27E3830888DAFC3B2A7D5DA0D
Packer: UPX 0.89.6-1.02/1.05-1.24
Threat level: high

III. Virus behavior:

Virus.Win32.EvilPanda.a.ex$:

1. After execution, the virus copies itself to the system directory:

%SystemRoot%\system32\FuckJacks.exe

2. It adds registry startup entries so that it is loaded again after every reboot:

Key path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: FuckJacks
Value data: "C:\WINDOWS\system32\FuckJacks.exe"

Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: svohost
Value data: "C:\WINDOWS\system32\FuckJacks.exe"

3. It copies itself to the root directory of every drive as setup.exe and generates an autorun.inf so that the virus runs when the user opens the drive; both files are given the hidden, read-only and system attributes.

C:\autorun.inf 1KB RHS
C:\setup.exe 230KB RHS

4. Disables multiple anti-virus products and security tools.
5. Connects to *****.3322.org to download a file, and visits www.****.com.
6. Refreshes a QQ Show link on bbs.qq.com.
7. Traverses the disk directories in a loop and infects files, skipping key system files; it does not infect Windows Media Player, MSN, IE and similar programs.

Flooder.Win32.FloodBots.a.ex$:

1. After execution, the virus copies itself to the system directory:

%SystemRoot%\SVCH0ST.EXE
%SystemRoot%\system32\SVCH0ST.EXE

2. Once downloaded and run, it adds a registry startup entry so that it is loaded again after every reboot (note that Userinit is a legitimate Winlogon value name, but it has no business under the Run key):

Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: Userinit
Value data: "C:\WINDOWS\system32\SVCH0ST.exe"

3. Connects to ddos2.*****.com to fetch the list of attack targets and the attack configuration, then attacks according to that configuration file.

The configuration file is as follows:
www.victim.net:3389
www.victim.net:80
www.victim.com:80
www.victim.net:80
1
1
120
50000
The FuckJacks.exe variant, like the previous one, uses the panda-burning-incense icon on a white background. After it runs, it copies itself to the system directory:
%System%\drivers\spoclsv.exe

Creates a startup entry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Svcshare"="%System%\drivers\spoclsv.exe"

Modifies the registry so that the "Show all files and folders" setting no longer takes effect, which keeps its hidden/system files out of sight in Explorer:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

Drops copies in the root directory of every partition:
X:\setup.exe
X:\autorun.inf

autorun.inf content:
[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\Auto\command=setup.exe

Closes windows whose title contains any of the following:
QQKav
QQAV
VirusScan
Symantec AntiVirus
Duba
Windows
Esteem procs
System Safety Monitor
Wrapped gift Killer
Winsock Expert
msctls_statusbar32
pjf(ustc)
IceSword

Terminates the following processes:
Mcshield.exe
VsTskMgr.exe
NaPrdMgr.exe
UpdaterUI.exe
TBMon.exe
Scan32.exe
Ravmond.exe
CCenter.exe
RavTask.exe
Rav.exe
Ravmon.exe
RavmonD.exe
RavStub.exe
KVXP.kxp
KvMonXP.kxp
KVCenter.kxp
KVSrvXP.exe
KRegEx.exe
UIHost.exe
TrojDie.kxp
FrogAgent.exe
Logocmd.exe
Logo_1.exe
Rundl132.exe

Disables the following services:
Schedule
Sharedaccess
RsCCenter
RsRavMon
KVWSC
KVSrvXP
Kavsvc
AVP
McAfeeFramework
McShield
McTaskManager
Navapsvc
Wscsvc
KPfwSvc
SNDSrvc
CcProxy
CcEvtMgr
CcSetMgr
SPBBCSvc
Symantec Core LC
NPFMntor
MskService
FireSvc

Deletes the startup entries of several security products:
RavTask
KvMonXP
Kav
KAVPersonal50
McAfeeUpdaterUI
Network Associates Error Reporting Service
ShStatEXE
YLive.exe
Yuncse

Removes the administrative shares with the net share command (X$ stands for each drive letter):
net share X$ /del /y
net share admin$ /del /y
net share IPC$ /del /y

Traverses the directory tree and infects exe, com, scr and pif files everywhere except in the following directories:
X:\WINDOWS
X:\Winnt
X:\System Volume Information
X:\Recycled
%ProgramFiles%\Windows NT
%ProgramFiles%\WindowsUpdate
%ProgramFiles%\Windows Media Player
%ProgramFiles%\Outlook Express
%ProgramFiles%\Internet Explorer
%ProgramFiles%\NetMeeting
%ProgramFiles%\Common Files
%ProgramFiles%\ComPlus Applications
%ProgramFiles%\Messenger
%ProgramFiles%\InstallShield Installation Information
%ProgramFiles%\MSN
%ProgramFiles%\Microsoft Frontpage
%ProgramFiles%\Movie Maker
%ProgramFiles%\MSN Gaming Zone

It prepends itself to the infected file and appends a marker at the end, so an infected file has the layout:

virus body, followed by the original normal file, followed by the marker WhBoy{original file name}.exe.{original file size}.

The original file is therefore still present inside the infected file and can be cut back out using the name and size recorded in the marker.

In addition, the virus overwrites (rather than prepends to) a small number of exe files, which cannot be recovered this way, and deletes .gho (Ghost backup image) files.
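The recovery the marker makes possible, as an added example in Python (this is not the analysis's dedicated tool): the script parses the trailing marker, cuts the original file out from between the virus body and the marker, and refuses files whose marker does not fit, which is what an overwritten exe or a truncated copy looks like. The exact marker layout WhBoy{name}.exe.{size}. is reconstructed from the description above, and the "virus body" and host files are constructed stand-ins, not real malware; adjust MARKER_RE if a real sample differs.

```python
"""Recover the host program from a file infected by the prepending
infector described above. Added example, not the analysis's dedicated
tool. The trailer layout WhBoy<name>.exe.<size>. is reconstructed from
the page's description: adjust MARKER_RE if a real sample differs."""
import re
import shutil

# Trailer: 'WhBoy' + original file name + '.exe.' + decimal size + '.'
MARKER_RE = re.compile(rb"WhBoy([^\\/:*?\"<>|\x00\r\n]+?)\.exe\.(\d+)\.\Z")


class NotInfected(Exception):
    """No trailer: the file is clean (or was overwritten, not prepended)."""


class UnrecoverableInfection(Exception):
    """Trailer present but its size claim does not fit the file."""


def parse_trailer(data):
    """Return (original_name, original_size, trailer_length)."""
    tail = data[-1024:]                       # trailer is short; skip the body
    m = MARKER_RE.search(tail)
    if m is None:
        raise NotInfected("no WhBoy trailer at end of file")
    return m.group(1).decode("latin-1"), int(m.group(2)), len(m.group(0))


def disinfect(data):
    """Split an infected image into (original_name, original_bytes, virus_body).
    Layout: [virus body][original file][trailer]."""
    name, size, tlen = parse_trailer(data)
    body_end = len(data) - tlen - size
    if body_end <= 0:
        raise UnrecoverableInfection(
            f"trailer claims {size} bytes but only {len(data) - tlen} precede it")
    original = data[body_end:len(data) - tlen]
    # exe/scr hosts are PE images and must start with 'MZ'; .com has no header.
    ext = name.lower().rsplit(".", 1)[-1]
    if ext in ("exe", "scr") and not original.startswith(b"MZ"):
        raise UnrecoverableInfection("recovered bytes are not a PE image")
    return name, original, data[:body_end]


def restore_file(path):
    """Disinfect a file in place, keeping the infected copy as evidence.
    Returns the recovered original file name."""
    with open(path, "rb") as fh:
        data = fh.read()
    name, original, _body = disinfect(data)
    shutil.copy2(path, path + ".whboy-infected")
    with open(path, "wb") as fh:
        fh.write(original)
    return name


# --- constructed fixtures (no real malware) -------------------------------
FAKE_VIRUS_BODY = b"MZ" + b"\x90" * 200
FAKE_PE_HOST = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"host program bytes" * 8
FAKE_COM_HOST = b"\xb8\x00\x4c\xcd\x21"      # mov ax,4C00h / int 21h


def wrap_like_worm(original, original_name, virus_body=FAKE_VIRUS_BODY):
    """Build the prepender layout so disinfect() can be exercised offline."""
    trailer = (b"WhBoy" + original_name.encode() + b".exe."
               + str(len(original)).encode() + b".")
    return virus_body + original + trailer


if __name__ == "__main__":
    sample = wrap_like_worm(FAKE_PE_HOST, "calc.exe")
    name, original, body = disinfect(sample)
    print(name, len(original), len(body))
```

Keep the `.whboy-infected` copies until the cleanup is verified: the virus body cut off the front of each file is the sample you hand to the AV vendor, and the marker name lets you confirm the file was restored under its original name.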

The virus also tries to log on to other computers on the LAN using the following weak passwords (shown here with initial capitals as rendered by the translation; the actual strings are case-sensitive):
Password
Harley
Golf
Pussy
Mustang
Shadow
Fish
Qwerty
Baseball
Letmein
Ccc
Admin
Abc
Pass
Passwd
Database
Abcd
Abc123
Sybase
123qwe
Server
Computer
Super
123asd
Ihavenopass
Godblessyou
Enable
Alpha
1234qwer
123abc
Aaa
Patrick
Pat
Administrator
Root
Sex
God
Foobar
Secret
Test
Test123
Temp
Temp123
Win
Asdf
Pwd
Qwer
Yxcv
Zxcv
Home
Xxx
Owner
Login
Login
Love
Mypc
Mypc123
Admin123
Mypass
Mypass123
Administrator
Guest
Admin
Root

Cleanup steps
=============

1. Disconnect from the network.

2. Terminate the virus process:
%System%\drivers\spoclsv.exe

3. Delete the virus file:
%System%\drivers\spoclsv.exe

4. Right-click each drive letter and choose "Open" from the context menu (do not double-click the drive, which would run autorun.inf), then delete the following files from the root directory. They carry the hidden, read-only and system attributes, so list them with dir /a and clear the attributes with attrib -r -h -s before deleting:
X:\setup.exe
X:\autorun.inf

5. Delete the startup entry created by the virus:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Svcshare"="%System%\drivers\spoclsv.exe"

6. Restore the "Show all files and folders" option in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
7. Repair or reinstall the anti-virus software.
8. Run a full scan with the anti-virus software or the dedicated tool to clean and restore infected exe files.
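
A way to check the artifacts before and after steps 4 to 6, and the autorun.inf and registry entries listed under III, as an added Python example (not the analysis's tool): it parses an autorun.inf for the keys that launch setup.exe, flags Run entries whose binary name is one edit away from a legitimate Windows process name (SVCH0ST.exe and svohost imitate svchost.exe, spoclsv.exe imitates spoolsv.exe) or whose value name the worm uses, and checks the SHOWALL tamper. The autorun.inf texts and the registry snapshot are constructed fixtures; on a real machine you would feed it the file contents and a reg query dump of the Run keys.

```python
"""Triage of the artifacts listed above for the spoclsv.exe variant.
Added example, not the original analysis's tool. The autorun.inf texts
and the registry snapshot are constructed fixtures."""

# --- constructed fixtures -------------------------------------------------
MALICIOUS_AUTORUN = (
    "[AutoRun]\n"
    "OPEN=setup.exe\n"
    "shellexecute=setup.exe\n"
    "shell\\Auto\\command=setup.exe\n"
)
BENIGN_AUTORUN = "[AutoRun]\nicon=drivers.ico\nlabel=Driver CD\n"

# (hive, value name, value data) as dumped from ...\CurrentVersion\Run.
RUN_ENTRIES = [
    ("HKCU", "Svcshare", r"C:\WINDOWS\system32\drivers\spoclsv.exe"),
    ("HKLM", "svohost", r"C:\WINDOWS\system32\FuckJacks.exe"),
    ("HKLM", "Userinit", r"C:\WINDOWS\system32\SVCH0ST.exe"),
    ("HKLM", "SynTPEnh", r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"),
]

# autorun.inf keys that launch a program when the drive is opened.
LAUNCH_KEYS = {"open", "shellexecute", "shell\\auto\\command"}
# Value names the two variants use under Run. Userinit is a genuine
# Winlogon value but has no business under Run.
WORM_RUN_NAMES = {"svcshare", "svohost", "fuckjacks", "userinit"}
# Legitimate process names the droppers imitate by one-character edits.
LEGIT_SYSTEM_NAMES = sorted({"svchost.exe", "spoolsv.exe", "lsass.exe",
                             "csrss.exe", "winlogon.exe", "services.exe"})


def autorun_launch_targets(text):
    """Return the programs an autorun.inf would launch ([] if none).
    A small hand-written parser: real samples mix case and spacing."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in LAUNCH_KEYS:
                targets.append(value.strip('"'))
    return targets


def edit_distance(a, b):
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(exe_name):
    """Legit name that exe_name imitates (one edit away), else None.
    SVCH0ST.exe and svohost.exe -> svchost.exe, spoclsv.exe -> spoolsv.exe."""
    name = exe_name.lower()
    if name in LEGIT_SYSTEM_NAMES:
        return None
    for legit in LEGIT_SYSTEM_NAMES:
        if edit_distance(name, legit) == 1:
            return legit
    return None


def suspicious_run_entries(entries):
    """Flag Run entries, returning (hive, value name, exe, reason)."""
    hits = []
    for hive, name, data in entries:
        exe = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
        legit = lookalike_of(exe)
        if legit:
            reason = f"{exe} imitates {legit}"
        elif name.lower() in WORM_RUN_NAMES:
            reason = f"Run value name {name!r} is used by the worm"
        else:
            continue
        hits.append((hive, name, exe, reason))
    return hits


def showall_tampered(checked_value):
    """CheckedValue under ...\\Folder\\Hidden\\SHOWALL is 1 by default;
    the worm writes 0 so 'Show hidden files' never takes effect."""
    return checked_value != 1


if __name__ == "__main__":
    print("autorun launches:", autorun_launch_targets(MALICIOUS_AUTORUN))
    for hit in suspicious_run_entries(RUN_ENTRIES):
        print("suspicious Run entry:", hit)
    print("SHOWALL tampered:", showall_tampered(0))
```

The lookalike check is what generalizes beyond this family: a Run entry pointing at a file whose name is one character off svchost.exe or spoolsv.exe is worth a look whatever the sample is called, while the value-name list only catches these two variants.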
IV. Solution:

1. Super Patrol (超级巡警) can completely remove the virus and restore infected files.
2. We recommend terminating the virus process with the Super Patrol process management tool before cleaning; otherwise the system will respond slowly.
3. Stop the virus process and delete the startup entry. For details, see the forum.
