Recently a lot of people have this "beast" virus, the reason is called "beast" virus is because the virus is running, Folder Options hidden files in the text content has been modified to "animals have a bit of compassion, and I do not, so I am not an animal." ”
This virus is actually a variant of the original analysis of Niu.exe, but this variant has greatly increased the number of new "features", poisoned by animals and other Trojans in the "Help" system will be completely unprotected. The likelihood of a system being revived without any tools is almost 0.
Several major counts of this virus are as follows:
1. Disable security mode Disabling some of the system's self-protection features (Automatic Updates, firewalls, etc.)
2.IFEO image hijacking antivirus software and common security tools
3. Disable Task Manager
4. Modify the homepage
5. Close the window with the words "antivirus" and so on
6. Infected HTML and other Web files
7. Delete the Gho file so that the user cannot restore the system
8.U Disk Propagation
9. Crazy download a variety of Trojan and rogue software (up to 20 kinds of Trojans)
The following is a detailed analysis of the virus
1. Release the following documents:
%system32%\crsss.exe
Generate Autorun.inf and Niu.exe under each partition
2. Invoke Reg.exe to do the following:
Add Self Startup Project
ADD hklm\software\microsoft\windows\currentversion\run/v crsss/t reg_sz/d
Disable Windows Automatic Updates
Hkey_current_user\software\microsoft\windows\currentversion\policies\windowsupdate/v DisableWindowsUpdateAccess /T reg_dword/d 00000001/f
Disable Task Manager
Add hkey_current_user\software\microsoft\windows\currentversion\policies\system/v disabletaskmgr/t reg_dword/d 00000001/f
Destroys the display hidden file and changes the option name to "The Beast has a bit of compassion, and I have nothing,
So I'm not an animal.
Delete hklm\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall/f
Add hklm\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\nohidden/v text/t reg_sz/d The beast has the slightest compassion, and I have no, so I am not an animal. /F
Break Safe Mode
Delete hklm\system\controlset001\control\safeboot\minimal\{4d36e967-e325-11ce-bfc1-08002be10318}/F
Delete hklm\system\controlset001\control\safeboot\network\{4d36e967-e325-11ce-bfc1-08002be10318}/F
Delete hklm\system\currentcontrolset\control\safeboot\minimal\{4d36e967-e325-11ce-bfc1-08002be10318}/F
Delete hklm\system\currentcontrolset\control\safeboot\network\{4d36e967-e325-11ce-bfc1-08002be10318}/F
3. Add the following image hijacking project to the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution options\ to point to%system32%\ Crsss.exe (limited space, map only)
Current 1/2 page
12 Next read the full text
