"Light Bulb Man" / "Magic Boy" (Win32.WizardBoy.A) virus: complete analysis and removal

Source: Internet
Author: User
Tags: safe mode, win32, administrator password
"A few days ago my computer had 'Panda Burning Incense'; the 'national treasure' had only been gone for a few days when today I downloaded a small tool from the Internet, the machine started to slow down, and several program icons turned into a 'handsome guy' head whose bulging eyes look like a light bulb. I guess it's a virus again. Really depressing!" user Mr. Chen said helplessly.

Kingsoft Antivirus (Jinshan Duba) anti-virus expert Dai Guangjin pointed out that this is an infection by the "Magic Boy" (Win32.WizardBoy.A) virus, which some people also call "Light Bulb Man" or "Man Head". The virus infects executables with the extensions .exe and .scr, spreads over the local area network, and, whenever it has Internet access, downloads further malware from the web.

According to Kingsoft Antivirus's experts, "Light Bulb Man" and "Panda Burning Incense" behave very similarly. Although "Light Bulb Man" has not yet broken out on a large scale, users still need to stay alert. Below is the experts' detailed analysis of the virus, which we hope will help users.

Behaviour analysis of the "Magic Boy" (Win32.WizardBoy.A) virus

1. Drops the virus body to C:\Program Files\Internet Explorer\icwtutor.com and the virus DLL to C:\Program Files\Internet Explorer\plugins\Nppd32.dat. When it is started from an infected host program, it also writes the original, clean program out to a file and runs it, so the infected program still appears to work normally.

2. Adds the following registry value so that it is started with Windows:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Internet Explorer Server" = "C:\Program Files\Internet Explorer\icwtutor.com"

3. Starts an IE process and injects the virus file Nppd32.dat into it. From inside IE it reads a list of download addresses from the URL below and downloads the payloads; the list is stored encrypted:

Http://www.04080.com/vip/1.txt

Decrypted, the list contains the following addresses, all of which are trojans targeting various online games:

Http://www.04080.com/vip/mhxy.exe

Http://www.04080.com/vip/gezi.exe

Http://www.04080.com/vip/huaxia.exe

Http://www.04080.com/vip/wlwz.exe

Http://www.04080.com/vip/mlbb.exe

Http://www.04080.com/vip/datang.exe

4. Traverses the local disks, searches for every file with an .exe or .scr extension, and infects it.

5. Tries to write itself to \\<host>\C$\autoexec.bat on other machines in order to spread over the LAN. If a remote machine is infected this way, it runs autoexec.bat automatically at the next reboot and thereby starts the virus. Note that this only works as described on Windows 9x/Me: Windows NT, 2000 and XP parse autoexec.bat for environment variables but do not execute its commands. The write itself still needs a reachable, writable C$ share, which is why the password and file-share advice below matters.

6. After infection, the file's icon is replaced with the "light bulb head" icon described above (the icon image from the original page is not reproduced here).

Removal procedure:

1. Reboot the system, press F8 during startup and select "Safe Mode with Networking".

2. Go to the Kingsoft Antivirus installation directory and run Update.exe directly to upgrade the anti-virus software to the latest version.

3. Run a full scan to repair the infected executable files.

4. Delete the startup value the virus added under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:

Internet Explorer Server ---> C:\Program Files\Internet Explorer\icwtutor.com

and delete the file C:\Program Files\Internet Explorer\icwtutor.com.
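As an added example (not code from the original article or from Kingsoft), the following PowerShell script checks for, and with -Remove deletes, the indicators from the behaviour analysis above: the Run value, the two dropped files, and an autoexec.bat pushed in over the C$ share. It assumes an elevated prompt, that the anti-virus scan has already repaired the infected host files (the script does not disinfect .exe/.scr files), and that a pushed autoexec.bat mentions icwtutor, which is an assumption because the analysis does not quote the batch file's contents.

```powershell
# Added example: check for / remove Win32.WizardBoy.A persistence items.
# Not Kingsoft's tool; uses only the paths and registry value from the analysis.
# Run elevated, ideally in Safe Mode, AFTER the anti-virus scan has repaired
# the infected .exe/.scr files. Without -Remove it only reports.
[CmdletBinding()]
param([switch]$Remove)

$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runName = 'Internet Explorer Server'
$ieDir   = Join-Path $env:ProgramFiles 'Internet Explorer'
$dropped = @(
    (Join-Path $ieDir 'icwtutor.com'),        # virus body
    (Join-Path $ieDir 'plugins\Nppd32.dat')   # DLL injected into IE
)
$autoexec = Join-Path $env:SystemDrive 'autoexec.bat'   # written via \\host\C$ when spreading
$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: the Run value that points at icwtutor.com.
$val = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if ($val) {
    $findings.Add("Run value '$runName' = '$($val.$runName)'")
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runName }
}

# 2. Dropped files. A process still running from the dropper would make the
#    delete fail with a sharing violation, so stop it first.
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) {
        $findings.Add("Dropped file present: $f")
        if ($Remove) {
            Get-Process -ErrorAction SilentlyContinue |
                Where-Object { $_.Path -eq $f } |
                Stop-Process -Force
            Remove-Item -LiteralPath $f -Force
        }
    }
}

# 3. LAN arrival: a local autoexec.bat that starts the dropper means another
#    machine pushed the infection here over C$. The 'icwtutor' match is an
#    assumption (the analysis does not show the batch file's contents).
if (Test-Path -LiteralPath $autoexec) {
    $hits = Select-String -Path $autoexec -SimpleMatch -Pattern 'icwtutor'
    foreach ($h in $hits) {
        $findings.Add("autoexec.bat line $($h.LineNumber): $($h.Line.Trim())")
    }
    if ($hits -and $Remove) {
        # keep legitimate lines, drop only those referencing the dropper
        $keep = Get-Content -LiteralPath $autoexec | Where-Object { $_ -notmatch 'icwtutor' }
        Set-Content -LiteralPath $autoexec -Value $keep
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32.WizardBoy.A indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    if (-not $Remove) { Write-Output 'Re-run with -Remove to delete the items above.' }
}
```

Run it once without -Remove and read the report; if a neighbouring machine's name appears in the autoexec.bat lines, that machine needs the same treatment, because it is the one still writing to C$ shares.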

Protection recommendations:

1. Install system patches at least once a month, through Windows Update or the Kingsoft Antivirus vulnerability-repair tool.

2. Set a sufficiently complex password on the system's Administrator account. A secure password mixes letters, digits and special characters and is at least 7 characters long.

How to change it: right-click My Computer, select Manage, expand Local Users and Groups > Users, find the Administrator user in the right pane, right-click it and select Set Password.

3. Keep Windows Firewall enabled through Control Panel, or make sure the Kingsoft firewall (Jinshan Dart) is enabled; either one effectively blocks the virus's network intrusion.

4. Close unnecessary file shares: right-click My Computer, select Manage, expand Shared Folders > Shares, and stop any unnecessary shares in the right pane.
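The same four recommendations, turned into a local audit script. This is an added example written for this page, not code from the original article or from Kingsoft. It assumes an elevated prompt on Windows Vista or later (the firewall cmdlets exist from Windows 8/2012; older systems fall back to netsh advfirewall) and an English-locale system for the "net accounts" text match. Nothing is changed unless -Fix is given, and even then shares are only listed, because deciding which ones are "unnecessary" needs a human.

```powershell
# Added example: audit the four hardening recommendations on the local machine.
# Read-only unless -Fix is given; shares are never deleted automatically.
[CmdletBinding()]
param([switch]$Fix)

# 1. Patch level: age of the most recently installed hotfix.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($latest) {
    $days = [int]((Get-Date) - $latest.InstalledOn).TotalDays
    $msg = "Latest hotfix $($latest.HotFixID) installed $days days ago"
    if ($days -gt 31) { $msg += '  <-- more than a month, run Windows Update' }
    Write-Output $msg
} else {
    Write-Output 'No hotfix install dates found; check Windows Update manually'
}

# 2. Password policy. The Administrator password itself cannot be read back,
#    so enforce the 7-character minimum for all future changes instead.
#    'net accounts' output is matched in English (locale assumption).
Write-Output ((net accounts) -match 'Minimum password length')
if ($Fix) { net accounts /minpwlen:7 | Out-Null }

# 3. Firewall state per profile.
if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
    Get-NetFirewallProfile | ForEach-Object {
        Write-Output "Firewall profile $($_.Name): Enabled=$($_.Enabled)"
    }
    if ($Fix) { Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True }
} else {
    netsh advfirewall show allprofiles state
    if ($Fix) { netsh advfirewall set allprofiles state on | Out-Null }
}

# 4. File shares other than the built-in administrative ones (C$, ADMIN$, IPC$,
#    names ending in '$'). The virus writes to C$, which is protected by the
#    Administrator password from step 2; user-created shares are reviewed here.
$shares = Get-WmiObject -Class Win32_Share | Where-Object { $_.Name -notlike '*$' }
if ($shares) {
    foreach ($s in $shares) {
        Write-Output "User share '$($s.Name)' -> $($s.Path)  (remove with: net share `"$($s.Name)`" /delete)"
    }
} else {
    Write-Output 'No user-created shares'
}
```

Run it after cleanup on the infected machine and on every other machine in the same LAN segment; a host whose firewall is off and whose Administrator password is empty is exactly the target the C$ spreading step needs.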
