Reading disk virus in previous life

The occurrence of the virus outbreak of the disk drive

Disk drive virus first appeared last February, Jinshan poison bully anti-virus expert Li Tiejun said, At that time, the virus is only in the Windows directory to generate Lsass.exe and Smss.exe files, and modify the system time for 1980, when the virus is not the purpose of the download, there are more bugs themselves, after the invasion, easy to cause the system blue screen panic. Later variants gradually absorb the features of AV Terminator and Robot dog, and the ability to fight security software is gradually enhanced.

Disk drive virus Analysis

The virus has hundreds of variants, according to the Global Anti-Virus monitoring center said that the virus infected with the system, will be like "ants move" like more Trojans downloaded to the local operation, to the theft of Trojans. At the same time, the disk drive virus will also download other Trojan downloads, such as AV Terminator, after the typical performance of the virus Trojan mixed infection, which the download of the ARP virus will have a serious impact on the LAN.

For ordinary computer users, after the virus invasion, in addition to security software is not available, the other functions of the system is basically normal. As a result, ordinary users have found that poisoning occurs after the theft of the event, the average user is not always concerned about the security software and system management tools are not able to run. And, in this case, the user is basically unable to use anti-virus software to complete the virus removal, and even want to reinstall another anti-virus software is not possible.

Performance of typical disk drive failure

1. Register the global Hook, scan the program window containing common Security software keywords, send a large number of messages, resulting in the crash of security software

2. Destroy folder Options, so that users can not view hidden files

3. Delete the values in the registry about safe mode to prevent booting to safe mode

4. Create a drive to protect itself. The driver can realize the power-on delete itself, shutdown to create a delay to restart the project implementation of automatic loading

5. Modify the registry to make the software restriction policy in Group Policy unavailable

6. Scan and delete the security software registration key value, prevent the security software boot

7. Create Autorun.inf and PAGEFILE.PIF on each disk, automatically run feature propagation when you double-click a disk or insert a mobile device

8. Remove the entire RUN key and its subkeys from the registry, preventing the security software from loading automatically

9. Release multiple virus execution programs to accomplish more tasks

10. The virus is loaded by means of a restart rename, located under the registry Hkey_local_machine\system\controlset001\control\backuprestore\keysnottorestore pending Renameoperations string

11. Infection In addition to the System32 directory of other EXE files (virus infection behavior is evolving, from the infection of other partitions to the infected system partition), the most special is the virus will also unpack RAR files, infected with the EXE, and then packaged into a rar

12. Download a large number of Trojans to the local run, the user ultimately damaged the situation, determined by the behavior of these Trojans

The various versions of the drive are not the same, and the typical analysis should refer to the two examples of the drug-loving bully community:

Http://bbs.duba.net/thread-21894878-1-1.html

Http://bbs.duba.net/thread-21891665-1-1.html

Transmission path of virus in disk drive

1.U disk/Mobile hard disk/digital memory card transmission

2. The various Trojans download the transmission between each other

3. Download via malicious website

4. Transmission through infected documents

5. Through the intranet ARP attack spread

Disk Drive Solutions

The disk drive virus and AV Terminator, Robot dog performance is very similar, technically speaking the disk drive is more resistant to kill. From our understanding of the situation, a variety of anti-virus software can not intercept the latest variant of the disk drive, after poisoning, installation of anti-virus software failure is very high. As a result, the current scheme is to prioritize the use of disk drive killing tools. For the use, download and upgrade instructions for the Kill tool, please refer to: http://bbs.duba.net/thread-21892665-1-1.html