Virus name: Trojan.Delf.rsd
MD5 216a00003443fc9c46fe4d32aa13c390f
After running, the sample copies itself into the %SystemRoot% directory and to the root of every non-system drive:

%SystemRoot%\flashplay.dll
%SystemRoot%\ge_1237.exe
X:\flashplay.dll
X:\readme.txt.exe
X:\autorun.inf

(X: stands for a non-system drive letter; %SystemRoot% is an environment variable.)

Content of autorun.inf:

[Autorun]
Open=.\readme.txt.exe
Shell\Open=Open
Shell\Open\Command=.\readme.txt.exe
Shell\Browser=Browser
Shell\Browser\Command=.\readme.txt.exe
Shellexecute=.\readme.txt.exe
The IE process and %SystemRoot%\ge_1237.exe then connect to the network:
IP address:port 125.91.104.177:80
IP address:port 59.45.180.5:37
IP address:port 221.238.249.18:80
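Because the trojan rides inside iexplore.exe, the outbound connections look like ordinary browsing until they are matched against the endpoints above. The script below is an added example (not from the original post) of that triage step: it parses `netstat -ano`-style output and returns the PIDs talking to the listed addresses, so the owning process can be checked with the IceSword/SREng steps that follow. The netstat text is constructed; PID 1508 is borrowed from the SREng log further down, the other rows are filler.

```python
import re

# Constructed netstat -ano style output; not a capture from the infected host.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      125.91.104.177:80      ESTABLISHED     1508
  TCP    192.168.1.10:1046      59.45.180.5:37         SYN_SENT        2204
  TCP    192.168.1.10:1050      10.0.0.5:445           ESTABLISHED     4
  TCP    192.168.1.10:1052      221.238.249.18:8080    ESTABLISHED     1508
  UDP    0.0.0.0:500            *:*                                    688
"""

# Remote endpoints from the analysis above: (ip, port).
KNOWN_C2 = {
    ("125.91.104.177", 80),
    ("59.45.180.5", 37),
    ("221.238.249.18", 80),
}

# Proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None when not numeric."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def find_c2_connections(netstat_text, c2=KNOWN_C2):
    """Return [(pid, remote_ip, remote_port, state)] for rows whose foreign
    address exactly matches a known endpoint. Port is part of the match, so
    a different service on the same IP is reported by find_c2_hosts instead."""
    hits = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _proto, _local, foreign, state, pid = m.groups()
        ip, port = split_endpoint(foreign)
        if (ip, port) in c2:
            hits.append((int(pid), ip, port, state or ""))
    return hits


def find_c2_hosts(netstat_text, c2=KNOWN_C2):
    """Looser check: PIDs talking to a known IP on any port."""
    ips = {ip for ip, _ in c2}
    pids = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m and split_endpoint(m.group(3))[0] in ips:
            pids.add(int(m.group(5)))
    return sorted(pids)


if __name__ == "__main__":
    for pid, ip, port, state in find_c2_connections(SAMPLE_NETSTAT):
        print(f"PID {pid} -> {ip}:{port} ({state})")
    print("PIDs contacting known hosts on any port:", find_c2_hosts(SAMPLE_NETSTAT))
```

The exact-endpoint match is the confident indicator; the host-only match catches a sample that changes ports, at the cost of needing a second look before anything is terminated.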
A pop-up advertising a "free song" appears, pointing to the URL: http://img2.uiuni.com/ivr/all/index.html?Uid=1,2722
Solution:
1. Run IceSword, go to Settings and enable "Forbid thread creation". Then use "Force unload module" to unload C:\WINDOWS\system32\flashplay.dll from the explorer.exe and iexplore.exe processes.
The corresponding SREng log entries:
Code:
[PID: 4916][C:\WINDOWS\explorer.exe] [C:\WINDOWS\system32\flashplay.dll]
[PID: 1508][C:\Program Files\Internet Explorer\iexplore.exe] [C:\WINDOWS\system32\flashplay.dll]
2. Use IceSword: File -> Delete to remove:
%SystemRoot%\flashplay.dll
%SystemRoot%\ge_1237.exe
and, on each non-system drive letter X:, delete:
X:\flashplay.dll
X:\readme.txt.exe
X:\autorun.inf
Note:
When IceSword deletes X:\readme.txt.exe from a non-system drive, the desktop process (explorer.exe) is terminated automatically. After the deletion is complete, turn the "Forbid thread creation" setting off again; while it is enabled, the process cannot be recreated. Then press Ctrl+Alt+Del to open Task Manager, choose File -> New Task, and start the desktop process explorer.exe.