Virus name: Trojan.Delf.RSD <Rising> <macloud. kaback not reported>
MD5: 216a00003443fc9c46fe4d32aa13c390f
After the sample runs, it copies itself into the %SystemRoot% directory and onto the root of every non-system drive:
%SystemRoot%\flashplay.dll
%SystemRoot%\ge_1237.exe
X:\flashplay.dll
X:\readme.txt.exe
X:\autorun.inf
X stands for a non-system drive letter; %SystemRoot% is the environment variable for the Windows directory.
Content of autorun.inf:
[Autorun]
Open=.\readme.txt.exe
Shell\1=open
Shell\1\command=.\readme.txt.exe
Shell\2\=Browser
Shell\2\command=.\readme.txt.exe
ShellExecute=.\readme.txt.exe
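The autorun.inf above is the classic removable-drive hijack: every launch action (Open, the Shell\N\command verbs and ShellExecute) is pointed at one file with a double extension on the drive root. The following is an added example, not code from the original post: a small parser that reads an autorun.inf and reports exactly those traits, so a defender can triage files pulled off USB sticks or network shares without running anything. The sample text embedded in it is the autorun.inf quoted above; the list of "document" extensions used for the double-extension check is my own choice.

```python
"""Flag autorun.inf files whose launch actions all point at one executable.

Added example (not from the original post). Parses an autorun.inf and reports
the traits seen in the quoted file: a ShellExecute entry, every launch key
pointing at the same target, and a double-extension name such as readme.txt.exe.
"""
import re
from collections import defaultdict

# The autorun.inf content quoted in the post, verbatim (including the odd "Shell\2\=" key).
SAMPLE_AUTORUN_INF = r"""[Autorun]
Open=.\readme.txt.exe
Shell\1=open
Shell\1\command=.\readme.txt.exe
Shell\2\=Browser
Shell\2\command=.\readme.txt.exe
ShellExecute=.\readme.txt.exe
"""

# Keys that cause something to be launched: open, shellexecute, shell\<verb>\command
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$")
# "looks like a document, is actually executable" (extension lists are an assumption of this example)
DOUBLE_EXT = re.compile(r"\.(txt|doc|jpg|pdf|htm|html)\.(exe|scr|com|bat|pif)$", re.I)


def parse_autorun(text):
    """Return {section: {key: value}} with section and key names lower-cased.

    Tolerates stray whitespace around '=' and ';' comment lines.
    """
    sections = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return dict(sections)


def analyze_autorun(text):
    """Return a list of finding strings; an empty list means nothing suspicious."""
    findings = []
    autorun = parse_autorun(text).get("autorun", {})
    launch = {k: v for k, v in autorun.items() if LAUNCH_KEYS.match(k)}
    if not launch:
        return findings
    if "shellexecute" in launch:
        findings.append("ShellExecute entry present: %s" % launch["shellexecute"])
    targets = {v.lower() for v in launch.values()}
    if len(targets) == 1 and len(launch) >= 3:
        findings.append("all %d launch actions point to the same file: %s"
                        % (len(launch), next(iter(targets))))
    for key, target in sorted(launch.items()):
        name = target.replace("/", "\\").rsplit("\\", 1)[-1]
        if DOUBLE_EXT.search(name):
            findings.append("%s targets a double-extension executable: %s" % (key, name))
    return findings


if __name__ == "__main__":
    for finding in analyze_autorun(SAMPLE_AUTORUN_INF):
        print(finding)
```

Run against the quoted file it reports the ShellExecute entry, the four launch actions sharing one target, and the readme.txt.exe double extension for each of them; a plain autorun.inf that only sets an icon and a label produces no findings.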
It launches IE and %SystemRoot%\ge_1237.exe to connect to the network:
IP address:port 125.91.104.177:80
IP address:port 59.45.180.5:37
IP address:port 221.238.249.18:80
It also pops up a "free song" window pointing to the URL: http://img2.uiuni.com/ivr/all/index.html?Uid=1,2722
Solution:
1. Run IceSword: Settings -> Prohibit thread creation, then force-unload the module c:\windows\system32\flashplay.dll from the assumer.exe and imo-e.exe processes.
Sreng log:
[Pid: 4916] [c:\windows\assumer.exe]
[C:\windows\system32\flashplay.dll]
[Pid: 1508] [c:\Program Files\Internet Explorer\ipolice.exe]
[C:\windows\system32\flashplay.dll]
2. Use IceSword: File -> Delete:
%SystemRoot%\flashplay.dll
%SystemRoot%\ge_1237.exe
and on the non-system drives delete:
X:\flashplay.dll
X:\readme.txt.exe
X:\autorun.inf
Note:
When IceSword deletes X:\readme.txt.exe from a non-system drive, the desktop process is terminated automatically. Once the deletion is complete the process stays terminated and cannot be re-created while thread creation is prohibited. Press Ctrl+Alt+Del to open Task Manager, choose File -> New Task, and start the desktop process again: assumer.exe