I. Virus description:
The virus spreads via USB flash drives (U disks). After it runs it copies itself into the system directory and drops a Gray Pigeon (Huigezi) Trojan. To improve concealment, the dropped virus files use two kinds of icons: a Recycle Bin icon and an installer icon.
II. Basic information about the virus:
Virus name: TROJAN-DROPPER.WIN32.VB.RJ
Virus alias: None
Virus type: Virus
Hazard level: 3
Infected platform: Windows
Virus size: 458,752 bytes
SHA1: b86e419783b2d1ca9a5d4ea7de4711cf3da7a83b
Packer (shell) type: None
Development tool: Microsoft Visual Basic 5.0/6.0
III. Virus behaviour:
1. After the virus runs, it creates the following files:
%windir%\svchost.exe (458752 bytes, Recycle Bin icon)
%windir%\ravfree.exe (307640 bytes, installer icon, Gray Pigeon Trojan)
%ProgramFiles%\Common Files\Microsoft Shared\msinfo\servieces.exe (307640 bytes, installer icon, Gray Pigeon Trojan)
%windir%\system32\_servieces.exe (307640 bytes, installer icon, Gray Pigeon Trojan)
2. Modifies the registry to add a startup entry:
Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: Shell
Value data: Explorer.exe%windir%\svchost.exe
3. Adds a service for the Gray Pigeon Trojan:
Service name: System Starmize
Display name: System starmize
Description: The system optimizes itself at startup
Executable path: %ProgramFiles%\Common Files\Microsoft Shared\msinfo\servieces.exe
Startup type: Automatic
4. Modifies the system time. It sets the system date to the year 1980 by running the command cmd.exe /c date 1980-01-01.
5. Monitors USB flash drives and other removable devices; it copies itself onto the drive as Recycle.exe and writes an Autorun.inf so that it spreads together with the drive.
6. The Gray Pigeon Trojan dropped by the virus connects to http://sx.yixiti.net.ru/i/i.txt to download the file i.txt, and uses the content of i.txt to connect to the attacker's controller and accept its commands.
7. Monitors its own files and startup entries to prevent them from being deleted.
IV. Solution:
1. Delete the startup entry from the registry. Edit the registry and remove %windir%\svchost.exe from the following value:
Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name: Shell
Value data: Explorer.exe%windir%\svchost.exe
2. Restart the computer into Safe Mode.
3. Delete the virus files. Delete the following files:
%windir%\svchost.exe
%windir%\ravfree.exe
%ProgramFiles%\Common Files\Microsoft Shared\msinfo\servieces.exe
%windir%\system32\_servieces.exe
4. Remove the service added by the virus. Open Super Patrol and use its service management feature to remove the service named System Starmize.
5. Correct the system time.
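The checks below encode the indicators from sections III and IV so that an analyst can run them offline over values collected from a suspect host (Winlogon Shell data, file paths, service list, an Autorun.inf). This is an added example, not code from the original advisory or from Super Patrol; the sample %windir% value and the inputs used in the functions' docstrings are assumptions.

```python
"""Offline triage checks for the indicators listed above (added example, not the advisory's code)."""
import ntpath
import re

# Indicators taken from the advisory text
LEGIT_SHELL = {"explorer.exe"}
DROPPED_NAMES = {"ravfree.exe", "servieces.exe", "_servieces.exe"}
BAD_SERVICE_NAMES = {"system starmize"}

def shell_value_extras(shell_value: str) -> list:
    """Return every entry of the Winlogon Shell value other than explorer.exe.
    Entries are normally comma separated; the advisory shows the dropped path glued
    directly onto Explorer.exe, so a separator is also inserted before a %var% or a
    drive letter that follows '.exe' without one."""
    normalised = re.sub(r"(?i)(\.exe)(?=%|[A-Za-z]:\\)", r"\1,", shell_value)
    parts = [p.strip() for p in re.split(r"[,\s]+", normalised) if p.strip()]
    return [p for p in parts if ntpath.basename(p).lower() not in LEGIT_SHELL]

def misplaced_svchost(paths, windir="C:\\Windows") -> list:
    """Flag any svchost.exe that is not %windir%\\system32\\svchost.exe.
    The dropper writes its copy straight into %windir%; the genuine binary lives in
    system32. windir is an assumed default; pass the host's real %windir%."""
    legit = ntpath.join(windir, "system32", "svchost.exe").lower()
    return [p for p in paths
            if ntpath.basename(p).lower() == "svchost.exe" and p.lower() != legit]

def suspicious_services(services) -> list:
    """services: iterable of (name, image_path). Returns the names of services that match
    the advisory's service name or whose image is one of the dropped Gray Pigeon files."""
    return [name for name, image in services
            if name.lower() in BAD_SERVICE_NAMES
            or ntpath.basename(image).lower() in DROPPED_NAMES]

def autorun_targets(autorun_inf: str) -> list:
    """Return the executables an Autorun.inf would launch (open=, shellexecute=,
    shell\\...\\command=). A removable drive whose Autorun.inf points at Recycle.exe
    matches behaviour 5 above."""
    targets = []
    for line in autorun_inf.splitlines():
        key, sep, value = line.partition("=")
        launches = re.fullmatch(r"(?i)\s*(open|shellexecute|shell\\[^=]*\\command)\s*", key)
        if sep and launches and value.strip():
            targets.append(value.strip().split()[0])
    return targets
```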
V. Recommendations for preventing this virus:
Since the virus spreads via USB flash drives, it is recommended to apply Super Patrol's USB drive immunization to the drive and to disable the system's AutoRun function. Scan any USB drive for viruses as soon as it is inserted into the computer, and only use it afterwards.