Red alert! Anti-Virus Software

Source: Internet
Author: User

Text/image: erratic

Recently, a virus named "avterminator" has been raging on the Internet. According to statistics, about 0.1 million Chinese computer users have been attacked by it. The "AV" in "avterminator" is short for Antivirus, meaning anti-virus software, so the name alone tells us that this virus targets anti-virus software. Facts have proved that the vast majority of anti-virus products are useless against it: either they cannot be started or their main program is damaged. Of course, killing anti-virus software is not the virus's real purpose; its targets are our game accounts, online service accounts and private information. In severity and in difficulty of removal, this virus is no less harmful than pandatv. In this issue, let's get to know and remove this nasty "avterminator".

Anti-Virus Software Gets No Say

In this round, anti-virus software has once again become the virus's target. Let's take a look at how much damage "avterminator" can do to the system. First, it goes after anti-virus software: most anti-virus products and security tools are killed without hesitation as soon as the virus runs, and they cannot be started again. The technique the virus uses for this is the "image hijacking" we introduced earlier. To stop users from booting into safe mode to remove it, the virus also sabotages safe mode, so users cannot enter it. With these self-protection measures in place, the virus starts downloading large numbers of game-account-stealing Trojans and spyware from the Internet, which steal account information and user privacy. Stocks and funds have been very popular recently, and many users trade them online; these accounts are among avterminator's targets too. Finally, the virus searches the system for removable storage devices and copies itself to them to spread to other computers.

If a novice user's machine catches "avterminator", the system can be declared brain-dead, because removing the virus by hand is difficult. Next we give a comprehensive analysis of "avterminator":

Copies itself to system folders

After the virus runs, it generates virus files in the following locations. The file name consists of 8 random letters and digits:

C:\Program Files\Common Files\Microsoft Shared\MSInfo\<virus name>.dat
C:\Program Files\Common Files\Microsoft Shared\MSInfo\<virus name>.dll
C:\Windows\<virus name>.hlp
C:\Windows\Help\<virus name>.chm

Judging from where it copies itself into the system directories, this is a very cunning virus. First, it does not copy its files into the system32 directory favored by other viruses. Second, none of the virus files is an .exe file, which makes them hard for users to identify as a virus. Finally, the file name is a random combination of 8 digits and letters, so even if a user finds the file suspicious, searching for the file name on a search engine turns up nothing.

Injects into a normal system process

The virus process monitors the anti-virus processes in the system; if any anti-virus process is found, it is terminated immediately. The virus process also monitors window titles and the IE browser: if a window title contains one of the anti-virus keywords on its blacklist, the window is closed at once. Monitoring IE is meant to stop users from finding removal instructions through search engines: as soon as a keyword forbidden by the virus is entered into a search engine, the web page is closed.

The weak point of anti-virus software

It is "image hijacking" again! We mentioned this in our analysis of the OSO virus, but avterminator disables far more anti-virus software and security tools than the OSO virus did. Let's briefly review the "image hijacking" technique.

"Image hijacking" means creating, under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" in the registry, a sub-key named after the anti-virus software or security tool, and then creating a value in that sub-key that associates the anti-virus program with the virus file. So when we run the anti-virus software after infection, what actually runs is the virus again.

Figure 1. The virus's image hijacking entries
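An added example, not from the article: a defender-side audit of an exported Image File Execution Options key that flags "Debugger" values pointing at anything other than a known debugger, at a non-.exe file, or at an 8-character random-looking name like the ones described above. The .reg excerpt, "myav.exe" and the file name are constructed, and the allow-list of debuggers is an assumption of the example.

```python
import ntpath
import re

# Constructed excerpt of a `reg export` of the IFEO key (plain text after UTF-16
# conversion); "myav.exe" and the 8-character name are made up for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myav.exe]
"Debugger"="C:\\WINDOWS\\a8k2m1qz.hlp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\System32\\vsjitdebugger.exe"
'''
# Debuggers that legitimately appear as an IFEO "Debugger" value; this allow-list
# is an assumption of the example, extend it for your own environment.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "ntsd.exe", "windbg.exe", "cdb.exe"}
KEY_RE = re.compile(r"^\[(.+)\]$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$')
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}$", re.IGNORECASE)

def unescape_reg(value):
    # .reg exports double every backslash and escape embedded quotes
    return value.replace("\\\\", "\\").replace('\\"', '"')

def find_ifeo_hijacks(reg_text):
    # Returns (hijacked image, debugger command, reasons) for suspicious entries
    findings = []
    image = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            # the last element of an IFEO sub-key is the name of the hijacked image
            image = ntpath.basename(key.group(1))
            continue
        value = DEBUGGER_RE.match(line)
        if not value or image is None:
            continue
        debugger = unescape_reg(value.group(1))
        # the value is a command line (e.g. "ntsd -d"); only the program matters
        exe = ntpath.basename(debugger.split(" ")[0].strip('"'))
        stem, ext = ntpath.splitext(exe)
        reasons = []
        if exe.lower() not in KNOWN_DEBUGGERS:
            reasons.append("debugger not on allow-list")
        if ext.lower() != ".exe":
            reasons.append("debugger is not an .exe")
        if RANDOM_NAME_RE.match(stem):
            reasons.append("8-character random-looking name")
        if reasons:
            findings.append((image, debugger, reasons))
    return findings
```

On a live machine the input would come from "reg export" of the IFEO key; on an infected box run the export from a renamed copy of the tool, for the same reason the article gives for "ice blade".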

Modify registry to add a startup entry

To make itself start with the system, "avterminator" modifies the registry and adds values at the following locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

Virus Propagation

The virus copies itself to every hard-disk partition and to removable storage devices, creating an autorun.inf file together with a virus file named with 8 random letters and digits. It also modifies the NoDriveTypeAutoRun value in the registry so that it spreads along with the removable device. Second, to stop users from discovering and deleting the virus files on removable storage, the files are given the hidden attribute and the registry is altered so that "Show all files and folders" and "Hide protected operating system files" in "Folder Options" no longer take effect. This makes the virus files hard to delete.
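An added example, not from the article: a small checker for the autorun.inf files the worm plants on removable media. It lists every entry that would launch a program and flags launch targets whose names are 8 random-looking letters and digits, as described above. The sample autorun.inf and the file name in it are constructed.

```python
import ntpath
import re

# Constructed autorun.inf of the shape a worm drops on removable media; the
# 8-character file name is made up for illustration, not a real sample.
SAMPLE_AUTORUN = """[AutoRun]
icon=k3m9ax7q.exe,0
open=k3m9ax7q.exe
shell\\open\\Command=k3m9ax7q.exe
shellexecute=k3m9ax7q.exe
shell\\explore\\Command=k3m9ax7q.exe
shell=open
"""
LAUNCH_KEYS = {"open", "shellexecute"}  # keys whose value is a command line
COMMAND_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}$", re.IGNORECASE)

def autorun_launch_targets(inf_text):
    # Returns (key, command, looks_random) for each entry that would run a program
    targets = []
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not value:
            continue
        if key.lower() in LAUNCH_KEYS or COMMAND_KEY_RE.match(key):
            # first token of the command line is the program; drop any arguments
            program = ntpath.basename(value.split()[0].strip('"'))
            stem = ntpath.splitext(program)[0]
            targets.append((key, value, bool(RANDOM_NAME_RE.match(stem))))
    return targets

def is_suspicious_autorun(inf_text):
    # Flag when every program the file would launch has a random-looking 8-char name
    targets = autorun_launch_targets(inf_text)
    return bool(targets) and all(looks_random for _, _, looks_random in targets)
```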

Manual virus removal

To remove a virus that protects itself this well, the key is to find its entry point; for "avterminator", the entry point is its process. A dedicated removal tool has already been released, so here we only briefly describe how to remove "avterminator" manually. We again use the "ice blade" (IceSword) tool; of course, its main program must be renamed before running it, because it is also one of the targets of image hijacking.

Step 1. After running "ice blade", switch to the "Process" view, find the process into which the virus has been injected, and end it.

Step 2. Switch to the registry editing function in "ice blade", locate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, and delete the sub-keys named after anti-virus software and security tools. The anti-virus software should be able to run now; if it still cannot, repair or reinstall it.

Step 3. Go to the registry startup locations listed above and delete the virus's values there.

Step 4. Fix "Folder Options". Refer to the OSO virus removal method; once the repair is complete, delete all virus files on the hard disk.

Step 5. Repair the system's "safe mode" with the repair kit: http://pete.cn/cbi/safemode.rar

How to Prevent "avterminator"

"Avterminator" spreads through the IE browser and removable storage devices, so securing these two channels is enough to prevent infection. The first thing to do is install all system patches; we can use the system's "Automatic Updates" or the vulnerability-repair function of 360 Security Guard, and we recommend the latter because it is simple and practical. Next, update the anti-virus software's virus database so that it can detect "avterminator". Finally, disable the system's "AutoPlay" function:

Figure 2. System Vulnerability repair

Click Start > Run, enter gpedit.msc to open "Group Policy", expand "Computer Configuration" > "Administrative Templates" > "System", find the "Turn off Autoplay" item on the right, double-click it to open its configuration dialog, select "Enabled" and click "OK" to save.

Figure 3. Disabling the AutoPlay function

This also cuts off the path by which the virus spreads through removable storage devices.
