Replace the Ctfmon.exe download Window.exe method _ virus killing
Source: Internet
Author: User
Virus Description:
This virus uses the method that replaces input method to enter a program to disguise oneself, thus can use the original Ctfmon start a project to start oneself, and carry on downloading Trojan horse and infect HTM file operation
File:window.exe
size:19380 bytes
Modified:2007 year October 19, 17:42:28
md5:bdaa1ab926518c7d3c05b730c8b5872c
sha1:bf4c82aa7f169ff37f436b78bbe9aa7fd652118a
crc32:bec77526
1. After the virus runs, the following files are generated:
%systemroot%\system32\ctfmon.exe.tmp
End Ctfmon.exe process, then start
%systemroot%\system32\ctfmon.exe.tmp
2. Modify the Registration Form
At HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
The following pendingfilerenameoperations add the key value so that after the reboot the Ctfmon.exe.tmp
Rename to Ctfmon.exe
3. Traverse the non-system partition below
php,jsp,asp,htm,html file, after which code is added
4. Through the netsh firewall add allowedprogram%systemroot%\system32\ctfmon.exe command
Add%systemroot%\system32\ctfmon.exe to the Allow list in the firewall
5. Try to connect other users ' computers in the local area network with the following password
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.