Questions about the "AV Terminator" virus keep piling up on the forum. I originally assumed that users would quickly notice their anti-virus software misbehaving, go looking for a fix, and that the virus would therefore not stay hidden for long. That is not what happens: most users never notice that their anti-virus software has stopped working properly. At that point nothing else about the system looks wrong, since the virus neither degrades system performance nor slows the network connection. The upshot is that an infected machine can still be used to request Remote Assistance so that manual clean-up can be carried out.
This raises another question: is the "AV Terminator" virus, like "Panda Burning Incense" before it, the work of the same gang?
Start with the propagation capability built into the "AV Terminator" program itself: on its own it can only spread via USB flash drives or portable hard disks. How could a virus with such a limited propagation method reach such a wide distribution? That clearly cannot be explained by the program spreading naturally on its own, so the outbreak is most likely the result of deliberate human operation.
So how does the "AV Terminator" virus get into a system in the first place? And is there more behind this virus than meets the eye?
Two earlier threats deserve attention here. The first is the "Risk.exploit.ani" virus, which exploited the ANI vulnerability to plant Trojan downloaders on web pages (a "hanging horse" attack) on a large scale. The second is the use of ARP spoofing to hijack every session on a LAN: whichever site a user on the hijacked LAN visited, the browser was simultaneously made to download a Trojan from the 16.us site (and other download sites).
Compared with the Panda Burning Incense case, "AV Terminator" behaves far more covertly, and its tricks against anti-virus software have been taken almost to the extreme. Its whole distribution chain is also more complex than that of Panda Burning Incense; "AV Terminator" already shows the hallmarks of a business-like, organised operation. That chain consists of the following three phases.
Phase one: Spreading the AV terminator virus
The fastest and most effective route is to attack a company's public-facing servers (usually hosted in an IDC data centre). Once a server is compromised, a Trojan is planted on it directly and then spread rapidly through the ANI vulnerability. Not only that: the attacker also launches an ARP attack from the compromised server, extending the web-page Trojan planting to the whole server room. The same technique works inside a corporate intranet: break into one host, launch an ARP attack, and the Trojan-planting spreads quickly across the entire company network.
The other route is more direct: the finished "AV Terminator" virus is carried on a USB flash drive and spread by hand in Internet cafés and other public Internet venues. The method could not be simpler; all it takes is plugging a USB drive into the target machine.
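The ARP-hijacking step of phase one leaves a signature on the wire that a defender can watch for passively. The following is an added example, my own code rather than anything from the original post or the analyses it draws on: it parses constructed tcpdump-style ARP reply lines and flags the patterns an ARP man-in-the-middle produces, namely one IP answered by two MACs, one MAC answering for several IPs, and a known gateway binding being contradicted. The sample trace, addresses and MACs are all made up.

```python
import re
from collections import defaultdict

# Constructed sample capture in tcpdump style (not a real trace). The rogue
# host 00:0c:29:aa:bb:cc answers for both the gateway 192.168.1.1 and the
# victim 192.168.1.20, which is what an ARP man-in-the-middle looks like.
SAMPLE_CAPTURE = """\
10:00:00.100 ARP, Reply 192.168.1.1 is-at 00:50:56:c0:00:08, length 46
10:00:00.200 ARP, Reply 192.168.1.20 is-at 00:0c:29:11:22:33, length 46
10:00:01.000 ARP, Reply 192.168.1.1 is-at 00:0c:29:aa:bb:cc, length 46
10:00:01.050 ARP, Reply 192.168.1.20 is-at 00:0c:29:aa:bb:cc, length 46
10:00:02.000 ARP, Reply 192.168.1.1 is-at 00:0c:29:aa:bb:cc, length 46
10:00:03.000 ARP, Reply 192.168.1.30 is-at 00:0c:29:44:55:66, length 46
"""

ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(text):
    """Yield (ip, mac) pairs from ARP reply lines; other lines are ignored."""
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def detect_arp_spoofing(text, trusted=None):
    """Return three kinds of findings (empty dict/list means nothing seen):
    ip_conflicts       - an IP answered by more than one MAC,
    mac_claims_many    - one MAC answering for more than one IP,
    trusted_violations - a reply contradicting a known binding (e.g. gateway).
    `trusted` is an optional {ip: mac} map of bindings you already know."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_macs, mac_to_ips, violations = defaultdict(set), defaultdict(set), set()
    for ip, mac in parse_arp_replies(text):
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
        if ip in trusted and trusted[ip] != mac:
            violations.add((ip, mac))
    return {
        "ip_conflicts": {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1},
        "mac_claims_many": {mac: sorted(i) for mac, i in mac_to_ips.items() if len(i) > 1},
        "trusted_violations": sorted(violations),
    }


if __name__ == "__main__":
    print(detect_arp_spoofing(SAMPLE_CAPTURE, {"192.168.1.1": "00:50:56:c0:00:08"}))
```

On a real network the same logic can be fed from a live capture filtered to ARP, with the gateway's true MAC supplied as the trusted binding.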
Phase two: the "AV Terminator" virus's active period
Once "AV Terminator" has got in, it can hijack almost every anti-virus product and system-configuration tool commonly used by Chinese users, and it switches off Windows Firewall and Windows Automatic Updates. To stop users cleaning it out from Safe Mode, the virus simply alters the system configuration so that the system can no longer boot into Safe Mode. The goal is obvious: to strip the infected system of its ability to defend itself as quickly as possible.
Phase three: the Trojans' active period
With the groundwork of the previous phase done, "AV Terminator" has left the infected computer with no ability to protect itself. The virus then uses its built-in downloader to fetch around ten Trojan backdoor programs with different functions onto the infected machine, and these Trojans carry off whatever their controller finds interesting. The final damage to any given computer depends entirely on the preferences of whoever controls those Trojans.