This virus is the latest variant of the earlier "Dream Lover" (password) virus.
1. When the virus runs it drops (or copies itself to) the following files:
%systemroot%\system32\config\systemprofile\vista.exe
%systemroot%\system32\a.jpg
%systemroot%\system32\flower.dll
%systemroot%\system32\vista.exe
It also drops Test.exe and Autorun.inf in the root of every partition, so that opening a drive relaunches the virus through AutoRun.
2. It reads Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE to find the path of IEXPLORE.EXE, then launches IE to connect to http://www.3940*.cn/tj.asp, which reports the infection for the author's statistics.
3. It raises its own privileges and terminates the following processes:
360tray.exe
360safe.exe
and closes the handles of the following process:
Avp.exe
4. It starts a spoolsv.exe process, injects Flower.dll into it, and calls Urlmon.dll to download the following files:
Http://www.*/muma935474/q.exe
Http://www.*/muma935474/w.exe
Http://www.*/muma935474/e.exe
Http://www.*/muma935474/r.exe
Http://www.*/muma935474/t.exe
Http://www.*/muma935474/y.exe
Http://www.*/muma935474/u.exe
Http://www.*/muma935474/i.exe
Http://www.*/muma935474/o.exe
Http://www.*/muma935474/10.exe ~ http://www.*/muma935474/36.exe
Http://www.*/muma.exe
Http://www.*/muma1.exe
Http://www.*/muma2.exe
Http://www.*/muma3.exe
The downloads are saved under C:\Documents and Settings\ with the names Taga.exe~Tagg.exe, Tagaa.exe~Taggg.exe, Tagaaa.exe~Tagggg.exe, Tagaaaa.exe~Tagcccc.exe, Md5a.exe~Md5g.exe, Md5aa.exe~Md5gg.exe and Md5aaa.exe~Md5bbb.exe.
Download interval: 2000 ms.
Most of the download links were already dead at the time of analysis; the few files that could still be downloaded were Gray Pigeon (Huigezi) remote-access trojans.
5. It closes any window whose title contains one of the following strings:
Firewall
Antivirus
Jiangmin
Kingsoft (Jinshan)
Trojan
Super Patrol
NOD32
Security
Main thread
Micropoint
7. It defeats "Show hidden files and folders":
the value HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden is set to 0x00000002 (2 = do not show hidden files, 1 = show them), so the dropped files stay out of sight in Explorer.
SREng log after the trojan has been implanted:
Startup Items
Registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
<IFEO[360rpt.exe]><C:\WINDOWS\system32\vista.exe> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.exe]
<IFEO[360Safe.exe]><C:\WINDOWS\system32\vista.exe> [Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
<IFEO[360tray.exe]><C:\WINDOWS\system32\vista.exe> [Microsoft Corporation] ...
(Each of these is an Image File Execution Options "Debugger" hijack: whenever Windows is asked to start the named security tool, it launches C:\WINDOWS\system32\vista.exe instead. The "[Microsoft Corporation]" shown is the company name from the file's own version resource, which the dropper can set to anything; it is not a signature.)
==================================
Services
[Windows/windows] [Running/disabled]
<C:\WINDOWS\windows.exe><N/A>
Workaround:
Download SREng and IceSword (both available from down.45it.com).
1. Unpack IceSword and rename the IceSword executable to 1.com before running it, so its image name matches nothing the virus looks for.
Click the File button in the lower-left corner and delete the following files:
%systemroot%\system32\config\systemprofile\vista.exe
%systemroot%\system32\a.jpg
%systemroot%\system32\flower.dll
%systemroot%\system32\vista.exe
%systemroot%\windows.exe
together with Test.exe and Autorun.inf in the root of every partition.
2. Open SREng.
Under Startup Items > Registry, delete all IFEO entries shown in red.
Under System Repair > Windows Shell/IE, select all and repair.
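The same audit and cleanup that the IceSword/SREng steps perform by hand, as an added PowerShell example (not part of the original analysis): it enumerates the Image File Execution Options keys and flags any Debugger value that is not a real debugger, checks the dropped files, the Explorer Hidden value and the "windows" service, and with -Fix removes them. The $knownDebuggers allow-list is an assumption to be adjusted per site; the script assumes it runs as Administrator, preferably from Safe Mode so the sample is not running and re-creating its keys.

```powershell
# Added example, not from the original analysis. Assumptions: run as
# Administrator, ideally in Safe Mode; $knownDebuggers is an illustrative
# allow-list of images that legitimately appear as IFEO debuggers.
[CmdletBinding()]
param([switch]$Fix)

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$knownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'ntsd.exe', 'cdb.exe', 'drwtsn32.exe')

# Files the dropper writes; Test.exe / Autorun.inf are added for every fixed drive.
$dropped = @(
    "$env:SystemRoot\system32\config\systemprofile\vista.exe",
    "$env:SystemRoot\system32\a.jpg",
    "$env:SystemRoot\system32\flower.dll",
    "$env:SystemRoot\system32\vista.exe",
    "$env:SystemRoot\windows.exe"
)
foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
    if ($drive.DriveType -eq 'Fixed') {
        $dropped += (Join-Path $drive.Name 'Test.exe')
        $dropped += (Join-Path $drive.Name 'Autorun.inf')
    }
}

function Get-IfeoHijack {
    # An IFEO subkey whose Debugger is not a real debugger makes Windows start
    # the Debugger image instead of the program named by the subkey.
    foreach ($key in Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }
        # Debugger holds a command line; isolate the executable path.
        if ($dbg -match '^"([^"]+)"') { $path = $Matches[1] } else { $path = ($dbg -split ' ')[0] }
        $exe = [System.IO.Path]::GetFileName($path).ToLower()
        if ($knownDebuggers -notcontains $exe) {
            New-Object PSObject -Property @{ Target = $key.PSChildName; Debugger = $dbg; Key = $key.PSPath }
        }
    }
}

function Test-HiddenFilesSabotaged {
    # Hidden = 1 shows hidden files, 2 hides them; the sample forces 2.
    $v = (Get-ItemProperty -Path $advanced -Name Hidden -ErrorAction SilentlyContinue).Hidden
    return ($v -eq 2)
}

$hijacks = @(Get-IfeoHijack)
$hijacks | Format-Table Target, Debugger -AutoSize
$present = @($dropped | Where-Object { Test-Path -LiteralPath $_ })
$present | ForEach-Object { "dropped file present: $_" }
if (Test-HiddenFilesSabotaged) { 'Explorer Hidden value forced to 2 (hidden files not shown)' }
$svc = Get-Service -Name 'windows' -ErrorAction SilentlyContinue
if ($svc) { "service 'windows' present, status $($svc.Status)" }

if ($Fix) {
    # Clear the Debugger values first: until they are gone, launching any of
    # the hijacked names (360safe.exe, ...) starts vista.exe again.
    foreach ($h in $hijacks) { Remove-ItemProperty -Path $h.Key -Name Debugger -Force }
    if ($svc) {
        Stop-Service -Name 'windows' -Force -ErrorAction SilentlyContinue
        & sc.exe delete windows | Out-Null
    }
    foreach ($f in $present) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
    Set-ItemProperty -Path $advanced -Name Hidden -Value 1 -Type DWord
}
```

Run it once without -Fix to review what it finds, then with -Fix. The Hidden value lives under the user hive (HKU/HKCU), so the check and repair apply only to the profile the script runs under; repeat it for every affected user. Like renaming IceSword to 1.com, running from an unremarkable console avoids the virus's window-title and process-name matching, but none of this is reliable while the sample is resident, which is why Safe Mode is preferred.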