Where is "Panda Burning Incense"?
Not a panda burning incense exactly: every EXE icon gets replaced with a little panda burning three sticks of incense. The icon is very cute.
Manual removal method:
Panda Burning Incense variant spoclsv.exe: solution
Virus name: Worm.Win32.Delf.bf (Kaspersky)
Virus alias: Worm.Nimaya.d (Rising)
Win32.Trojan.QQRobber.nw.22835 (Kingsoft Duba)
Virus size: 22,886 bytes
Packer: UPack
Sample MD5: 9749216a37d57cf4b2e528c027252062
Sample SHA-1: 5d3222d8ab6fc11f899eff32c2c8d3cd50cbd755
Discovered: 2006.11
Updated: 2006.11
Associated viruses:
Transmission: spreads through malicious web pages, downloads by other Trojans, the local network, removable storage devices and other channels
Technical analysis
==========
This "Panda Burning Incense" variant, FuckJacks.exe, uses the same white panda-burning-incense icon as the earlier variants. After running, the virus copies itself to the system directory:
%system%\drivers\spoclsv.exe
Creates a startup item:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Svcshare" = "%system%\drivers\spoclsv.exe"
Modifies the registry to defeat the "Show all files and folders" setting, so the hidden copies stay invisible in Explorer:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = dword:00000000
Creates copies in the root directory of every partition:
X:\setup.exe
X:\autorun.inf
autorun.inf contents (all three keys point at the dropped copy, so opening the drive from Explorer runs it):
[AutoRun]
Open=setup.exe
Shellexecute=setup.exe
Shell\auto\command=setup.exe
Tries to close windows whose titles match the following:
Qqkav
Qqav
VirusScan
Symantec AntiVirus
Duba
Windows
Esteem Procs
System Safety Monitor
Wrapped Gift Killer
Winsock Expert
Msctls_statusbar32
PJF (USTC)
IceSword
Terminates the following security-software processes:
Mcshield.exe
VsTskMgr.exe
NaPrdMgr.exe
UpdaterUI.exe
TBMon.exe
Scan32.exe
Ravmond.exe
CCenter.exe
RavTask.exe
Rav.exe
Ravmon.exe
RavmonD.exe
RavStub.exe
Kvxp.kxp
Kvmonxp.kxp
Kvcenter.kxp
KVSrvXP.exe
KRegEx.exe
UIHost.exe
Trojdie.kxp
FrogAgent.exe
Logo1_.exe
Logo_1.exe
Rundl132.exe
Disables the following services:
Schedule
SharedAccess
Rsccenter
Rsravmon
Kvwsc
Kvsrvxp
Kavsvc
Avp
Mcafeeframework
McShield
Mctaskmanager
Navapsvc
Wscsvc
Kpfwsvc
Sndsrvc
Ccproxy
Ccevtmgr
Ccsetmgr
Spbbcsvc
Symantec Core LC
Npfmntor
Mskservice
Firesvc
Deletes the startup entries of several security products:
Ravtask
Kvmonxp
Kav
KAVPersonal50
Mcafeeupdaterui
Network Associates Error Reporting Service
Shstatexe
YLive.exe
Yassistse
Removes the administrative shares with the NET SHARE command (x$ stands for each drive letter):
net share x$ /del /y
net share admin$ /del /y
net share ipc$ /del /y
Traverses the directory tree and infects EXE, COM, SCR and PIF files, skipping only the following system directories:
X:\WINDOWS
X:\Winnt
X:\System Volume Information
X:\Recycled
%ProgramFiles%\Windows NT
%ProgramFiles%\WindowsUpdate
%ProgramFiles%\Windows Media Player
%ProgramFiles%\Outlook Express
%ProgramFiles%\Internet Explorer
%ProgramFiles%\NetMeeting
%ProgramFiles%\Common Files
%ProgramFiles%\ComPlus Applications
%ProgramFiles%\Messenger
%ProgramFiles%\InstallShield Installation Information
%ProgramFiles%\MSN
%ProgramFiles%\Microsoft FrontPage
%ProgramFiles%\Movie Maker
%ProgramFiles%\MSN Gaming Zone
Prepends itself to the infected file and appends a tag at the end of the file:
.whboy{original filename}.exe.{original file size}.
Unlike earlier variants, this virus is 22,886 bytes but bundles only 22,838 bytes of itself at the front of the infected file, so an infected file fails with an error when run and, unlike earlier variants, does not drop the original {original filename}.exe.
The virus was also observed to overwrite a small number of EXE files and to delete .gho files.
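The tail tag described above is enough to carve the original program back out of an infected file, which matters for this variant because running the infected file no longer drops the original. The following is an added example written for this page, not the worm's code or any vendor's removal tool. It assumes the tag layout exactly as printed above, with the fields separated by single '.' bytes, and that the {original file size} bytes immediately before the tag are the original program; the sample infected image is constructed inline and is not a real binary.

```python
"""Parse the tail tag this variant appends and carve the original program
back out of an infected file.

Added example for this page; not the worm's code and not a vendor tool.
Assumptions not stated on the page: the tag is ASCII with the fields
separated by single '.' bytes exactly as printed ('.whboy{name}.exe.{size}.'),
and the original program occupies the {size} bytes immediately before
the tag, after the prepended virus body.
"""
import re
from pathlib import Path

# Only the last few hundred bytes can hold the tag (a name plus a size),
# so the search is bounded and is not fooled by '.whboy' earlier in the file.
TAIL_WINDOW = 512
TAG_RE = re.compile(
    rb"\.whboy(?P<name>.+)\.exe\.(?P<size>\d+)\.\Z", re.IGNORECASE | re.DOTALL
)


def parse_tag(data: bytes):
    """Return (tag_offset, original_name, original_size), or None if the
    file does not end with a WhBoy tag."""
    tail = data[-TAIL_WINDOW:]
    m = TAG_RE.search(tail)
    if m is None:
        return None
    tag_offset = len(data) - len(tail) + m.start()
    name = m.group("name").decode("ascii", errors="replace") + ".exe"
    return tag_offset, name, int(m.group("size"))


def split_infected(data: bytes):
    """Split an infected image into its parts using the size recorded in
    the tag. Returns None for an untagged (clean) file and raises
    ValueError if the tag is inconsistent with the file length."""
    parsed = parse_tag(data)
    if parsed is None:
        return None
    tag_offset, name, size = parsed
    original_start = tag_offset - size
    if original_start < 0:
        raise ValueError("tag claims %d original bytes but only %d precede it"
                         % (size, tag_offset))
    return {
        "name": name,
        "virus_body": data[:original_start],   # 22,838 bytes for this variant
        "original": data[original_start:tag_offset],
        "tag": data[tag_offset:],
    }


def disinfect_file(path, out_dir):
    """Write the carved original under out_dir using the name recorded in
    the tag. Returns the output path, or None if `path` is not tagged."""
    parts = split_infected(Path(path).read_bytes())
    if parts is None:
        return None
    out = Path(out_dir) / Path(parts["name"]).name   # drop any directory part
    out.write_bytes(parts["original"])
    return out


# Constructed sample (not a real infected binary): a fake 22,838-byte
# virus body, a 64-byte stand-in for the original program, and the tag.
ORIGINAL = b"MZ" + bytes(range(62))
VIRUS_BODY = b"MZ" + b"\x00" * (22838 - 2)
SAMPLE_INFECTED = VIRUS_BODY + ORIGINAL + b".whboynotepad.exe." + b"%d." % len(ORIGINAL)

if __name__ == "__main__":
    parts = split_infected(SAMPLE_INFECTED)
    print(parts["name"], len(parts["virus_body"]), len(parts["original"]))
```

Because the original's length is read from the tag rather than assumed from the virus size, the same carve works whether the prepended body is the full 22,886 bytes of earlier variants or the 22,838 bytes this variant writes; a tag whose size does not fit the file is reported as an error instead of being silently carved.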
The virus also tries to log on to other computers on the local network using the following weak passwords:
Password
Harley
Golf
Pussy
Mustang
Shadow
Fish
Qwerty
Baseball
Letmein
Ccc
Admin
Abc
Pass
passwd
Database
Abcd
abc123
Sybase
123qwe
Server
Computer
Super
123asd
Ihavenopass
Godblessyou
Enable
Alpha
1234qwer
123abc
Aaa
Patrick
Pat
Administrator
Root
Sex
God
Foobar
Secret
Test
Test123
Temp
Temp123
Win
Asdf
Pwd
Qwer
Yxcv
Zxcv
Home
Xxx
Owner
Login
Love
MyPC
Mypc123
Admin123
Mypass
Mypass123
Administrator
Guest
Admin
Root
Cleanup steps
==========
1. Disconnect from the network.
2. End the virus process:
%system%\drivers\spoclsv.exe
3. Delete the virus file:
%system%\drivers\spoclsv.exe
4. Right-click each drive letter and choose "Open" from the context menu to enter the partition root (double-clicking the drive would trigger autorun.inf and run the virus again), then delete the root-directory files:
X:\setup.exe
X:\autorun.inf
5. Remove the startup entry the virus created:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Svcshare" = "%system%\drivers\spoclsv.exe"
6. Restore the "Show all files and folders" registry setting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = dword:00000001
7. Repair or reinstall the antivirus software.
8. Run a full scan with antivirus software or a dedicated removal tool to clean and restore the infected EXE files.
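The cleanup steps above come down to a handful of fixed indicators: the Svcshare Run value, the SHOWALL CheckedValue, setup.exe and autorun.inf in every drive root, and the three launch keys inside that autorun.inf. The script below is an added example for this page, not a vendor removal tool; the indicator values are the page's, while the function names, the Finding record and the constructed sample inputs are this example's own assumptions. Only collect_windows() needs Windows (it uses winreg); assess() is pure and runs offline, and its autorun.inf parser also covers the [AutoRun] file shown in the technical analysis.

```python
"""Check a host for the indicators in the analysis above and print the
matching cleanup step. Added example for this page, not a vendor tool;
the Finding record, function names and sample inputs are assumptions."""
import os
import sys
from dataclasses import dataclass

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SHOWALL_KEY = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
               r"\Advanced\Folder\Hidden\SHOWALL")
RUN_VALUE, DROPPER = "svcshare", "spoclsv.exe"
ROOT_DROPS = ("setup.exe", "autorun.inf")
AUTORUN_LAUNCH_KEYS = ("open", "shellexecute", r"shell\auto\command")

@dataclass
class Finding:
    kind: str    # run_key | showall | root_drop | autorun
    detail: str
    fix: str     # the corresponding step from the cleanup list

def parse_autorun(text):
    """Key/value pairs of the [AutoRun] section, keys lower-cased."""
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values

def autorun_targets(text):
    """Programs an autorun.inf launches through the three keys the worm sets."""
    values = parse_autorun(text)
    return {values[k] for k in AUTORUN_LAUNCH_KEYS if k in values}

def assess(run_values, showall_checked, root_listings, autorun_texts):
    """run_values: HKCU Run name -> data; showall_checked: CheckedValue or
    None; root_listings: drive -> lower-cased root file names;
    autorun_texts: drive -> autorun.inf contents. Pure, so testable offline."""
    findings = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE or DROPPER in data.lower():
            findings.append(Finding("run_key", f"{name} = {data}",
                            f'reg delete "HKCU\\{RUN_KEY}" /v "{name}" /f'))
    if showall_checked == 0:
        findings.append(Finding("showall", "CheckedValue = 0, hidden files stay hidden",
                        f'reg add "HKLM\\{SHOWALL_KEY}" /v CheckedValue /t REG_DWORD /d 1 /f'))
    for drive, names in root_listings.items():
        dropped = ", ".join(n for n in ROOT_DROPS if n in names)
        if dropped:
            findings.append(Finding("root_drop", f"{drive}:\\ contains {dropped}",
                            f"right-click {drive}: > Open, then delete {dropped}"))
        targets = autorun_targets(autorun_texts.get(drive, ""))
        if targets:
            findings.append(Finding("autorun", f"{drive}:\\autorun.inf launches {', '.join(sorted(targets))}",
                            f"delete {drive}:\\autorun.inf before double-clicking the drive"))
    return findings

def collect_windows():
    """Gather the four assess() inputs from a live Windows host."""
    import winreg
    run_values, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:      # past the last value
                break
            run_values[name] = str(data)
            index += 1
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SHOWALL_KEY) as key:
            showall = winreg.QueryValueEx(key, "CheckedValue")[0]
    except OSError:
        showall = None
    listings, texts = {}, {}
    for letter in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        try:
            names = {n.lower() for n in os.listdir(f"{letter}:\\")}
        except OSError:          # no such drive, or no media inserted
            continue
        listings[letter] = names
        if "autorun.inf" in names:
            with open(f"{letter}:\\autorun.inf", errors="replace") as fh:
                texts[letter] = fh.read()
    return run_values, showall, listings, texts

# Constructed sample mirroring the page's indicators (not captured data).
SAMPLE_AUTORUN = "[AutoRun]\nOpen=setup.exe\nShellexecute=setup.exe\nShell\\auto\\command=setup.exe\n"
SAMPLE_INPUTS = ({"Svcshare": r"C:\WINDOWS\system32\drivers\spoclsv.exe"}, 0,
                 {"C": {"windows", "setup.exe", "autorun.inf"}, "D": {"data"}},
                 {"C": SAMPLE_AUTORUN})

if __name__ == "__main__":
    for f in assess(*(collect_windows() if sys.platform == "win32" else SAMPLE_INPUTS)):
        print(f"[{f.kind}] {f.detail}\n    fix: {f.fix}")
```

Run it on the suspect host as the infected user, since the Run value lives under HKCU; on a non-Windows machine it evaluates the constructed sample instead. It reports rather than deletes: the fix strings are the reg.exe commands and manual steps matching the list above, and nothing on the host is changed until the operator has read the finding.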
Here is the Panda Burning Incense icon. The one I posted is from the QQ emoticon set; the icon on an infected machine is basically the same, except that there are no words on the panda's body.
This virus kills antivirus software, so I'm providing a removal tool I have tested that can kill it; occasionally it gets killed by the latest version.
Removal tool download
Telecom users download
Netcom users download
Thunder private download address