This is the latest variant of the Niu.exe virus; new variants have been spreading more widely recently, so please pay attention.
Quote:
File: Discovery.exe
Size: 74240 bytes
Modified: 2008-02-02 00:03:34
MD5: 2da55f2a36e852ee6fc96d34dd520979
SHA1: 44ce8f1c1a02591a88867f421c0c658b200d94c1
CRC32: e20e292d
1. After the virus runs, it drops the following copies and files:
Quote:
%systemroot%\system32\discovery.exe
In the root directory of each partition it creates Autorun.inf and discovery.exe so that it spreads through USB drives.
It periodically checks that these files still exist and immediately writes them back if they are missing.
2. It starts two hidden, empty Svchost.exe shell processes, writes the virus code into their memory, and the two processes monitor each other; Discovery.exe then exits.
3. Create a registry entry
Quote:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\discoverr, pointing to %systemroot%\system32\Discovery.exe
8. It looks for the following windows and simulates button clicks to deal with Kaspersky antivirus software:
Quote:
Active Defense Alert
Active Defense Warning
Active Defense Information
It then looks for the "Allow", "Apply to all" and "Skip" controls in those windows and sends them WM_LBUTTONDOWN and WM_LBUTTONUP messages.
9. It starts an iexplore.exe instance to download other trojans and viruses.
Before downloading, it reads the download list from Http://xxx.*.com/txt071219/208.txt and then fetches the malware according to that file list.
10. It also has the ability to infect web page files (htm, html, asp, aspx, php, jsp and so on) and to lock the IE homepage, but this behaviour was not observed during testing.
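As an added example (not code from the original post), here is a Python triage script that puts the indicators above to work: it hashes a file with MD5, SHA-1 and CRC32 and compares the result with the published values, parses an Autorun.inf to see whether it launches discovery.exe, and scans a partition root for the dropped Autorun.inf + discovery.exe pair. The Active Setup check assumes the persistence entry uses the standard StubPath value, which the post does not name; the demo partition root and its Autorun.inf are constructed test data, and the "executable" it contains is dummy bytes, not the real sample.

```python
import hashlib
import sys
import tempfile
import zlib
from pathlib import Path

# Hashes and size of the analysed sample, copied from the write-up above.
KNOWN_MD5 = "2da55f2a36e852ee6fc96d34dd520979"
KNOWN_SHA1 = "44ce8f1c1a02591a88867f421c0c658b200d94c1"
KNOWN_CRC32 = "e20e292d"
KNOWN_SIZE = 74240
# Files the sample plants in the root of every partition.
DROPPED_NAMES = {"discovery.exe", "autorun.inf"}
# Autorun.inf keys that make Windows launch a program.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
# Persistence key from the write-up; StubPath is the usual Active Setup value (assumption).
ACTIVE_SETUP_KEY = r"SOFTWARE\Microsoft\Active Setup\Installed Components\discoverr"

def hash_chunks(chunks):
    """Return (md5, sha1, crc32) as lowercase hex for an iterable of byte chunks."""
    md5, sha1, crc = hashlib.md5(), hashlib.sha1(), 0
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
        crc = zlib.crc32(chunk, crc)
    return md5.hexdigest(), sha1.hexdigest(), f"{crc & 0xFFFFFFFF:08x}"

def hash_bytes(data):
    return hash_chunks([data])

def hash_file(path):
    with open(path, "rb") as fh:  # streamed, so large files need not fit in memory
        return hash_chunks(iter(lambda: fh.read(65536), b""))

def matches_known_sample(path):
    """True only when size and all three hashes equal the published values."""
    if Path(path).stat().st_size != KNOWN_SIZE:
        return False
    return hash_file(path) == (KNOWN_MD5, KNOWN_SHA1, KNOWN_CRC32)

def parse_autorun(text):
    """Minimal INI parser: {key: value} from the [autorun] section, keys lower-cased."""
    values, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values

def autorun_launch_targets(values):
    """Programs an Autorun.inf would run, in EXEC_KEYS order."""
    return [values[key] for key in EXEC_KEYS if key in values]

def scan_root(root):
    """Inspect one partition root; returns a list of findings (empty list = clean)."""
    root = Path(root)
    findings = []
    present = {p.name.lower(): p for p in root.iterdir()
               if p.is_file() and p.name.lower() in DROPPED_NAMES}
    if "autorun.inf" in present:
        inf = present["autorun.inf"]
        for target in autorun_launch_targets(parse_autorun(inf.read_text(errors="replace"))):
            if "discovery.exe" in target.lower():
                findings.append(f"{inf}: Autorun.inf launches {target}")
    if "discovery.exe" in present:
        exe = present["discovery.exe"]
        # A different hash under the same name points to a new build, not a clean file.
        tag = "known sample" if matches_known_sample(exe) else "unknown build (new variant?)"
        findings.append(f"{exe}: discovery.exe present, {tag}")
    return findings

def active_setup_entry():
    """StubPath of the persistence key; None if absent or when not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ACTIVE_SETUP_KEY) as key:
            return winreg.QueryValueEx(key, "StubPath")[0]
    except OSError:
        return None

def build_demo_root():
    """Constructed test data: a fake partition root with the dropped pair (dummy bytes, not the sample)."""
    root = Path(tempfile.mkdtemp(prefix="discovery_demo_"))
    (root / "Autorun.inf").write_text("[autorun]\nopen=discovery.exe\nshell\\open\\command=discovery.exe\n")
    (root / "discovery.exe").write_bytes(b"MZ" + b"\x00" * 100)
    return root

if __name__ == "__main__":  # real use: pass partition roots such as C:\ D:\ E:\
    for r in sys.argv[1:] or [build_demo_root()]:
        print("\n".join(scan_root(r)) or f"{r}: clean")
    print("Active Setup StubPath:", active_setup_entry())
```

Run it with the partition roots as arguments on the affected machine, or with no arguments to scan the constructed demo directory. A discovery.exe whose hashes differ from the published ones is reported as an unknown build rather than ignored, because the post itself says new variants are circulating; the hash match is only confirmation of this exact sample.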
Workaround:
1. Unpack the IceSword archive, rename IceSword.exe to 1.com and run it.
In the menu bar click File -> Settings, tick the option that blocks thread creation (the thread-creation hook), then click OK.
Switch to the Process tab, find the red Svchost.exe entries and terminate both processes one after the other.
Click the File button in the lower left corner
and go to the file list.
Delete the following file: %systemroot%\system32\discovery.exe
as well as the Discovery.exe and Autorun.inf in the root of each partition (do not skip any partition).
2. Unpack SREng, rename SRengPS.exe to 2.com and run it.
Under Startup Items -> Registry, delete the following entries:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\discoverr]
<%systemroot%\system32\Discovery.exe> []
and delete all the red IFEO (Image File Execution Options) items.
System Repair -> Windows Shell/IE: select all and click the Repair button.
Advanced Repair -> Repair Safe Mode.
3. Use antivirus software or manual methods to remove the other downloaded viruses and trojans.