UbuntuLinux: Kill driver killer and robot dog Trojan

Source: Internet
Author: User
Tags: ssdt
A few days ago I accidentally visited a dubious web page. When I opened it, it was very slow; I did not pay attention and shut down. The next day, when I started up, the prompt shown in Figure (1) was displayed. In addition, the computer cannot start fully, and it is unbelievably slow: web pages cannot be opened, or it takes half an hour to open a single one. Multiple viruses are also downloaded automatically. The IP addresses it connects to automatically each time are 121.10.107.65 and 121.10.107.64, in Zhanjiang, Guangdong. Anti-virus software cannot be started at all. What should I do? Switch to the Ubuntu Linux 8.04 system immediately.

Figure (1)

Some background I found on this Trojan:

The "Driver killer" variant a (TrojanDropper.Driver.a), also known as "Killer Xiaojie", is one of the newest members of the Trojan family. It is written in VC++ 6.0 and packed. After it runs, it silently replaces the driver file beep.sys in the %SystemRoot%\system32\drivers\ directory of the infected computer (the malicious replacement driver is 2,560 bytes), then registers the malicious driver as a system service in order to restore the hooked SSDT entries (the "SSDT hook" that security software relies on). This disables the protection of some security software, so the Trojan evades its defence and detection. Finally, it deletes the malicious driver file and copies the normal original system driver beep.sys from %SystemRoot%\system32\dllcache\ back into place, restoring the system driver file it had replaced.

The virus drops its malicious DLL component as the file tmp1.tmp in the temporary folder of the infected system (13,873 bytes; attributes system, hidden and archive), drops the malicious DLL component msosdohs00.dll in %SystemRoot%\system32\ (13,873 bytes; attributes system, hidden and archive), drops the malicious driver msosmsfpfis64.sys in %SystemRoot%\system32\drivers\ (2,560 bytes; attributes system, hidden and archive), and creates a configuration file msosdohs.dat in %SystemRoot%\system32\.

While running, "Driver killer" variant a registers the malicious driver msosmsfpfis64.sys as a system service to restore the SSDT hook, disabling the protection of some security software and evading its defence and detection. The malicious DLL component msosdohs00.dll is injected into all user-level processes, where it is loaded and run so that the user does not notice it. In the background of the infected system it uses hooking and memory-interception techniques to steal the login account, login password, warehouse password, character level, amount of money, region/server, computer name and other information for the online game "Westward Journey II". The stolen information is sent in the background to the remote server specified by the attacker. Because the root directory of the server that receives the passwords is named "xiaojie", the virus is suspected to have been written by a hacker called "xiaojie", which is why it is also called "Killer Xiaojie".
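As an added example (not part of the original post), here is a small triage script a responder could run from the Ubuntu live system against the mounted Windows directory: it looks for the dropped files the description names, by path and size, and flags beep.sys when it no longer matches the dllcache copy. The constructed sample tree, the relative paths and the function names are assumptions; file attributes (system/hidden/archive) are not checked because they are not visible from a Linux mount, and tmp1.tmp is skipped because the temp folder location is not given.

```python
import hashlib
import os
import tempfile

# Indicators taken from the Trojan description above: path relative to the
# Windows directory and the file size the description gives (None = not given).
INDICATORS = {
    "system32/msosdohs00.dll": 13873,
    "system32/drivers/msosmsfpfis64.sys": 2560,
    "system32/msosdohs.dat": None,
}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_windows_root(win_root):
    """Return (kind, relative path, size) findings for a mounted Windows dir."""
    findings = []
    for rel, expected in INDICATORS.items():
        p = os.path.join(win_root, *rel.split("/"))
        if os.path.exists(p):
            actual = os.path.getsize(p)
            kind = "dropped-file" if expected in (None, actual) else "dropped-file-size-mismatch"
            findings.append((kind, rel, actual))
    # beep.sys swap check: the live driver should match the dllcache original.
    live = os.path.join(win_root, "system32", "drivers", "beep.sys")
    cache = os.path.join(win_root, "system32", "dllcache", "beep.sys")
    if os.path.exists(live) and os.path.exists(cache) and sha256_of(live) != sha256_of(cache):
        findings.append(("beep.sys-differs-from-dllcache", "system32/drivers/beep.sys", os.path.getsize(live)))
    return findings

def build_sample_tree():
    """Constructed sample (not a real infection): a fake Windows dir with the dropped files."""
    root = tempfile.mkdtemp()
    for d in ("system32/drivers", "system32/dllcache"):
        os.makedirs(os.path.join(root, *d.split("/")))
    def write(rel, data):
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    write("system32/msosdohs00.dll", b"X" * 13873)
    write("system32/drivers/msosmsfpfis64.sys", b"Y" * 2560)
    write("system32/msosdohs.dat", b"cfg")
    write("system32/drivers/beep.sys", b"Y" * 2560)   # swapped-in 2,560-byte driver
    write("system32/dllcache/beep.sys", b"B" * 4096)  # original cached copy
    return root

if __name__ == "__main__":
    for finding in scan_windows_root(build_sample_tree()):
        print(finding)
```

On a real mount, pass the path of the Windows directory (for example /mnt/win/WINDOWS) as `win_root`; NTFS mounted under Linux may be case-sensitive, so match the directory names as they appear on disk.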

Jiang Min's anti-virus experts remind users that all of the above viruses can disable anti-virus software, so computer users should install anti-virus software with self-protection to keep their data safe, update the virus database promptly, and enable "active defence" and "real-time monitoring" to block viruses before they enter the system.
