Watch out for a random trojan that drops virus files in the system

Source: Internet
Author: User

Users need to watch out for a random trojan that monitors Kaspersky. The trojan drops virus files in the system, creates a registry service entry, disables Automatic Updates and downloads further trojans ......

"Fantasy Theft 15360" (Win32.Troj.MBER.a.15360) is a trojan program. After it runs, it drops its virus files and injects them into the services.exe or explorer.exe system process to hide itself, downloads an account-stealing program from the network, and steals accounts for the online game Fantasy Westward Journey.

"Random Trojan 77856" (Win32.Troj.Unknown.B.77856) is a trojan program. It drops virus files in two system folders and creates a registry service entry so that it starts automatically. It disables Windows Automatic Updates by modifying the registry, modifies the system time, and watches for the window of the Kaspersky antivirus software. It downloads a large number of trojans from the network, stores them on the victim's computer and runs them.

I. Threat level: "Fantasy Theft 15360" (Win32.Troj.MBER.a.15360): ★

1. The following virus files are created after the trojan runs:

%Windows%\system32\LYLOADER.EXE

%Windows%\system32\MSDEG32.DLL

%Windows%\system32\LYMANGR.DLL

%Windows%\system32\Verify.exe

2. After the trojan has run successfully, its original file is deleted automatically.

3. When the services.exe or explorer.exe process is found, a remote thread is created in it (loading LYMANGR.DLL and MSDEG32.DLL).

4. The trojan adds a startup item (a startup item is a program that runs when the system starts):

Startup item name: LYLoader.exe   Path: %Windows%\system32\LYLOADER.EXE

5. The trojan also downloads further malware from the network by IP address.

6. msdeg32.dll is injected into the explorer.exe or services.exe process and enumerates running processes to find a Fantasy Westward Journey process. Once that process is found, Verify.exe carries out the account theft.

7. The account information sent out includes the following:

Account, password, zone (server) name, cash amount, deposit

8. The stolen Fantasy Westward Journey account information is sent to the following URLs:

http://5*****a.com/mh2007/post2007kj.asp

http://www.r***wd.com/cs03/post.asp
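To check a host for the indicators listed in this section (the dropped files, the LYLoader.exe startup entry, the DLLs injected into explorer.exe or services.exe) and for the Automatic Updates change attributed to "Random Trojan 77856", here is a PowerShell triage script. It is an added example, not part of the original bulletin and not the antivirus vendor's tooling. The bulletin does not say which startup mechanism or which registry values the trojans use, so the Run keys and the two Windows Update registry locations checked below are assumptions; adjust them if you have better indicators.

```powershell
# Host triage for the indicators in the "Fantasy Theft 15360" write-up.
# Added example, not from the original bulletin. Assumptions are marked.
# Run from an elevated PowerShell prompt on the machine being checked.

$sys32 = Join-Path $env:SystemRoot 'system32'

# 1. Dropped files named in the bulletin (hashed so they can be shared as IOCs).
$droppedFiles = 'LYLOADER.EXE', 'MSDEG32.DLL', 'LYMANGR.DLL', 'Verify.exe'
foreach ($name in $droppedFiles) {
    $path = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Output "SUSPECT FILE: $path  SHA256=$hash"
    }
}

# 2. Startup item "LYLoader.exe". The bulletin does not name the mechanism;
#    the HKLM/HKCU Run keys are checked here as an assumption.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^PS') { continue }   # skip PSPath/PSParentPath metadata
        if ($p.Name -like '*LYLoader*' -or "$($p.Value)" -like '*LYLOADER.EXE*') {
            Write-Output "SUSPECT STARTUP: $key  $($p.Name) = $($p.Value)"
        }
    }
}

# 3. DLLs loaded into explorer.exe / services.exe by the remote thread.
#    Enumerating services.exe modules needs an elevated shell of matching
#    bitness; failures are reported rather than silently skipped.
$injected = 'LYMANGR.DLL', 'MSDEG32.DLL'
foreach ($proc in Get-Process -Name explorer, services -ErrorAction SilentlyContinue) {
    try {
        foreach ($m in $proc.Modules) {
            if ($injected -contains $m.ModuleName.ToUpper()) {
                Write-Output "SUSPECT MODULE: $($proc.ProcessName) (PID $($proc.Id)) loaded $($m.FileName)"
            }
        }
    } catch {
        Write-Output "Could not enumerate modules of $($proc.ProcessName) (PID $($proc.Id)): $($_.Exception.Message)"
    }
}

# 4. Automatic Updates disabled through the registry ("Random Trojan 77856").
#    The bulletin names no key; these two well-known locations are an assumption.
$auPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($auPolicy -and $auPolicy.NoAutoUpdate -eq 1) {
    Write-Output 'SUSPECT CONFIG: Automatic Updates disabled by policy (NoAutoUpdate = 1)'
}
$auLegacy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
if ($auLegacy -and $auLegacy.AUOptions -eq 1) {
    Write-Output 'SUSPECT CONFIG: Automatic Updates disabled (AUOptions = 1)'
}
```

The script only reports; it does not delete files or kill processes, because a positive hit on a modified system should be preserved for investigation before cleanup. The system-time tampering attributed to the 77856 variant is not covered here: it has to be checked against a trusted time source (for example with w32tm /stripchart against a known-good NTP server) rather than from the local clock alone.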
