AV Terminator introduction (from Baidu Knowledge)
"AV Terminator" is a family of viruses that attack anti-virus software, disable Windows Safe Mode, and implant Trojans. The name refers to a group of viruses, Trojans, and worms with the destructive behaviour described below; the "AV" in "AV Terminator" is short for "anti-virus". It disables the normal monitoring and protection functions of a large number of anti-virus products and personal firewalls, degrading the security of the user's computer and leaving it open to other viruses. At the same time, it downloads and runs account-stealing viruses and other malicious programs, seriously threatening the user's online assets. It also prevents the computer from booting into Safe Mode and spreads through removable disks. Many new variants have already appeared and may spread widely on the Internet. One of the most vicious points of the "AV Terminator" design is that even reinstalling the operating system does not solve the problem: after the system disk is formatted, the machine is easily reinfected, because double-clicking any other drive letter runs the virus again. "AV Terminator" completely destroys the security defences of the user's computer, leaving it with almost no protection. It then automatically connects to a website and downloads hundreds of Trojans, including account-theft Trojans, adware Trojans, and other risky programs. Once the computer can no longer resist, the user's online banking, online game accounts, QQ passwords, and confidential files are all in extreme danger.
AV Terminator
Virus name: AV Terminator
Propagation method: removable flash storage and Windows vulnerabilities
Destruction method: process injection
Virus file name: 8 random characters
Self-protection: image hijacking (IFEO)
Virus objective: to download a large number of Trojans from the network
Hazard level: ★★★★★
Recently, a powerful and destructive virus, "AV Terminator", has appeared on the Internet. In less than a month it has produced hundreds of variants and affected more than 10 million users; the virus behaves abnormally and is hard to detect once a machine is infected.
"AV Terminator" is a virus whose file name consists of 8 random digits and letters. It is a flash-drive-parasitic virus, spreading through storage media such as USB flash drives or through web injection.
1. What is "AV Terminator"
After the "AV Terminator" virus runs, it generates the following files in the system, where the file name is randomly generated: C:\Program Files\Common Files\Microsoft Shared\MSInfo\<random name>.dat, C:\Program Files\Common Files\Microsoft Shared\MSInfo\<random name>.dll, and C:\Windows\<random name>.chm.
The virus file name of "AV Terminator" is a random combination of uppercase letters and digits, 8 characters long, so the probability of two infections producing the same name is very low. Therefore, even when we know a file was generated by the virus, we should not expect to find removal instructions on the Internet by searching for that file name.
After the "AV Terminator" virus runs, it copies the virus file and an autorun.inf file to every local and removable disk. When you double-click a drive letter, the virus is activated, so even reinstalling the system does not remove it completely. This is a popular method of spreading viruses. Many users know to delete the autorun.inf file generated by the virus, but when we open "Folder Options" to show hidden files, we find that the option has been disabled by the virus.
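The autorun.inf launcher described above can be checked offline. The following is an added example, not code from the original article: it parses the launch directives of an autorun.inf file (open, shellexecute and shell\...\command entries) and flags any target whose file name looks like the 8-character random name the virus uses. The sample file is constructed for the example, and the name X7K2M9QA.exe is a placeholder, not a real indicator.

```python
import re

# Constructed sample autorun.inf modelled on the behaviour described above.
# X7K2M9QA.exe is a placeholder name, not a real sample.
SAMPLE_AUTORUN = r"""[AutoRun]
open=X7K2M9QA.exe
shell\open=Open(&O)
shell\open\Command=X7K2M9QA.exe
shell\explore=Explorer(&X)
shell\explore\Command=X7K2M9QA.exe
shellexecute=X7K2M9QA.exe
"""

# A benign autorun.inf, constructed for comparison.
BENIGN_AUTORUN = r"""[AutoRun]
open=setup.exe
icon=setup.exe,0
"""

# 8 uppercase letters/digits followed by an executable-type extension
# (assumed heuristic based on the naming scheme described in the text).
RANDOM_NAME = re.compile(r"^[A-Z0-9]{8}\.(exe|dat|dll|chm|com|pif|scr)$", re.I)


def parse_autorun(text):
    """Return a dict of launch directive (lower-cased key) -> target string.

    Only directives that cause code to run are kept: open=, shellexecute=,
    and shell\<verb>\command=. Labels, icons and comments are ignored.
    """
    launch = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        value = value.strip().strip('"')
        is_shell_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in ("open", "shellexecute") or is_shell_cmd:
            launch[key] = value
    return launch


def suspicious_targets(text):
    """Return (directive, target) pairs whose target has a random-looking name."""
    findings = []
    for key, target in parse_autorun(text).items():
        # Take the file name only: drop any directory part and any arguments.
        name = target.split("\\")[-1].split("/")[-1].split(" ")[0]
        if RANDOM_NAME.match(name):
            findings.append((key, target))
    return findings


if __name__ == "__main__":
    for key, target in suspicious_targets(SAMPLE_AUTORUN):
        print(f"suspicious launcher: {key} -> {target}")
```

In practice a defender treats any autorun.inf with a launch directive on a removable disk as suspect; the random-name check only raises the priority of entries that match this family's naming scheme.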
Attacks against anti-virus software are a hallmark of "AV Terminator". The virus terminates the processes of most anti-virus software and security tools; the vast majority of anti-virus products and security tools in China are on its blacklist. Once the anti-virus software has been knocked out temporarily, the virus presses the attack and uses image hijacking to render the anti-virus software permanently unusable.
Image hijacking works by creating, under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, a subkey named after each anti-virus and security tool program. After creating the subkey, the virus adds a "Debugger" value to it with the data "C:\progra~1\common~1\micros~1\msinfo\cc73b2.dat". As a result, when we launch the main program of the anti-virus software, what actually runs is the virus program.
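The IFEO hijack above leaves a visible trace in the registry, and a defender can audit it from an exported .reg file without running anything on the infected machine. The following is an added example, not code from the original article: it parses a .reg export of the Image File Execution Options key, collects every subkey that carries a "Debugger" value, and flags the ones whose debugger target looks like the hijack described in the text (a non-.exe target, a target under the MSInfo directory named above, or a short 8.3-style path). The export and the program names avmain.exe, sectool.exe and myapp.exe are constructed placeholders; the cc73b2.dat path is the one quoted in the text.

```python
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Constructed .reg export (not a real capture). Program names are placeholders;
# the first two entries mimic the hijack described above, the third is a
# legitimate developer use of the Debugger value for comparison.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmain.exe]
"Debugger"="C:\\progra~1\\common~1\\micros~1\\msinfo\\cc73b2.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sectool.exe]
"Debugger"="C:\\progra~1\\common~1\\micros~1\\msinfo\\cc73b2.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="C:\\Program Files\\Debugging Tools\\windbg.exe"
"GlobalFlag"=dword:00000000
"""


def _unescape_reg_string(value):
    """Undo .reg string escaping: \\ -> \ and \" -> " (order matters)."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_ifeo_debuggers(reg_text):
    """Return {program name: debugger path} for IFEO subkeys with a Debugger value."""
    debuggers = {}
    current = None  # program name of the IFEO subkey being read, or None
    prefix = IFEO_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = path[len(prefix):] if path.lower().startswith(prefix) else None
        elif current and line.lower().startswith('"debugger"='):
            value = line.split("=", 1)[1].strip()
            if value.startswith('"') and value.endswith('"'):
                value = _unescape_reg_string(value[1:-1])
            debuggers[current] = value
    return debuggers


def assess_ifeo(reg_text):
    """Return (program, debugger, reasons) for every Debugger entry.

    An empty reasons list means nothing about the target matched the
    hijack pattern; the heuristics are assumptions drawn from the text.
    """
    findings = []
    for program, debugger in parse_ifeo_debuggers(reg_text).items():
        reasons = []
        ext = debugger.rsplit(".", 1)[-1].lower() if "." in debugger else ""
        if ext != "exe":
            reasons.append("debugger target is not an .exe")
        if "msinfo" in debugger.lower():
            reasons.append("target lives under Microsoft Shared\\MSInfo")
        if "~1" in debugger:
            reasons.append("8.3 short-name path")
        findings.append((program, debugger, reasons))
    return findings


def hijacked_programs(reg_text):
    """Sorted names of programs whose Debugger entry matched at least one reason."""
    return sorted(p for p, _, r in assess_ifeo(reg_text) if r)


if __name__ == "__main__":
    for program, debugger, reasons in assess_ifeo(SAMPLE_REG):
        status = "HIJACKED" if reasons else "ok"
        print(f"{status:8} {program} -> {debugger} {reasons}")
```

Any Debugger value under IFEO deserves a look, since legitimate uses are rare outside development machines; the heuristics here only rank the entries, and the cleanup step is deleting the offending subkeys once the virus process that re-creates them has been stopped.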
To avoid exposing itself in Task Manager, the virus injects its code into the system's resource manager process (cmd.exe), so the virus process cannot be found through "Task Manager". The main job of the injected code is to monitor the user's actions on the system. For example, if you try to remove the virus manually by editing the registry, the virus undoes your registry changes after a short while, making manual removal even harder. Another function is to monitor Internet Explorer windows and immediately close any web page when it detects the user searching for information about the virus.
In addition, the virus damages the Windows Firewall and Safe Mode, leaving the user no way to recover. Most importantly, the virus downloads a large number of Trojans from the network to steal the user's game account information, which is its real purpose.