Word Document killer Virus Technology Analysis report

Recently, Jiangmin Anti-Virus research center received from different areas of users reflect that their computer doc format Word files suddenly mysteriously missing, many of them are the accumulation of important information and manuscripts for many years, once lost, the loss will be very heavy. Curiously, the folder that holds the doc files still exists, and other types of document files such as spreadsheet xls, PowerPoint slides, and so on, are not abnormal.

After receiving the user's report, the Jiangmin anti-virus expert took the first time to extract the suspicious file sample and carried on the characteristic analysis, after the expert analysis confirmed that the user suffers the reason to infect one to "the Word Document Killer" (Trojan/deldoc) new virus, once the virus attacks, You can delete the Word documents for Office users one at a a while, and all Windows version users are not spared.

The virus is written in VB language, the virus principal file is C:\windows\doc.exe or C:\windows\doc1.exe, and the virus file can be modeled as a Word document icon: After the virus runs, it will generate virus files in the C-packing directory C:\ww.bat And C:\ww.txt, where the Ww.bat file contains a batch program that searches all Word documents on the hard drive:

dir c:\*.doc /a/b/s >>c:\ww.txt
dir d:\*.doc /a/b/s >>c:\ww.txt
dir e:\*.doc /a/b/s >>c:\ww.txt

In this way, the virus creates a list of all doc documents in the hard drive, prints it to the C:\ww.txt file, deletes the doc files one at a time, and copies the Word documents to the c:\windows\wj\ directory while deleting them, and changes the file name extension to. COM. The virus can also modify registry keys to achieve the purpose of hiding extensions.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
"CheckedValue" = dword:00000001
"UncheckedValue" = dword:00000001

This allows the user to view the file name extension in any case cannot be displayed.

Jiangmin Anti-Virus expert pointed out that this virus can also be loaded into the U disk automatically run files, so that once the user will infect the virus USB disk access to the computer, Word document Killer virus will automatically run, causing all Word documents mysteriously missing.

However, anti-virus experts also point out that the Word document killer virus is more "benevolent" because it does not completely remove the doc file and manually restore the deleted Word document: Please modify the registry key value first:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
"CheckedValue" = dword:00000001
"UncheckedValue" = dword:00000000

This allows you to display the file's extension and then go to c:\windows\wj\ to see if there are any. com files with the same name, and if so, simply change the extension to. doc to retrieve the missing word file. You can also go to the C:\WINDOWS\WJ folder at the command prompt and use the Ren *.com *.doc command to complete all the modification extension operations at once.

As shown in figure:

In this way, the Word file deleted by the virus is restored, and then upgrade the antivirus software, the overall anti-virus on it.

Jiangmin anti-Virus experts remind everyone: please do a good job of data backup, safekeeping. If you see an extension of. EXE's Word document please do not double-click directly to run, because it is likely to be a virus, in order to prevent the destruction of such viruses, jiangmin anti-virus experts recommend the majority of users install the latest anti-virus software, timely upgrade virus library, open real-time virus monitoring. Experts also recommend that users in the use of U disk, as far as possible do not turn on the automatic running function or directly double-click on the U disk, you can use the right mouse button to open the function. Jiangmin antivirus software KV2006 access to mobile storage devices to automatically check the virus function, can effectively eliminate such viruses from U disk intrusion computer.