I. Virus analysis
Virus tag:
Virus name: Worm.Win32.AutoRun.bqn
Virus type: Worm
Hazard level: 2
Infected platform: Windows
Virus size: 21,504 bytes
SHA1: 01015b9f9231018a58a3ca1b5b6a27c269f807e6
Packer: PECompact v2.x -> Bitsum Technologies
Development tool: Microsoft Visual Basic 5.0/6.0
Virus behavior:
1. After running, the program drops copies of itself as
%SystemRoot%\expl0rer.exe
and
%SystemRoot%\autorun.inf
autorun.inf content:
Quote:
[Autorun]
open=expl0rer.exe
shell\open=Open(&O)
shell\open\command=expl0rer.exe
shell\open\default=1
shell\lead E=Resource Manager(&X)
shell\cmde\command=expl0rer.exe
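The autorun.inf above is what makes double-clicking the drive (or the folder verbs it installs) start the worm instead of opening the location. The following Python is an added example, not code from the original analysis: it parses an autorun.inf the way Windows reads it (one [Autorun] section, keys with backslashes), lists every key that launches a program, and flags targets that are look-alikes of explorer.exe such as expl0rer.exe. The sample input is the content reported above, typed in as a constructed string; the function and constant names are this example's own.

```python
import re

# Constructed sample input: the autorun.inf content reported in the analysis
# above (the odd "lead E" key is kept exactly as the page shows it).
SAMPLE_AUTORUN_INF = r"""[Autorun]
open=expl0rer.exe
shell\open=Open(&O)
shell\open\command=expl0rer.exe
shell\open\default=1
shell\lead E=Resource Manager(&X)
shell\cmde\command=expl0rer.exe
"""


def parse_ini(text):
    """Minimal INI reader: {section: {key: value}} with section and key names
    lower-cased. Keys keep their backslashes (e.g. shell\open\command)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Every [autorun] key that makes Windows run a program: 'open' and any
    shell\<verb>\command entry. Returned as (key, target) in file order."""
    autorun = parse_ini(text).get("autorun", {})
    return [
        (key, value)
        for key, value in autorun.items()
        if key == "open" or (key.startswith("shell\\") and key.endswith("\\command"))
    ]


def is_explorer_lookalike(filename):
    """True for names that only read as explorer.exe after swapping the digit 0
    for the letter o, the expl0rer.exe trick this worm relies on."""
    name = filename.lower()
    return name != "explorer.exe" and name.replace("0", "o") == "explorer.exe"


def flag_autorun(text):
    """Launch targets whose file name is an explorer.exe look-alike."""
    return [(key, target) for key, target in launch_targets(text)
            if is_explorer_lookalike(target.split("\\")[-1])]


if __name__ == "__main__":
    for key, target in launch_targets(SAMPLE_AUTORUN_INF):
        mark = "LOOK-ALIKE" if is_explorer_lookalike(target) else ""
        print(f"{key:24} -> {target} {mark}")
```

The parser deliberately does not use configparser, so that it tolerates the loose formatting (no quoting, keys containing spaces and backslashes) that autorun.inf files are written with; the same functions can be pointed at any autorun.inf copied off a suspect drive.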
2. In each folder it creates an executable named after that folder (<folder name>.exe).
It then sets the real folder's attributes to read-only, system and hidden. With "Do not show hidden files" in effect, every real folder disappears from view; the folder icons you still see are the virus, because the virus carries a folder icon.
3. Tampers with the registry so that hidden files, system files and file extensions are not displayed.
Major registry changes:
Values modified: 65
Quote:
New HKLM\SOFTWARE\Classes\CHM.file\shell\open\command\: "C:\WINDOWS\expl0rer.EXE %1"
Old HKLM\SOFTWARE\Classes\CHM.file\shell\open\command\: ""C:\WINDOWS\hh.exe" %1"
New HKLM\SOFTWARE\Classes\directory\shell\: "Open"
Old HKLM\SOFTWARE\Classes\directory\shell\: "NONE"
New HKLM\SOFTWARE\Classes\drive\shell\: "Open"
Old HKLM\SOFTWARE\Classes\drive\shell\: "NONE"
New HKLM\SOFTWARE\Classes\regfile\shell\open\command\: "C:\WINDOWS\expl0rer.EXE %1"
Old HKLM\SOFTWARE\Classes\regfile\shell\open\command\: "regedit.exe "%1""
New HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue: 0x00000003
Old HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue: 0x00000002
New HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000002
Old HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001
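The New/Old pairs above are the check list for this infection: the two Folder Options entries are the reason the "Show hidden files" radio button stops working (it writes CheckedValue into Explorer\Advanced\Hidden, and Explorer only shows hidden files when that value is 1), and the four Classes entries are the hijacked handlers. The Python below is an added example, not part of the original analysis: it holds the stock values from the Old column as a baseline, takes a snapshot of the same values as a plain dictionary (the dictionary format and the "\(Default)" suffix for a key's default value are this example's own convention; on a live machine it could be filled from reg query output), and reports every deviation. The snapshot used here is constructed from the New column.

```python
# Paths of the values this worm tampers with. A key's (Default) value is
# written with a trailing "\(Default)" (this example's own convention).
HIDDEN_BASE = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden"
NOHIDDEN = HIDDEN_BASE + r"\NOHIDDEN\CheckedValue"
SHOWALL = HIDDEN_BASE + r"\SHOWALL\CheckedValue"
CHM_OPEN = r"HKLM\SOFTWARE\Classes\CHM.file\shell\open\command\(Default)"
DIR_SHELL = r"HKLM\SOFTWARE\Classes\directory\shell\(Default)"
DRIVE_SHELL = r"HKLM\SOFTWARE\Classes\drive\shell\(Default)"
REG_OPEN = r"HKLM\SOFTWARE\Classes\regfile\shell\open\command\(Default)"

# Stock values, taken from the "Old" column of the analysis.
BASELINE = {
    CHM_OPEN: r'"C:\WINDOWS\hh.exe" %1',
    DIR_SHELL: "NONE",
    DRIVE_SHELL: "NONE",
    REG_OPEN: r'regedit.exe "%1"',
    NOHIDDEN: 2,
    SHOWALL: 1,
}

# Constructed snapshot of an infected machine, taken from the "New" column.
INFECTED_SNAPSHOT = {
    CHM_OPEN: r"C:\WINDOWS\expl0rer.EXE %1",
    DIR_SHELL: "Open",
    DRIVE_SHELL: "Open",
    REG_OPEN: r"C:\WINDOWS\expl0rer.EXE %1",
    NOHIDDEN: 3,
    SHOWALL: 2,
}


def _norm(value):
    """Registry data compared case-insensitively, ignoring surrounding space."""
    return str(value).strip().lower()


def _lowered(snapshot):
    """Registry paths are case-insensitive, so index the snapshot lower-cased."""
    return {path.lower(): value for path, value in snapshot.items()}


def audit(snapshot, baseline=BASELINE):
    """Return (path, expected, actual) for every baseline value the snapshot
    does not match; a value missing from the snapshot is reported with
    actual=None rather than silently passed."""
    current = _lowered(snapshot)
    findings = []
    for path, expected in baseline.items():
        actual = current.get(path.lower())
        if actual is None or _norm(actual) != _norm(expected):
            findings.append((path, expected, actual))
    return findings


def hidden_files_toggle_broken(snapshot):
    """True when choosing "Show hidden files" would no longer write 1 into
    Explorer\Advanced\Hidden, i.e. the Folder Options switch is a no-op."""
    return _lowered(snapshot).get(SHOWALL.lower()) != 1


def hijacked_handlers(snapshot, needle="expl0rer"):
    """Paths whose data mentions the worm's file name, regardless of baseline."""
    return [path for path, value in snapshot.items()
            if needle in str(value).lower()]


if __name__ == "__main__":
    for path, expected, actual in audit(INFECTED_SNAPSHOT):
        print(f"{path}\n    expected {expected!r}, found {actual!r}")
    print("hidden-files toggle broken:", hidden_files_toggle_broken(INFECTED_SNAPSHOT))
```

Running audit() again after applying the repair .reg files in section II should return an empty list; a finding that survives the repair points at a key the .reg files do not cover.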
II. Solutions
Download wsyscheck and run wsyscheck.exe; under Process Management, end the virus process expl0rer.EXE and then delete the file.
1. SREng: System Repair -> File Association -> Select All -> Auto Repair.
2. Repair the open action for drives and folders:
Quote:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\drive\shell]
@="NONE"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\drive\shell\release E]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\drive\shell\open]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\directory\shell]
@="NONE"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\directory\shell\cmde]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\directory\shell\open]
3. Show system files, hidden files and hidden folders:
Quote:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"HideFileExt"=dword:00000000
"ShowSuperHidden"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
4. Run a full scan with anti-virus software.
5. Use a third-party tool to unhide the folders on each partition; mainly, the system attribute has to be removed.
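The last step and the folder-impersonation behaviour from section I (a <folder name>.exe beside each real folder that has been set read-only, system and hidden) are two sides of the same thing, so one added example covers both. The Python below is not part of the original analysis: given a directory listing as (name, is-directory, attribute bits), it pairs every .exe with a same-named sibling folder carrying hidden+system, and turns the pairs into the attrib/del commands that restore the folder and remove the impostor. The listing is constructed; the attribute constants are the FILE_ATTRIBUTE_* bit values Windows uses, and the Entry type and function names are this example's own. A legitimately hidden+system folder with no impostor beside it (System Volume Information in the sample) is deliberately left untouched, which is the edge case a blanket "remove the system attribute everywhere" would get wrong.

```python
from dataclasses import dataclass

# FILE_ATTRIBUTE_* bits as Windows reports them (GetFileAttributes / attrib).
READONLY, HIDDEN, SYSTEM = 0x1, 0x2, 0x4


@dataclass
class Entry:
    name: str
    is_dir: bool
    attrs: int


# Constructed listing of one partition root after infection. Real folders have
# been set R+S+H and sit beside a same-named .exe; "System Volume Information"
# is a legitimately hidden+system folder with no impostor and must be left alone.
SAMPLE_LISTING = [
    Entry("Documents", True, READONLY | SYSTEM | HIDDEN),
    Entry("Documents.exe", False, 0),
    Entry("Photos", True, READONLY | SYSTEM | HIDDEN),
    Entry("Photos.exe", False, 0),
    Entry("Backup", True, 0),
    Entry("setup.exe", False, 0),
    Entry("System Volume Information", True, SYSTEM | HIDDEN),
    Entry("autorun.inf", False, HIDDEN),
]


def find_impostors(entries):
    """Pairs (exe_name, folder_name) where an .exe is named exactly like a
    sibling folder and that folder carries both hidden and system bits."""
    dirs = {e.name.lower(): e for e in entries if e.is_dir}
    hits = []
    for e in entries:
        if e.is_dir or not e.name.lower().endswith(".exe"):
            continue
        stem = e.name[:-4].lower()  # strip ".exe"
        folder = dirs.get(stem)
        if folder and (folder.attrs & (HIDDEN | SYSTEM)) == (HIDDEN | SYSTEM):
            hits.append((e.name, folder.name))
    return hits


def cleanup_plan(entries):
    """Windows shell commands to restore each hijacked folder and remove the
    impostor. attrib is the built-in tool; -s -h -r clears the system, hidden
    and read-only bits. Folders with no impostor beside them are not touched."""
    plan = []
    for exe, folder in find_impostors(entries):
        plan.append(f'attrib -s -h -r "{folder}"')
        plan.append(f'del "{exe}"')
    return plan


if __name__ == "__main__":
    for command in cleanup_plan(SAMPLE_LISTING):
        print(command)
```

On a real machine the listing would come from os.scandir() with each entry's st_file_attributes, and the plan should be reviewed before it is run: the pairing rule is what keeps genuine hidden system folders out of it.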