The National Computer Virus Emergency Response Center has detected, through monitoring of the Internet, a compound virus named "Eni". The virus spreads through a vulnerability in the way Microsoft Windows handles ANI (animated cursor) files, infects normal executables and local web page files, sends e-mail, and infects USB drives and other removable storage media. Once a computer is infected, the virus also automatically downloads Trojan horse programs, causing further harm.
The worm has many variants and spread rapidly in a short period of time. Infected users find it difficult to remove completely, which causes considerable disruption to their work.
The worm is analyzed as follows:
Virus name: WORM_MYINFECT.AF
Chinese name: "Eni"
Other names: I-Worm/AniLoad (Jiangmin)
Worm.MyInfect (Jinshan)
Worm.DlOnlineGames (Rising)
Virus type: compound
Affected systems: Windows 9x / Windows Me / Windows NT / Windows 2000 / Windows XP / Windows 2003 / Windows Vista
Virus characteristics:
1. Creation of virus files
After the virus runs, it copies itself to the following location: %sysdir%\sysload3.exe
2. Registry modification
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "System Boot Check" = "%sysdir%\sysload3.exe"
This entry makes the virus run automatically at Windows startup.
3. Infection of system files
It can infect executable files and script files on local disks and in network shared directories.
(1) Executable files
The infected file and the virus are merged into a single file (the original file is appended to the tail of the virus body), which completes the infection.
(2) Script files
At the end of these script files it appends a reference that downloads a further script file; that script contains the following code:
The two image links in that code exploit the ANI vulnerability: the image files contain overflow attack code, so opening the Noindex.js web page infects the system.
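The advisory only says that the image files carry overflow code for the ANI flaw. An ANI file is a RIFF container of form type ACON whose 'anih' chunk holds the 36-byte ANIHEADER structure, and the flaw fixed by the KB925902 update concerned an anih chunk whose declared length is not the 36 bytes the loader copies it into. The following structural checker is an added example (not tooling from the advisory or any vendor named on it): it walks the chunk tree of a file and reports anih chunks of the wrong size and chunks that overrun the file, which is how a gateway or mail filter can reject malformed cursors before they reach an unpatched host. The sample files are constructed in the code and are zero-filled, not captured samples.

```python
"""Structural checker for ANI (animated cursor) files: flags anih chunks whose declared
length is not sizeof(ANIHEADER) and chunks that run past the end of the file."""
import struct

ANIHEADER_SIZE = 36  # sizeof(ANIHEADER): nine DWORD fields


def iter_chunks(data: bytes, start: int, end: int):
    """Yield (fourcc, declared_size, payload_offset) for each RIFF chunk in data[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc, size = struct.unpack_from("<4sI", data, pos)
        payload = pos + 8
        yield fourcc, size, payload
        # RIFF chunks are word-aligned: an odd-length chunk is followed by one pad byte.
        pos = payload + size + (size & 1)


def check_ani(data: bytes) -> list:
    """Return a list of structural problems; an empty list means the file looks well formed."""
    problems = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON (animated cursor) file"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 != len(data):
        problems.append(f"RIFF size {riff_size} does not match payload length {len(data) - 8}")
    anih_seen = 0

    def walk(start: int, end: int) -> None:
        nonlocal anih_seen
        for fourcc, size, payload in iter_chunks(data, start, end):
            if payload + size > end:
                problems.append(f"chunk {fourcc!r} declares {size} bytes but only {end - payload} remain")
                return
            if fourcc == b"anih":
                anih_seen += 1
                if size != ANIHEADER_SIZE:
                    problems.append(f"anih chunk declares {size} bytes, ANIHEADER is {ANIHEADER_SIZE}")
            elif fourcc == b"LIST":
                walk(payload + 4, payload + size)  # skip the list-type fourcc, then recurse

    walk(12, len(data))
    if anih_seen == 0:
        problems.append("no anih chunk found")
    return problems


# --- constructed samples (built here, not files from the advisory) ---------------------------
def riff_chunk(fourcc: bytes, payload: bytes) -> bytes:
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_ani(anih_payload: bytes) -> bytes:
    """Minimal ACON file holding a single anih chunk with the given payload."""
    body = b"ACON" + riff_chunk(b"anih", anih_payload)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Well-formed 36-byte header: cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags.
GOOD_ANIHEADER = struct.pack("<9I", 36, 1, 1, 32, 32, 0, 0, 10, 1)
# An anih chunk declaring 64 zero bytes: structurally invalid, harmless content.
OVERSIZED_ANIHEADER = bytes(64)

if __name__ == "__main__":
    for label, sample in (("well-formed", build_ani(GOOD_ANIHEADER)),
                          ("oversized anih", build_ani(OVERSIZED_ANIHEADER)),
                          ("truncated", build_ani(GOOD_ANIHEADER)[:-10])):
        print(label, "->", check_ani(sample) or "OK")
```

The checker is deliberately strict: a real cursor may carry additional LIST chunks with frames and rate tables, and those are walked too, but anything declaring an anih of any size other than 36 bytes is reported regardless of where it sits in the tree.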
4. Download of files from designated URLs
It downloads Trojan programs and virus update programs from specified URLs.
5. Spread by e-mail
The virus e-mail has the following characteristics:
Sender: I_love_cq@sohu.com
Subject: Who did you film that video with? I'll give you a laugh!
Body:
Look at your video! I think you are famous!
Look at this address! Your face is so clear! You've become a star! http://****.microfsot.com/***/134952.htm
If the user opens the linked page, which carries the virus, the computer is infected.
6. Other
It traverses all drives from A to Z and, if a drive is removable storage, creates an autorun.inf on it in order to spread. It checks for a floppy drive and, if one is present, copies the virus file there under the name Tool.exe and generates an Autorun.inf file so that the virus runs automatically and propagates itself. It modifies the Hosts file to block multiple URLs, most of them sites previously used to spread other viruses.
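The three host-side traces described above (the Run-key entry, the autorun.inf dropped on removable media, and the hosts-file tampering) are what an incident responder checks for. The following triage script is an added example, not the advisory's or any vendor's removal tool: it works over text an analyst has already exported from the suspect machine (a `reg export` of the Run key, the autorun.inf from a USB or floppy disk, and the hosts file), so it runs offline and never touches a live registry. The sample inputs are constructed; the paths, domains and the `ctfmon.exe` entry are illustrative, while the value name and file names come from the advisory.

```python
"""Offline triage of the artifacts the advisory attributes to this worm: Run-key persistence,
autorun.inf on removable media and hosts-file tampering."""
import configparser
import re

RUN_VALUE_NAME = "System Boot Check"            # value name quoted in the advisory
DROPPED_FILES = {"sysload3.exe", "tool.exe"}    # file names quoted in the advisory
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def run_key_findings(reg_export: str) -> list:
    """Flag Run-key values in a `reg export` dump that match the worm's persistence entry."""
    findings = []
    # reg export writes string values as "Name"="data" with backslashes doubled.
    for name, data in re.findall(r'^"([^"]+)"="([^"]*)"', reg_export, re.MULTILINE):
        path = data.replace("\\\\", "\\")
        exe = path.split("\\")[-1].lower()
        if name == RUN_VALUE_NAME or exe in DROPPED_FILES:
            findings.append(f"Run value {name!r} launches {path}")
    return findings


def autorun_findings(autorun_inf: str) -> list:
    """Report what an autorun.inf would launch; on removable media that is how this worm runs."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(autorun_inf)
    findings = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key in ("open", "shellexecute", "shell\\open\\command"):
            if parser.has_option(section, key):
                target = parser.get(section, key)
                known = target.split("\\")[-1].lower() in DROPPED_FILES
                flag = " (matches dropped file name)" if known else ""
                findings.append(f"autorun.inf {key}= launches {target}{flag}")
    return findings


def hosts_findings(hosts_text: str) -> list:
    """List hostnames pinned to a sink address; the advisory says the worm does this to block
    sites that earlier malware used."""
    findings = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if addr in SINK_ADDRESSES:
            findings.extend(f"hosts file sinkholes {n}" for n in names
                            if n.lower() not in ("localhost", "localhost.localdomain"))
    return findings


def triage(reg_export: str, autorun_inf: str, hosts_text: str) -> list:
    return run_key_findings(reg_export) + autorun_findings(autorun_inf) + hosts_findings(hosts_text)


# --- constructed samples; paths, domains and the ctfmon entry are illustrative, not captured data ---
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"System Boot Check"="C:\\WINDOWS\\system32\\sysload3.exe"
"""

SAMPLE_AUTORUN_INF = """[autorun]
open=Tool.exe
shellexecute=Tool.exe
icon=Tool.exe,0
"""

SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1       localhost
127.0.0.1       update.blocked-site.example
127.0.0.1       www.another-blocked-site.example
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_EXPORT, SAMPLE_AUTORUN_INF, SAMPLE_HOSTS):
        print(finding)
```

Matching on the value name alone is brittle across variants, which is why the Run-key check also looks at the launched file name; in practice a responder would extend `DROPPED_FILES` from a vendor's current description of the variant at hand.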
Workaround:
1. Users who are not yet infected should install the latest operating system patch (KB925902) as soon as possible, update their anti-virus software promptly, and turn on the anti-virus software's "real-time monitoring" function.
2. Users whose computers are already infected with a variant should download the removal tool as soon as possible to remove the virus and repair the system, and install Microsoft's latest operating system patch (KB925902).
Preventive measures:
1. Users on a local area network should avoid creating writable shared directories; where a shared directory has already been created, sharing should be stopped immediately.
2. Unless it is necessary, Windows 2000/XP users should close the IPC$ share and set complex passwords on accounts with administrator rights.
3. Install Microsoft's security updates promptly and do not visit websites of unknown origin.
4. Install anti-virus software on the computer and update its virus definition library promptly.
5. When exchanging files via USB disks and other mobile devices, users must turn on the anti-virus software's "real-time monitoring" function or scan the device with anti-virus software first, and turn off the AutoPlay function.
6. Users should be cautious with the operating system's default "AutoPlay" function to prevent infection while using removable storage media. Users with administrator privileges can turn off this feature as follows:
Windows XP users:
"Start" -> "Run" -> enter "gpedit.msc" and click OK to open Group Policy;
Expand "Computer Configuration" -> "Administrative Templates" -> click the "System" item;
In the settings pane on the right, double-click "Turn off Autoplay" to open its properties;
In the properties box select "Enabled", choose all drives, and click "OK";
Then expand "User Configuration" -> "Administrative Templates" -> click the "System" item;
In the settings pane on the right, double-click "Turn off Autoplay" to open its properties;
In the properties box select "Enabled", choose all drives, and click "OK".
AutoPlay is now turned off.
Note: Windows 2000 users open Group Policy as follows: "Start" -> "Run" ->
enter MMC -> click OK to open the console; on the Console menu select Add/Remove Snap-in, click Add, select Group Policy -> Add.
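The Group Policy steps above write the NoDriveTypeAutoRun value under Policies\Explorer, in HKLM for the Computer Configuration half and in HKCU for the User Configuration half; choosing all drives stores 0xFF. Each bit disables AutoRun for one drive type, numbered as the Windows GetDriveType() function numbers them, and 0x91 is the Windows XP default when no policy has been applied. The decoder below is an added example (not from the advisory) for verifying that the policy actually landed, e.g. when auditing a fleet from exported registry data: it reads the value out of a `reg export` dump and names the drive types on which autorun.inf would still execute. The registry dump is constructed; the key paths and bit meanings are standard Windows facts, not taken from the page.

```python
"""Decode the NoDriveTypeAutoRun policy value and report which drive types still AutoRun."""

# Bit n disables AutoRun for drive type n as returned by GetDriveType().
DRIVE_TYPES = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # USB sticks and floppies: the media this worm spreads on
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved",
}
ALL_DRIVES = 0xFF     # written by "Turn off Autoplay" = Enabled, all drives
XP_DEFAULT = 0x91     # Windows XP default when no policy has been applied

HKLM_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
HKCU_POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def autoplay_still_enabled(value: int) -> list:
    """Drive types whose AutoRun bit is clear, i.e. where autorun.inf still executes."""
    return [name for bit, name in DRIVE_TYPES.items() if not value & bit]


def read_policy_values(reg_export: str) -> dict:
    """Map each exported key that holds NoDriveTypeAutoRun to its integer value."""
    values = {}
    current_key = None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and line.startswith('"NoDriveTypeAutoRun"=dword:'):
            values[current_key] = int(line.split("dword:", 1)[1], 16)
    return values


def assess(value: int) -> dict:
    """Summarise one policy value for an audit report."""
    enabled = autoplay_still_enabled(value)
    return {
        "value": f"0x{value:02X}",
        "autoplay_enabled_for": enabled,
        "removable_media_protected": "DRIVE_REMOVABLE" not in enabled,
    }


# --- constructed registry dump: one hardened scope, one left at the XP default ---------------
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

if __name__ == "__main__":
    for key, value in read_policy_values(SAMPLE_REG_EXPORT).items():
        print(key)
        print("  ", assess(value))
```

A value is only as good as the scope it is read from: the advisory's procedure sets the policy in both Computer Configuration and User Configuration, so an audit should check both keys rather than assume that one of them covers the other.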