Wednesday, August 4, 2010

"Storm the 1st" Crazy transmitted infections rose sharply to 100 000



After New Year's Day, analysis by Rising's "Cloud Security" system shows that infections by the recently widespread "Storm One" (Worm.Script.VBS.Autorun.be) continue to climb: between January 1 and 3 a total of 50,000 computers were infected, and the growth rate is still accelerating. Reported symptoms of infection include the computer becoming abnormally slow, all normal folders being hidden, the optical drive tray opening on a timer, and the screen being locked with a skull image. Infected users can remove the virus completely with Rising's full-featured security software in order to restore normal operation of the system.

"Storm," is "Seven"

"Storm I" is different from the current mainstream HIV virus, without Daohao, download the trojan acts and other common viruses. Rising anti-virus engineers will introduce its "Seven":

1. The virus mutates automatically: it encrypts and decrypts itself so that each time it runs the file contents change completely, evading anti-virus signature detection.

2. It spreads via Autorun: opening a disk automatically runs the virus, and it modifies normal system files.

3. It attaches the virus file to normal system files and modifies the registry in order to hide itself.

4. It hides all folders on the computer and generates a shortcut for each; when the user opens the shortcut it looks normal, but the virus has already run.

5. Whenever the system date has equal month and day (e.g. 2 February), the virus automatically opens the optical drive tray.

6. It locks the computer screen with a skull image so the user cannot operate.

7. Finally, after infection the computer becomes very slow and cannot be operated normally.

Statistics from Rising's "Cloud Security" system show that Storm One was first found as early as last October; the first variant was Worm.Script.VBS.Autorun.bc, but it had no major outbreak, infecting a total of just over 40,000 users in two months. After the start of 2010 infections grew rapidly, with 50,000 users infected in 3 days, making it the fastest-growing destructive virus at present.

What is "Storm One"?

It is a malicious worm written in VBScript that mutates itself by means of encryption and spreads through USB flash drives (U disks).

What harm does "Storm One" do?

1. Self-mutation

The virus first uses the StrReverse() function to obtain its decryption routine:






Decryption code:






This code reads the comment section of the script file and decrypts it:






After decryption the virus runs; it then generates a new key, re-encrypts the virus code and writes the result as its self-replicated copy.

So after each run the virus file's contents are completely different from what they were before it ran.
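To make the mutation scheme concrete, here is an added emulation in Python. It is not the worm's code, and the post does not show the worm's cipher or key handling, so the XOR-plus-base64 cipher, the comment-line layout, the marker strings and the function names below are all assumptions; the payload is a harmless string. The point it demonstrates is why a hash or byte signature of the whole file fails after a single run while the small decryptor stub stays constant, which is the part a scanner can still match:

```python
"""Emulation of a self-mutating script (added example, not the worm's code).

Layout, modelled on the description above: a short decryptor stub that never
changes, plus the real body stored encrypted inside VBScript-style comment
lines.  Each run decrypts the body, "executes" it, generates a fresh key,
re-encrypts and rewrites the file, so the bytes on disk never repeat while
the behaviour stays identical.  Cipher, markers and names are assumptions.
"""
import base64
import os

COMMENT = "'"          # VBScript comment marker, where the body is hidden
MARKER = "PAYLOAD:"    # constructed tag so the stub can find its own comments
PAYLOAD = b'MsgBox "this stands in for the worm body"'   # constructed, benign


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; its own inverse, so one function encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decryptor_name() -> str:
    """Like the StrReverse() trick: the real name never appears as a literal."""
    return "rotpyrceD"[::-1]        # evaluates to "Decryptor"


def build_generation(payload: bytes, key: bytes) -> str:
    """Assemble one on-disk generation: stub lines plus the body as comments."""
    enc = base64.b64encode(xor(payload, key)).decode()
    stub = [
        f'Set fn = GetRef("{decryptor_name()}")   \' stub: unchanged every generation',
        f"{COMMENT}KEY:{base64.b64encode(key).decode()}",
    ]
    # split the ciphertext over several comment lines, as a real script would
    body = [f"{COMMENT}{MARKER}{enc[i:i + 60]}" for i in range(0, len(enc), 60)]
    return "\n".join(stub + body) + "\n"


def extract_payload(script: str) -> bytes:
    """What the stub does at run time: pull key and body back out of the comments."""
    key = b""
    enc = ""
    for line in script.splitlines():
        if line.startswith(COMMENT + "KEY:"):
            key = base64.b64decode(line[len(COMMENT) + 4:])
        elif line.startswith(COMMENT + MARKER):
            enc += line[len(COMMENT) + len(MARKER):]
    return xor(base64.b64decode(enc), key)


def run_generation(script: str, next_key: bytes = b""):
    """Decrypt, 'run', then produce the mutated next generation under a new key."""
    payload = extract_payload(script)
    next_key = next_key or os.urandom(16)      # fresh random key per run
    return payload, build_generation(payload, next_key)


def stub_lines(script: str) -> list:
    """The lines a scanner can still match: everything that is not a comment."""
    return [ln for ln in script.splitlines() if not ln.startswith(COMMENT)]


if __name__ == "__main__":
    gen1 = build_generation(PAYLOAD, b"first-key")
    _, gen2 = run_generation(gen1)
    print("files identical:", gen1 == gen2)            # False
    print("stub identical: ", stub_lines(gen1) == stub_lines(gen2))   # True
```

Running two generations shows that the comment block changes entirely while stub_lines() is unchanged. A detection keyed on the stub's structure (the StrReverse trick, or a script that reads its own comment lines and evaluates the result) survives the mutation; a whole-file hash does not.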

2. Self-replication

The virus traverses every disk and writes an Autorun.inf and a .vbs file to its root directory; when the user double-clicks to open the disk, the virus file is triggered and runs.

The virus copies the system's wscript.exe to C:\Windows\System\svchost.exe.

If the system partition is FAT, the virus copies itself to C:\Windows\System32 under a random-number file name.

If it is NTFS, the virus attaches itself as an NTFS alternate data stream to the following files:

C:\Windows\explorer.exe

C:\Windows\System32\smss.exe






3. Registry changes

The virus modifies the following registry keys to point at its own file, so that when the user runs an inf, bat, cmd, reg, chm or hlp file, opens Internet Explorer, or double-clicks the My Computer icon, the virus file is triggered and runs.






The virus modifies the following registry key so that the "Show hidden files" option in Folder Options has no effect.






The virus deletes the following key so that the small arrow overlaid on shortcut icons disappears.











The virus modifies the following registry key to enable AutoRun for all drives.






The virus modifies the following key so that it starts at boot.






4. Folder traversal

The virus recursively traverses the folders on every disk; each folder it reaches is set to "Hidden + System + Read-only". At the same time it creates a shortcut whose target is the vbs script and whose parameter is the folder the virus has hidden.

Because the virus has disabled the "show hidden files" option in the registry and removed the small arrow from shortcut icons, the decoys are very confusing, and the user opens the shortcut by mistake believing it is the folder.
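The two on-disk traces described above (section 2's Autorun.inf plus .vbs in the drive root, and section 4's hidden folders behind same-named shortcuts) are what you would look for when triaging a USB stick. The following is an added example in Python, not from Rising or from the worm; the Autorun.inf content, the directory listing and the file names are constructed for illustration, and the attribute letters H/S/R are an assumed encoding of the Win32 Hidden, System and Read-only flags. On a live system the listing would be built from os.scandir() and the real file attributes:

```python
"""Triage of a removable drive for the tricks described above (added example).

Flags an Autorun.inf that launches a script, script files hidden in the root,
and folders set Hidden+System+Read-only that sit behind a .lnk of the same
name.  All sample data is constructed so the script runs offline.
"""
import re
from dataclasses import dataclass, field

SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")
# Autorun.inf directives that cause code to run when the drive is opened
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def autorun_launches(inf_text: str) -> list:
    """Return the commands an Autorun.inf would run; an empty list means benign.

    Tolerates mixed case, spaces around '=', blank and comment lines, so a
    casual change of spelling does not hide the directive.
    """
    hits = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.strip("[]").strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_CMD.match(key):
            hits.append(value)
    return hits


def runs_script(command: str) -> bool:
    """True if the command invokes a script host or a script file."""
    c = command.lower()
    return "wscript" in c or "cscript" in c or any(ext in c for ext in SCRIPT_EXT)


@dataclass
class Entry:
    name: str
    is_dir: bool
    attrs: set = field(default_factory=set)   # assumed encoding: {"H", "S", "R"}


def hidden_root_scripts(listing: list) -> list:
    """Script files in the root carrying the Hidden or System attribute."""
    return [e.name for e in listing
            if not e.is_dir and e.name.lower().endswith(SCRIPT_EXT)
            and ({"H", "S"} & e.attrs)]


def decoy_shortcuts(listing: list) -> list:
    """Pair each Hidden+System+Read-only folder with a .lnk of the same name."""
    links = {e.name[:-4].lower(): e.name for e in listing
             if not e.is_dir and e.name.lower().endswith(".lnk")}
    return [(e.name, links[e.name.lower()]) for e in listing
            if e.is_dir and {"H", "S", "R"} <= e.attrs and e.name.lower() in links]


def triage(inf_text: str, listing: list) -> dict:
    """Combine the three checks into one report."""
    return {
        "autorun_script": [c for c in autorun_launches(inf_text) if runs_script(c)],
        "hidden_scripts": hidden_root_scripts(listing),
        "decoys": decoy_shortcuts(listing),
    }


# constructed sample: what the root of an infected stick might look like
SAMPLE_INF = """[AutoRun]
; constructed for this example
open = wscript.exe //e:vbscript a1b2c3.vbs
shell\\open\\Command = WScript.exe a1b2c3.vbs
shell\\explore\\command=WScript.exe a1b2c3.vbs
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""
SAMPLE_LISTING = [
    Entry("autorun.inf", False, {"H", "S"}),
    Entry("a1b2c3.vbs", False, {"H", "S"}),
    Entry("Photos", True, {"H", "S", "R"}),
    Entry("Photos.lnk", False, set()),
    Entry("Work", True, {"H", "S", "R"}),
    Entry("Work.lnk", False, set()),
    Entry("readme.txt", False, set()),
    Entry("Music", True, set()),           # normal folder, no decoy
]

if __name__ == "__main__":
    for check, result in triage(SAMPLE_INF, SAMPLE_LISTING).items():
        print(f"{check}: {result}")
```

Any non-empty result is enough to treat the drive as infected; the real folder names can then be recovered by clearing the attributes on the flagged directories and deleting the matching .lnk files.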

5. Timed optical drive ejection

Whenever the system date has equal month and day (1 January, 2 February, and so on), the virus activates and opens and closes the optical drive tray every 10 seconds. How many times it opens the tray is decided by the current month (on 1 January each activation opens and closes the CD-ROM tray once; on 2 February, twice).

6. It calls mshta.exe to display a skull picture and lock the computer, so the user cannot operate.

Once running, the virus locks the screen with the skull image.

7. It enumerates running processes, and if it finds regedit.exe, taskmgr.exe or similar, it calls the ntsd command to terminate them, so the user cannot open the Registry Editor, Task Manager and other basic system utilities.

How to remove the virus manually

First, use a tool to terminate all wscript.exe processes and any process whose path is C:\Windows\System\svchost.exe. This must come first, because a running copy of the virus kills regedit.exe and taskmgr.exe as soon as they start.

Run "regedit" to open the Registry Editor, locate "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load", and read the path its value points to. From the command line, use the del command to delete that script file.

Use an NTFS file stream tool to delete the streams attached to explorer.exe and smss.exe.

Use a file association repair tool to restore the file associations the virus modified.

Delete the autorun.inf and the .vbs file from the root directory of every disk.

Since the ways this virus creates its files and startup entries are quite complex, using Rising Antivirus to remove it automatically is recommended.






