After New Year's Day, Rising Through "Cloud security" system data analysis, online recently popular "Storm One" (Worm.Script.VBS.Autorun.be) infection continues to increase, January 1 to 3 period, a total of 50,000 infected computers, and the growth rate is still accelerating. According to reports, the computer will be infected with the virus appears unusually slow pace, all the normal folder is hidden, pop-up drive was timed, and with the skull image lock the user's computer screen and so on. If the user is infected you can use full-featured security software completely Rising killing the virus, in order to restore normal operation of computer systems.
"Storm," is "Seven"
"Storm I" is different from the current mainstream HIV virus, without Daohao, download the trojan acts and other common viruses. Rising anti-virus engineers will introduce its "Seven":
1, the virus will automatically be deformed, encryption, decryption, so each time you run, the virus changes the document thoroughly, to avoid killing anti-virus software.
2, Autorun way through, allowing users to automatically run the virus opens the disk, and modify the normal system files.
3, the virus file attached in the normal system file, modify the registry, in order to achieve their own hide.
4, hide the computer all folders, and generate a shortcut, when the user opens, it will mistakenly think that is normal, but the virus has been run.
5, whenever the system date in the month and day are equal (eg, 2 February), optical drive, the virus automatically pop up.
6, the virus will use the next graph skeleton picture lock your computer screen so the user can not operate.
7 Finally, the computer allows users to run after infection rate becomes very slow and can not operate normally.
According to Rising "Cloud security" system, statistics show that the storm on the 1st virus was found as early as last October, the first mutation of the virus is Worm.Script.VBS.Autorun.bc, but has no major outbreak, two months a total of more than 40,000 cases of poisoning users. Entered after 2010, rapid growth in infection and 3 days infection 5 million subscribers, making it the fastest-growing stage destructive virus.
What is "Storm I"
This is a VBS scripting, and self-deformation by means of encryption and transmission through U disk malicious worm.
"Storm One," what harm
1, since the deformation
Virus was first through the implementation of strreverse () function to obtain the decryption function of the virus
Decryption code:
This code will read the comments part of the script file, after its decryption
After decryption run a virus, the virus will re-generate keys, encrypt the virus code is then the self-replicating.
So after each time you run the virus, its file content and viruses before running completely different.
2, self-replicating
Virus traverses every disk to the root directory and write Autorun.inf. Vbs file, when the user double-clicks to open the disk, it will trigger the virus file, get it to run.
Wscript.exe virus will copy the system to C: WindowsSystemsvchost.exe
If it is FAT format, virus will copy itself to C: WindowsSystem32, the file name is random number.
If it is NTFS format, the virus will flow through the NTFS file the way, be attached to the following file.
C: Windowsexplorer.exe
C: WindowsSystem32smss.exe
3, change the registry
The virus will modify the following registry key, key point of its virus files. When the user runs the inf, bat, cmd, reg, chm, hlp type of file, open Internet Explorer, or double-click the My Computer icon, it will trigger the virus file, get it to run.
The virus will modify the following registry key for the folder options to "Show hidden files" option is invalid.
The virus will delete the following key to the shortcut icon on the small arrow superimposed
Disappear.
The virus will modify the following registry key, open the properties of all disk automatically.
The virus will modify the following keys, so the virus can boot from the start.
4, Traverse Folder
Recursively traverse the virus each disk folder, when the traverse to the folder, the folder will be set to "Hidden + System + read-only" attribute. At the same time create a shortcut, the target point to vbs script, parameters point to a hidden folder by the virus.
Because the virus will modify the registry to view hidden files option is invalid shortcut icon will shield the small arrow, and therefore have a very confused type, so that the user is a mistake to open the folder.
5, turn off pop-up drive
Whenever the system date in the month and day of equal time (say 1 January, 2 February ... ... and so on), the virus is active, will be every 10 seconds to open and close the drive. Open the drive frequency of the current month to decide (as on January 1, each time the virus activated, will open and close the CD-ROM 1; February 2, each activation of a virus, will open and close the CD-ROM 2).
6, will call mstha.exe displays the following picture, and lock the computer, so users can not operate.
Virus running, will lock the computer screen skull image
7, ergodic process, if found regedit.exe, taskmgr.exe and other process, call the ntsd command on the end of the process, so that users can not open the registry editor and task manager and some basic system utilities.
In the end how the virus does
First use of tools, all wscript.exe and end off the path in C: windowssystemsvchost.exe process.
Run "regedit", open the Registry Editor, locate the "HKCUSoftwareMicrosoftWindows NTCurrentVersionWindowsload", view its content to point the path. In the command line, run the del command to delete the script file.
Use the NTFS file stream tools, delete attached files explorer.exe and smss.exe flow.
Use the file association fix, repair virus modified file association.
Remove the root directory of each disk and the vbs file autorun.inf.
In view of this virus to create the virus file, the path from the start the way there are quite complex, it is recommended to use Rising Antivirus software automatically killing.
Recommended links:
BPR get to the root
Ts File Extension
Unicom frankly difficult to govern without legal constraint SP is critical violations
My Performance gone?
Fireworks ring filter TO create Bright
Zhongguancun Business will have been cleaned up and returned rectifying Zanji
How to obtain the state of flip
comments Trace And Ping Tools
What Is A Vob File
Fireworks produced hidden color PHOTO
Flac to aac
EMC announced that Miss Yip pure novice to SUCCEED President, Greater China
Ulead SmartSaver Pro 3.0 Cheats bit OF communication (12)
Msvideo
Expert Icon Tools
No comments:
Post a Comment