The virus that broke out in winter vacation
0. Worm.WhBoy.h (the "Panda Burning Incense" virus)

This is a file-infecting worm: it infects exe, com, pif, src, html and asp files on the system.

It also terminates the processes of many anti-virus products.

1: Copy file

After the virus runs, it copies itself to:

C:\WINDOWS\System32\Drivers\spoclsv.exe

2: Add registry autorun

The virus adds a self-start item under:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

svcshare -> C:\WINDOWS\System32\Drivers\spoclsv.exe

3: Virus behavior

A: Every 1 second

Enumerate the windows on the desktop and close any program whose window title contains one of the following strings:

QQKav

QQAV

firewall

process

Virus scanning

Netdart

disinfect

Duba

rising antivirus software

Jiang Min

Huangshan IE

super rabbit

Master of optimization

Trojan horse trainer

Trojan sweeper

QQ virus

Registry editor

Microsoft system configuration

Kaspersky anti-virus software

Symantec antivirus software

Duba

Respect process

Lvying computer

Password anti-theft

bacteriophage

Trojan auxiliary finder

System security monitor

Packaging gifts Heizai

Winsock expert

Trojan horse testing master

msctls_statusbar32

Pjf (University of Science and Technology of China)

IceSword

It also closes the security tool IceSword by simulating keystrokes (keyboard mapping).

It re-adds its registry autorun item:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

svcshare -> C:\WINDOWS\System32\Drivers\spoclsv.exe

And it terminates the following processes on the system:

Mcshield.exe

VsTskMgr.exe

naPrdMgr.exe

UpdaterUI.exe

TBMon.exe

scan32.exe

Ravmond.exe

CCenter.exe

RavTask.exe

Rav.exe

Ravmon.exe

RavmonD.exe

RavStub.exe

KVXP.kxp

kvMonXP.kxp

KVCenter.kxp

KVSrvXP.exe

KRegEx.exe

UIHost.exe

TrojDie.kxp

FrogAgent.exe

Logo1_.exe

Logo_ 1.exe

Rundl132.exe

B: Every 18 seconds

Open the web page designated by the virus author, and use the command line to check whether the system has any shares;

if shares exist, run the net share command to remove the admin$ share.

C: Every 10 seconds

Download the file specified by the virus author, and use the command line to check whether the system has any shares;

if shares exist, run the net share command to remove the admin$ share.

D: Every 6 seconds

Delete the security software's values under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

RavTask

KvMonXP

kav

KAVPersonal50

McAfeeUpdaterUI

Network Associates error reporting service

ShStartEXE

YLive.exe

Yasis

It also sets the following value so that Explorer no longer shows hidden files:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

CheckedValue -> 0x00

Delete the following services:

navapsvc

wscsvc

KPfwSvc

SNDSrvc

ccProxy

ccEvtMgr

ccSetMgr

SPBBCSvc

Symantec Core LC

NPFMntor

MskService

FireSvc

E: Infected files

The virus infects files with the extensions exe, pif, com and src by attaching itself to the file header.

It also appends a web address to files with the extensions htm, html, asp, php, jsp and aspx;

as soon as the user opens such a file, IE loads the written URL in the background,

which increases the page's click count. The virus does not infect files under folders with the following names:

Windows

Winnt

System Volume Information

Recycled

Windows NT

WindowsUpdate

Windows Media Player

Outlook Express

Internet Explorer

NetMeeting

Common Files

ComPlus Applications

Messenger

InstallShield Installation Information

MSN

Microsoft Frontpage

Movie Maker

MSN Gamin Zone

G: Delete files

The virus deletes files with the extension gho, the backup files of the system backup tool GHOST,

so the user's system backup files are lost.

1. Win32.Troj.Nilage.g (Trojan horse)

2. Win32.Lunhui.a (Win32 virus)

3. Win32.Troj.Jozaz.b (extortion Trojan horse)

4. Win32.Nemsi.a (Nim Win32 virus)

5. Win32.Troj.AdSetup.dx (Trojan horse)

This is a file-infecting virus. Files infected by it try to open a designated website and get through the firewall, which is very harmful.

1. It creates a mutex:

"LiveUpdateMutex"

2. It enumerates processes, finds the explorer.exe process and injects code into it. The injected code watches for an iexplore.exe process and, when one is found, injects itself into iexplore.exe as well.

It then connects to the specified URL.
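The following read-only triage script is an added example, not code from the original page; it checks a Windows host for the artifacts the page attributes to Worm.WhBoy.h (dropped file, svcshare autorun value, SHOWALL\CheckedValue, deleted services, removed admin$ share) and the LiveUpdateMutex named for Win32.Troj.AdSetup.dx. It assumes it runs elevated on the host and it cleans nothing; a missing service or a mutex name is only an indicator, since other software may legitimately account for it.

```powershell
# Added example: read-only triage for the indicators listed on this page.
# All names below come from the page; the script reports, it does not remediate.
$findings = @()

# 1. Dropped copy of the worm under the drivers folder
$dropPath = Join-Path $env:SystemRoot 'System32\Drivers\spoclsv.exe'
if (Test-Path $dropPath) { $findings += "dropped file present: $dropPath" }

# 2. Autorun value 'svcshare' under HKCU ...\Run
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['svcshare']) {
    $findings += "HKCU Run\svcshare = $($run.svcshare)"
}

# 3. Explorer forced to hide hidden files (CheckedValue set to 0)
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue).CheckedValue
if ($null -ne $cv -and $cv -eq 0) { $findings += 'SHOWALL\CheckedValue is 0 (hidden files suppressed)' }

# 4. Security services the worm deletes; report any that are absent
$services = 'navapsvc','wscsvc','KPfwSvc','SNDSrvc','ccProxy','ccEvtMgr','ccSetMgr',
            'SPBBCSvc','Symantec Core LC','NPFMntor','MskService','FireSvc'
$missing = $services | Where-Object { -not (Get-Service -Name $_ -ErrorAction SilentlyContinue) }
if ($missing) { $findings += "services not present: $($missing -join ', ')" }

# 5. admin$ share removed (the worm runs 'net share' to delete it)
$shares = net share 2>$null
if (-not ($shares -match '^ADMIN\$')) { $findings += 'admin$ share is not present' }

# 6. LiveUpdateMutex held by a running process (Win32.Troj.AdSetup.dx indicator)
try {
    $m = [System.Threading.Mutex]::OpenExisting('LiveUpdateMutex')
    $m.Dispose()
    $findings += 'mutex LiveUpdateMutex exists'
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # mutex not present: nothing to report
}

if ($findings) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'no indicators from this page were found'
}
```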

6. Win32.Hack.EggDrop.v (hacker program)

7. Win32.Troj.Maran.bo (Trojan horse)

8. Win32.Troj.Dropper.m (Trojan horse)

9. Win32.Hack.AgoBot.d (hacker program)

10. Win32.Troj.Downloader.f (Trojan horse)

11. Troj, 8757.com

12. Win32.Fics.a (Win32 virus)