Virus name: Backdoor.Win32.Small.oo
Virus type: Backdoor
File MD5: 439F062FCAFC7F6E1EA2ACA83C9E960A
Disclosure scope: fully public
Threat level: 4
File size: 15,872 bytes
Affected systems: Windows 98 and later
Development tool: Microsoft Visual C++ 6.0
Virus Description
This is a backdoor of the zombie (bot) type. When run, it copies itself into the %System32% directory under the file name it was originally launched with (so the name of the dropped file varies from one infection to the next), calls the service APIs to register that copy as a Windows service and write the corresponding registry entries, and starts the service as a new process. It then reads its own path from the environment variables, deletes the original dropper with a CMD command, and connects to a fixed IP address, where it waits for commands from the controller. A compromised host can be made to take part in DDoS attacks, be remotely controlled, send spam, run a local TFTP server, and download further malware; at scale this can bring a network down.
Behavior Analysis
Local behavior

1. The file drops the following file and runs it:
   %System32%\<original virus file name>.exe   15,872 bytes

2. It creates a service registry key for the virus:
   [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WindowsRemote]
   Value: "Description"   Type: REG_SZ     Data: "Network Connections Management"   (service description)
   Value: "DisplayName"   Type: REG_SZ     Data: "Windows Accounts Driver"          (service display name)
   Value: "ImagePath"     Type: REG_SZ     Data: "C:\WINDOWS\System32\<original virus file name>.exe"   (path of the service image file)
   Value: "Start"         Type: REG_DWORD  Data: 2 (0x2)    (SERVICE_AUTO_START: the service is started automatically at every boot)
   Value: "Type"          Type: REG_DWORD  Data: 16 (0x10)  (SERVICE_WIN32_OWN_PROCESS: a Win32 service running in its own process)

3. It obtains its own path from the environment variables, deletes the original copy of itself with a CMD command, then connects to the fixed IP address 121.15.247.** and waits for commands from the controller.

Network behavior

Protocol: TCP
Port: 1801
IP address: 121.15.247.**
Description: connects to this address and waits for control commands sent by the controller.

Note: %System32% is a variable path. The virus determines the location of the current System folder by querying the operating system.
%Windir%                  the Windows directory
%DriveLetter%             the root directory of a logical drive
%ProgramFiles%            the default installation directory for programs
%HomeDrive%               the partition the system booted from
%Documents and Settings%  the profile root of the current user
%Temp%                    Documents and Settings\<current user>\Local Settings\Temp
%System32%                the System32 folder; default path on Windows 2000/NT: C:\Winnt\System32, on Windows 95/98/Me: C:\Windows\System, on Windows XP: C:\Windows\System32
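The indicators above can be checked on a host without changing anything. The following script is an added example and is not part of the original advisory: it reads the service key, locates the dropped file through the ImagePath value (the file name is whatever the dropper was originally called, so the registry is the only reliable pointer to it), compares size and MD5 with the header, and looks for a live TCP session to port 1801 in 121.15.247.0/24. The service name, display name, description, size, hash, port and address range are the advisory's; the function name and output format are assumptions of the example. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original advisory: a read-only check of a Windows
# host for the indicators listed under Behavior Analysis. Run elevated.
function Test-BackdoorSmallOO {
    $hits = @()

    # 1. Service key. Query CurrentControlSet rather than ControlSet001: it is an
    #    alias of whichever ControlSet00N the running system actually uses.
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\WindowsRemote'
    if (Test-Path $keyPath) {
        $k = Get-ItemProperty -Path $keyPath
        $hits += "service key present: $keyPath"
        if ($k.DisplayName -eq 'Windows Accounts Driver')        { $hits += "DisplayName: $($k.DisplayName)" }
        if ($k.Description -eq 'Network Connections Management') { $hits += "Description: $($k.Description)" }
        if ($k.Start -eq 2) { $hits += 'Start=2 (SERVICE_AUTO_START): the service comes back at every boot' }

        # 2. Dropped file. Its name is whatever the dropper was originally called,
        #    so the ImagePath value is the only reliable way to find it.
        $image = [Environment]::ExpandEnvironmentVariables((($k.ImagePath) -replace '"', '').Trim())
        if ($image -and (Test-Path -LiteralPath $image)) {
            $fi = Get-Item -LiteralPath $image
            $hits += "image present: $image ($($fi.Length) bytes)"
            if ($fi.Length -eq 15872) { $hits += 'size matches the advisory (15,872 bytes)' }
            $md5 = (Get-FileHash -LiteralPath $image -Algorithm MD5).Hash
            if ($md5 -eq '439F062FCAFC7F6E1EA2ACA83C9E960A') { $hits += "MD5 matches the advisory: $md5" }
            else { $hits += "MD5 differs from the advisory (possible variant or repack): $md5" }
        }
    }

    # 3. Live C2 session: TCP to 121.15.247.* on port 1801. The advisory masks the
    #    last octet, so the whole /24 is matched.
    $c2 = Get-NetTCPConnection -RemotePort 1801 -ErrorAction SilentlyContinue |
          Where-Object { $_.RemoteAddress -like '121.15.247.*' }
    foreach ($c in $c2) {
        $hits += "C2 connection: $($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort) state=$($c.State) pid=$($c.OwningProcess)"
    }

    return ,$hits
}

$found = Test-BackdoorSmallOO
if ($found.Count -eq 0) { 'No Backdoor.Win32.Small.oo indicators found.' }
else { $found | ForEach-Object { "[HIT] $_" } }
```

Get-NetTCPConnection needs Windows 8 / Server 2012 or later; on the older systems the advisory lists, `netstat -ano | findstr :1801` gives the same connection and owning PID. A hash mismatch with the file otherwise in place should be treated as a hit, not a miss: the registry key and the service description are the stable part of this family, the binary may have been repacked.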
Removal
1. Use Antiy Defense to remove this virus (recommended).
2. Manual removal: delete the files and restore the system settings listed under Behavior Analysis.
   (1) Use the process manager in ATOOL to terminate the <original virus file name>.exe process.
   (2) Forcibly delete the virus file %System32%\<original virus file name>.exe.
   (3) Delete the virus's service registry key: under [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services], delete the "WindowsRemote" key and everything beneath it.
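The three manual steps only work in that order, and the file name is not known in advance. The script below is an added example, not the advisory's or Antiy's own procedure: it reads the image path from the registry, stops the service and kills the process before touching the file (otherwise the delete fails on a file in use and the backdoor keeps running), unregisters the service through the Service Control Manager instead of deleting the key by hand, clears leftover copies of the key in the other control sets, removes the file, and reports what is still present. Only the service name comes from the advisory; the function name and messages are the example's own.

```powershell
# Added example, not part of the original advisory: manual removal in the order
# that works. Run elevated, after confirming the indicators on the host.
function Remove-BackdoorSmallOO {
    $svcName = 'WindowsRemote'
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
    $log = @()
    if (-not (Test-Path $keyPath)) { return ,@('service key not present; nothing to remove') }

    # The dropped file is named after the original dropper, so take the path from
    # the registry rather than guessing it.
    $raw   = (Get-ItemProperty -Path $keyPath).ImagePath
    $image = [Environment]::ExpandEnvironmentVariables(($raw -replace '"', '').Trim())
    $log  += "ImagePath: $image"

    # 1. Stop the service and kill its process first. Deleting the file while the
    #    process holds it fails, and deleting only the key leaves the process alive
    #    until the next reboot.
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Stopped') {
        Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
        $log += 'service stop requested'
    }
    $procs = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -and ($_.Path -ieq $image) }
    foreach ($p in $procs) {
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        $log += "killed pid $($p.Id)"
    }

    # 2. Unregister the service through the SCM. This removes Services\WindowsRemote
    #    with all the values the advisory lists, which is the safe form of step (3).
    & sc.exe delete $svcName | Out-Null
    $log += "sc delete $svcName exit code $LASTEXITCODE"

    # 3. The key can also survive in the other control sets (ControlSet001,
    #    ControlSet002 = LastKnownGood), which sc.exe does not touch.
    $sets = Get-ChildItem 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($cs in $sets) {
        $stale = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\$svcName"
        if (Test-Path $stale) {
            Remove-Item -Path $stale -Recurse -Force -ErrorAction SilentlyContinue
            $log += "removed $($cs.PSChildName)\Services\$svcName"
        }
    }

    # 4. Delete the dropped file, then verify both halves of the cleanup.
    if ($image -and (Test-Path -LiteralPath $image)) {
        Remove-Item -LiteralPath $image -Force -ErrorAction SilentlyContinue
    }
    $fileGone = -not ($image -and (Test-Path -LiteralPath $image))
    $svcGone  = -not (Get-Service -Name $svcName -ErrorAction SilentlyContinue)
    $log += "file removed: $fileGone; service removed: $svcGone"
    if (-not ($fileGone -and $svcGone)) {
        $log += 'something is still present: reboot (the SCM completes pending deletes at boot) and re-check the indicators'
    }
    return ,$log
}

Remove-BackdoorSmallOO | ForEach-Object { "[*] $_" }
```

Because Start is 2 (automatic start), a host where only the file was deleted will log a failed service start at every boot, and one where only the key was deleted is still running the backdoor until it is rebooted; the verification line at the end is there to catch both cases. The dropper deleted its original copy with a CMD command, so the System32 file is the only copy that needs removing, but the download location it was first run from is worth checking for whatever fetched it.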