Tianwang announces NIMDA virus hazards and a new response plan
http://www.sina.com.cn  September 20, 2001 12:54  Sina Technology (manuscript provided by Tianwang)
On September 19, computer experts in the US and Japan said that an extremely destructive computer virus was spreading rapidly across the Internet. Both home and business computers can be infected, and its destructive power far exceeds that of "Code Red", which was fought off only recently. The FBI has already formed a dedicated task force to deal with the Nimda virus and prevent greater losses.
The China National Computer Virus Emergency Response Center said that more than 100 computers in Beijing, Shenzhen, Anhui and elsewhere had been infected with the Nimda virus. Judging from the current situation, the number of infected machines in China is probably far more than a hundred: the Tianwang Security Laboratory received its first user report the day before, on September 18, and yesterday the Tianwang technical support department received hundreds of phone calls and thousands of e-mails about Nimda. The Tianwang Security Laboratory has therefore urgently released a manual clearance and immunization plan for Nimda, both to help computer users avoid losses from the virus and to reduce the load on Tianwang technical support.
NIMDA virus hazards
After the Nimda outbreak, many users were worried about whether this virus, said to cause greater losses than Code Red, would do more damage to infected computer systems. From what is known so far, it only exploits vulnerabilities in the computer system to replicate and propagate itself; this greatly slows the computer and causes network congestion, but it performs no malicious destruction such as file operations. However, security experts at the Tianwang Security Laboratory point out that users should not take the damage lightly: Nimda may cause more serious harm to infected systems, such as damaging documents and the system, or deleting, modifying or transmitting user files.
At present, the most direct loss Nimda can cause a user is that it fully shares the C drive of the infected computer. This allows malicious attackers to get at user files: copying, deleting or modifying them, or even formatting the hard drive.
The destructive power of Nimda may still be in an incubation period. Once it breaks out or variants appear, it could cause greater losses than the Code Red and SirCam viruses, because Nimda's ability to spread and replicate is far greater than that of those two viruses. The Tianwang Security Laboratory is analysing Nimda's original code in order to reveal its potential destructive capabilities in advance and spare computer users greater losses.
The Nimda virus was first discovered by several companies in Silicon Valley. Based on current investigation and assessment, there is no evidence that this virus attack is connected with last week's terrorist attacks. However, compared with the Code Red virus in July, the consequences of this attack may be far more serious. As for the origin of the virus, the intriguing detail is that Nimda's name, read backwards, is "admin", the usual shorthand for system administrator, which invites speculation. Some people infer from the content of the virus that it may come from China; others point out that Nimda is the name of an Israeli defense contractor, but that connection is far-fetched.
NIMDA virus transmission methods
Nimda spreads in several ways, and the danger is that all of them rely on IE or IIS vulnerabilities the user does not know about. Tianwang Security Laboratory experts point out that its infection method resembles that of Code Red, which caused billions of dollars in losses earlier, but its propagation speed will be far greater. The reason is that Code Red only targeted machines running IIS 5.0 that had the vulnerability; machines running IIS 5.0 are generally servers, few personal users run it, and so most personal users escaped Code Red infection. Nimda, by contrast, can spread by mail and exploit an IE vulnerability to run the virus automatically when the user browses. The experts also point out that Nimda has many propagation methods and can choose among them flexibly for different computer systems. There are three: the first is transmission by e-mail, the second is attacking servers whose security is weak, and the third is attacking floppy drives.
NIMDA virus clearance and immunization plan
Manual cleaning method for Windows NT / 2000 / XP
1. End any process whose process name is "xxx.tmp.exe" or "loading.exe" (xxx is any file name)
2. Delete the files with a length of 57344 bytes in the system TEMP folder
3. Delete the Riched20.dll file of 57344 bytes in the system folder, together with load.exe
4. Open the System.ini file; if there is a line "shell = explorer.exe loading.exe -dontrunold" under [LOAD], change it to "shell = explorer.exe"
5. Look for the admin.dll file in the root directory of the hard disk; if it exists there, delete it
6. Open "Control Panel | Users and Passwords" and remove the guest account from the Administrators group
7. Cancel the full share of the C drive
8. Search the entire hard drive and delete all readme.eml files. Before you have immunized the system, do not click on any readme.eml file: select all the readme.eml files and delete them. If you click a single readme.eml file, the Nimda virus will exploit your system vulnerability and run again.
Win9x / ME manual cleaning method
1. Restart the operating system in Safe Mode
2. Delete the files with a length of 57344 bytes in the system TEMP folder
3. Delete the Riched20.dll file of 57344 bytes in the system folder, together with load.exe
4. Open the System.ini file; if there is a line "shell = explorer.exe loading.exe -dontrunold" under [LOAD], change it to "shell = explorer.exe"
5. Cancel the full share of the C drive
6. Search the entire hard drive and delete all readme.eml files. Before you have immunized the system, do not click on any readme.eml file: select all the readme.eml files with Ctrl+A and delete them. If you click a single readme.eml file, the Nimda virus will exploit your system vulnerability and run again.
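As an added example (not Tianwang's tool or the article's own code), the following Python script turns steps 2 through 8 of the NT/2000/XP checklist and steps 2 through 6 of the Win9x/ME checklist into a detection-only scan: it walks a directory tree and reports the file-system indicators named above (readme.eml files, 57344-byte files in TEMP, a 57344-byte riched20.dll and the load.exe/loading.exe dropper in the system folder, admin.dll in the drive root, and a tampered "shell=" line in system.ini) without deleting anything, so the findings can be reviewed before the manual steps are carried out. The directory paths, the sample tree it builds for its demo and the file contents in that tree are constructed assumptions; the scanner matches the "shell=" key regardless of which section of system.ini it sits in, so the section name used in the demo file is arbitrary.

```python
"""Detection-only scan for the Nimda clean-up checklist (added example, not Tianwang's tool)."""
import os
import tempfile

NIMDA_FILE_SIZE = 57344                      # byte length named in checklist steps 2 and 3
DROPPER_NAMES = {"load.exe", "loading.exe"}  # the checklist uses both spellings
EXPECTED_SHELL = "explorer.exe"              # the only value the shell= line should carry


def _bad_shell_line(line):
    """True for a 'shell=' line whose value is anything other than plain explorer.exe."""
    key, sep, value = line.partition("=")
    if not sep or key.strip().lower() != "shell":
        return False
    return value.strip().lower() != EXPECTED_SHELL


def scan_system_ini(path):
    """Return the offending shell= lines of a system.ini, or [] if it is clean or missing."""
    if not os.path.isfile(path):
        return []
    with open(path, "r", errors="replace") as fh:
        return [ln.rstrip("\r\n") for ln in fh if _bad_shell_line(ln)]


def scan_tree(drive_root, temp_dir, system_dir, system_ini):
    """Walk drive_root and return a sorted list of (indicator, path) findings. Nothing is modified."""
    findings = []
    drive_root = os.path.abspath(drive_root)
    root_norm = os.path.normcase(drive_root)
    temp_norm = os.path.normcase(os.path.abspath(temp_dir))
    system_norm = os.path.normcase(os.path.abspath(system_dir))

    for dirpath, _dirs, files in os.walk(drive_root):
        dir_norm = os.path.normcase(os.path.abspath(dirpath))
        for name in files:
            full = os.path.join(dirpath, name)
            lname = name.lower()
            try:
                size = os.path.getsize(full)
            except OSError:
                continue                      # unreadable entry: skip rather than abort the scan
            if lname == "readme.eml":         # step 8 (NT) / step 6 (9x): readme.eml anywhere
                findings.append(("readme.eml", full))
            if dir_norm == temp_norm and size == NIMDA_FILE_SIZE:   # step 2: 57344-byte files in TEMP
                findings.append(("temp-57344", full))
            if dir_norm == system_norm:       # step 3: riched20.dll of 57344 bytes plus the dropper
                if lname == "riched20.dll" and size == NIMDA_FILE_SIZE:
                    findings.append(("riched20-57344", full))
                if lname in DROPPER_NAMES:
                    findings.append(("dropper", full))
            if dir_norm == root_norm and lname == "admin.dll":      # step 5: admin.dll in the drive root
                findings.append(("admin.dll-root", full))

    for bad in scan_system_ini(system_ini):   # step 4: tampered shell= line
        findings.append(("system.ini-shell", bad))
    return sorted(findings)


def build_demo_tree(base):
    """Create a constructed sample tree (assumed layout, not a real infection) and return its key paths."""
    temp = os.path.join(base, "TEMP")
    system = os.path.join(base, "WINNT", "system32")
    os.makedirs(temp)
    os.makedirs(system)
    samples = {
        os.path.join(base, "readme.eml"): b"MIME-Version: 1.0\r\n",   # constructed stand-in
        os.path.join(temp, "demo.tmp.exe"): b"\0" * NIMDA_FILE_SIZE,    # 57344-byte file in TEMP
        os.path.join(system, "riched20.dll"): b"\0" * NIMDA_FILE_SIZE,  # 57344-byte riched20.dll
        os.path.join(system, "load.exe"): b"MZ",                        # dropper name from the checklist
        os.path.join(base, "admin.dll"): b"MZ",                         # admin.dll in the "drive root"
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    ini = os.path.join(base, "WINNT", "system.ini")
    with open(ini, "w") as fh:                # section name is arbitrary; the scanner keys on shell=
        fh.write("[boot]\nshell=explorer.exe load.exe -dontrunold\n")
    return temp, system, ini


def run_demo():
    """Build the constructed tree in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        temp, system, ini = build_demo_tree(base)
        return scan_tree(base, temp, system, ini)


if __name__ == "__main__":
    for indicator, where in run_demo():
        print(f"{indicator:18} {where}")
```

On a real machine, call scan_tree with the drive root, the TEMP folder, the system folder and the path to system.ini, and work through the report by hand; the script deliberately reports rather than deletes, because an unexpected riched20.dll or load.exe may be legitimate and deserves a look before removal.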
Even after you have removed the Nimda virus, if you do not immunize your system you will soon be attacked by Nimda again, because its ability to spread is very strong: as long as your system still has the vulnerability, you are very likely to be re-infected. The Tianwang Security Laboratory has therefore released a Nimda immunization plan:
1. Install Microsoft's official SP2 patch
Microsoft has released a tenth major patch for the vulnerabilities discovered in the Windows 2000 system, which fixes most Win2000 vulnerabilities. SP2 is about 100 MB; it can be downloaded from: http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp
This patch is probably not practical for most users, as a 100 MB download is too slow.
2. Use the latest version of the Tianwang personal firewall
The Tianwang Personal Edition firewall includes a Tianwang security detection and repair system that can check for serious Windows system vulnerabilities, including IE vulnerabilities, and fix them automatically. The vulnerability detection and repair system built into the current Tianwang Personal Edition (test edition) can already check for and repair the IE vulnerability that Nimda uses to infect and spread, so it is of great help in protecting against Nimda. After the vulnerability detection and repair system has repaired the system, Nimda can no longer run automatically on the user's machine.
Download address for the Tianwang firewall: www.sky.net.cn
It is also recommended to remove the WSH (Windows Scripting Host) feature to prevent damage from this type of virus.
The steps are:
"Start" -> "Settings" -> "Control Panel" -> "Add/Remove Programs" -> "Windows Setup" -> "Accessories" -> "Windows Scripting Host" in the "Components" list (occupies 1.1 MB of space); clear the checkbox and select "OK". Note that this may affect some functions.
For personal users, the vulnerability detection and repair function of the Tianwang personal firewall provides immunity against Readme.eml: once the vulnerability is repaired, the virus cannot run automatically but instead pops up a window, and as long as you do not run it, infection is avoided. Servers, however, require some additional operations.
The Tianwang Security Laboratory is closely monitoring the Nimda virus and reminds users to repair their system vulnerabilities promptly to avoid intrusion by Nimda. The Tianwang Security Frontline has prepared a section on Nimda prevention and treatment; users can visit the Tianwang Security Frontline (www.sky.net.cn) for more Nimda solutions.