Nima is a mail-borne virus that lives in .eml files and uses Outlook vulnerabilities. When you click the poisoned e-mail file, or browse the message in Outlook, the system automatically extracts readme.exe from the message. readme.exe then generates MEP****.TMP and MEP****.TMP.EXE in the Windows Temp directory; the .EXE file has the hidden attribute and an IE icon, so people take it for an .html file. Use a process viewer to list the running processes; if you find a MEP****.TMP.EXE process, terminate it immediately. For example, the files generated on my machine were MEP52A5.TMP, MEP52A5.TMP.EXE, MEP52A6.TMP.EXE (unused) and MEP52A6.TMP. MEP52A5.TMP.EXE then runs and carries out the infection (the specific infection and damage functions are still being studied; they resemble those of Blue Code).
The poisoned e-mail has a recognizable feature:
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;  // key
    name="readme.exe"  // key
Content-Transfer-Encoding: base64
Content-ID:
The following modification is found in System.ini:
[boot]
shell=Explorer.exe load.exe -dontrunold
Load.exe (IE icon, hidden attribute) is located in the Windows\System directory.
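Both indicators described above (the audio/x-wav part that carries an executable name, and the extra program on the System.ini shell= line) can be checked mechanically. The following is an added example, not code from the original page; the function names, the extension list and the sample inputs are constructed for illustration.

```python
import email
import re
from email import policy

EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat")  # assumed list, extend as needed
BENIGN_MAJOR = ("audio", "image", "video", "text")

def mismatched_attachments(raw_bytes):
    """Return (content_type, name) for MIME parts that declare a harmless
    media type (such as audio/x-wav) but carry an executable file name."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() falls back to the Content-Type name= parameter
        name = part.get_filename() or ""
        if (part.get_content_maintype() in BENIGN_MAJOR
                and name.lower().endswith(EXEC_EXT)):
            hits.append((part.get_content_type(), name))
    return hits

def extra_shell_entries(system_ini_text):
    """Return programs listed after the first one on the [boot] shell= line."""
    section = None
    for line in system_ini_text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "boot" and re.match(r"shell\s*=", line, re.I):
            tokens = line.split("=", 1)[1].split()
            return [t for t in tokens[1:] if not t.startswith("-")]
    return []

# Constructed sample message; the payload is a placeholder, not real content.
SAMPLE_EML = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="====_ABC1234567890DEF_===="\r\n'
    b"\r\n"
    b"--====_ABC1234567890DEF_====\r\n"
    b"Content-Type: text/html\r\n\r\n<html></html>\r\n"
    b"--====_ABC1234567890DEF_====\r\n"
    b'Content-Type: audio/x-wav; name="readme.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n"
    b"--====_ABC1234567890DEF_====--\r\n"
)
SAMPLE_INI = "[boot]\nshell = Explorer.exe load.exe -dontrunold\n"  # constructed

if __name__ == "__main__":
    print(mismatched_attachments(SAMPLE_EML))
    print(extra_shell_entries(SAMPLE_INI))
```

A clean System.ini lists only Explorer.exe on the shell= line, so any non-empty result from the second function deserves a look.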
If you find that your machine is infected, you can defend it as follows (Win9x/Me): install a hard disk protection program such as Ice Shield V (hard disk protection) or File Protection Master 1.01 (internal hard disk protection card), etc. Move the virtual memory to another location (as long as it is not on the drive that holds the Windows directory), and move the Internet temporary files to another location under the same condition. Run the hard disk protection program, select protection for the drive that holds the Windows directory, and click OK. The virus will then be unable to enter your system and you will be safe. (This is only temporary prevention; the key is to download the Outlook patch and the latest anti-virus software.)