Lovgate ("Love Backdoor") virus introduction (reproduced)

xiaoxiao  2021-03-06

Red alert: the Lovgate R/S variants have recently been rampant on the campus network; they are easy to detect but hard to remove completely.

Reminder: back up important data promptly; prevention is more effective than removal.

Introduction: Lovgate carries a password-stealing routine that actively steals computer passwords and spreads across the LAN, eventually leaving every computer under the virus's control, with serious consequences for users such as network paralysis and information leaks.

I. Virus information

Name: w32/lovgate.r@m

Discovery date: 3/22/2004

Size: 97,280 bytes

Spread method: e-mail, network

Propagation path: this new Lovgate variant searches neighbouring IP addresses for shared directories over port 445. Where the share's password is weak it gains access to the shared directory, starts the NetManager.exe remote manager there, and uses that host as a server to continue searching nearby IPs, so it spreads quickly.

II. When the virus executes, it creates the following files:

%System%\hxdef.exe

%System%\ipplore.exe

%System%\winhelp.exe

%System%\netmeeting.exe (61,440 bytes)

%System%\spollsv.exe (61,440 bytes)

%sysdir%\ipplore.exe

%sysdir%\kernel66.dll

%sysdir%\ravmond.exe

%windir%\system\msjdbc11.dll

%sysdir%\mssign30.dll

%sysdir%\odbc16.dll

%System%\lmmib20.dll

C:\Command.exe (referenced from an autorun.inf file, so it runs automatically when the disk is double-clicked)

III. Creates virus files with the extensions COM, EXE, PIF and SCR in the root directory of each disk; the common names are as follows:

Pass, bak, password, email, book, letter, Important

IV. Modifies the registry so that the virus program is loaded automatically when the machine starts:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows  "run" = ravmond.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  "Program in Windows" = %sysdir%\ipplore.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices  "SystemTra" = %WINDIR%\SYSTRA.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  "VFW Encoder/Decoder Settings" = rundll32.exe mssign30.dll ONDLL_REG

The last of these entries loads the virus's DLL component (mssign30.dll) through rundll32.exe.
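To check a machine for these autorun entries without clicking through regedit, the Run keys can be exported with `reg export` and the export scanned. The script below is an added example, not code from the original post: the .reg text it scans is constructed, the key paths and value names come from the list above, and matching is done on the executable or DLL file name so that `%sysdir%`-style paths compare equal to their expanded form.

```python
"""Audit a .reg export of the autorun keys for the Lovgate entries listed
above.  Added example; the registry export text is constructed."""
import re

# Autorun key paths named in the post (compared case-insensitively).
AUTORUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}

# Binaries the post says those keys are pointed at.
LOVGATE_BINARIES = {"ravmond.exe", "ipplore.exe", "systra.exe", "mssign30.dll"}

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key_path, value_name, data) for each named value in a .reg export.
    String data is unescaped; other data (dword:, hex:) is returned verbatim."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if m is None or key is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        yield key, name, data


def referenced_binaries(data):
    """Lower-cased path components and tokens of a command line, e.g.
    'rundll32.exe mssign30.dll ONDLL_REG' -> {'rundll32.exe', 'mssign30.dll', 'ondll_reg'}."""
    return {tok for tok in re.split(r"[\\\s]+", data.lower()) if tok}


def find_lovgate_autoruns(reg_text):
    """Return [(key, value_name, data)] for autorun values that reference a Lovgate binary."""
    hits = []
    for key, name, data in parse_reg(reg_text):
        if key.lower() not in AUTORUN_KEYS:
            continue
        if referenced_binaries(data) & LOVGATE_BINARIES:
            hits.append((key, name, data))
    return hits


# Constructed export: one legitimate entry (SynTPEnh) plus the four from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Program in Windows"="C:\\WINDOWS\\system32\\ipplore.exe"
"VFW Encoder/Decoder Settings"="rundll32.exe mssign30.dll ONDLL_REG"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTra"="C:\\WINDOWS\\SYSTRA.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""
"run"="ravmond.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_lovgate_autoruns(SAMPLE_REG):
        print(f"[{key}] \"{name}\" = {data}")
```

On a real machine, feed the function the text of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the other two keys); the export is UTF-16, so open it with `encoding="utf-16"`. Matching on the file name rather than the full path is deliberate, because the post gives the values with unexpanded `%sysdir%`/`%WINDIR%` while the registry holds expanded paths.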

V. Automatically creates and loads three services:

1. Display name: _reg
   ImagePath: Rundll32.exe msjdbc11.dll ondll_server
   Startup: Automatic
   Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg
   Description: provides the backdoor service

2. Display name: Windows Management Protocol v.0 (experimental)
   ImagePath: Rundll32.exe msjdbc11.dll ONDLL_SERVER
   Startup: Automatic
   Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows
   Description: advanced server; performs scheduled scans of the LAN

3. Display name: Windows Management Network Service Extensions
   ImagePath: NetManager.exe -exe_Start
   Startup: Automatic
   Description: provides a backdoor service for the remote management program

VI. The virus monitors its own processes and restarts them if one is terminated; it also injects threads into Explorer.exe or Taskmgr.exe, so there is almost no way to end the virus process manually.

VII. The virus creates an autorun.inf file and a command.com or Command.exe virus file in each disk partition. When the disk is double-clicked, the system runs the Command.com/.exe virus file as directed by autorun.inf, with the result that the partition cannot be opened by double-clicking (it can still be opened from the right-click menu).

VIII. The virus scans removable disks, mapped network drives, and local drives from E: onward. When it finds an EXE file it renames it with the extension .zmx and hides it, then creates a 125K virus file under the original EXE's name.
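Because the worm leaves the hidden `.zmx` original next to a same-named 125K EXE, recovery is a pairing problem: rename `.zmx` back to `.exe` only after the replacement has been moved out of the way, and flag any pair where the same-named EXE does not fit the worm's profile. The following is an added example, not code from the original post. The directory listing is constructed; the 125K size is the figure the post gives, taken here as 125 × 1024 bytes with a small tolerance (an assumption about the exact size).

```python
"""Plan and apply recovery of EXE files that Lovgate renamed to .zmx.
Added example; SAMPLE_LISTING is a constructed drive-root listing."""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

VIRUS_COPY_SIZE = 125 * 1024   # "125K" in the post; exact byte count is assumed
SIZE_TOLERANCE = 4 * 1024
FILE_ATTRIBUTE_HIDDEN = 0x2     # Win32 attribute bit; absent on other platforms


@dataclass(frozen=True)
class Entry:
    name: str      # file name within the directory
    size: int      # size in bytes
    hidden: bool   # hidden attribute (the worm hides the renamed original)


def listing_from_dir(directory):
    """Build Entry objects from a real directory (non-recursive)."""
    entries = []
    for item in os.scandir(directory):
        if item.is_file():
            st = item.stat()
            hidden = bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)
            entries.append(Entry(item.name, st.st_size, hidden))
    return entries


def looks_like_virus_copy(entry):
    """The worm's replacement is an EXE of roughly 125K."""
    return entry.name.lower().endswith(".exe") and abs(entry.size - VIRUS_COPY_SIZE) <= SIZE_TOLERANCE


def plan_zmx_recovery(listing):
    """Return (restore, quarantine, conflicts):
      restore    -- [(zmx_name, exe_name)] renames that are safe to perform
      quarantine -- [exe_name] same-name EXEs matching the virus-copy profile
      conflicts  -- [zmx_name] a same-name EXE exists but does not look like
                    the virus copy; leave these for manual review"""
    by_lower = {e.name.lower(): e for e in listing}
    restore, quarantine, conflicts = [], [], []
    for e in listing:
        if not e.name.lower().endswith(".zmx"):
            continue
        exe_name = e.name[:-4] + ".exe"
        twin = by_lower.get(exe_name.lower())
        if twin is None:
            restore.append((e.name, exe_name))
        elif looks_like_virus_copy(twin):
            quarantine.append(twin.name)
            restore.append((e.name, exe_name))
        else:
            conflicts.append(e.name)
    return restore, quarantine, conflicts


def apply_plan(directory, plan, quarantine_subdir="lovgate_quarantine"):
    """Move suspected virus copies into a quarantine folder, then rename the
    .zmx files back to .exe.  Returns the number of files renamed."""
    restore, quarantine, _conflicts = plan
    root = Path(directory)
    qdir = root / quarantine_subdir
    qdir.mkdir(exist_ok=True)
    for exe_name in quarantine:
        (root / exe_name).rename(qdir / exe_name)
    for zmx_name, exe_name in restore:
        (root / zmx_name).rename(root / exe_name)
    return len(restore)


# Constructed listing of a drive root after infection.
SAMPLE_LISTING = [
    Entry("setup.zmx", 2_418_688, True),    # hidden original
    Entry("setup.exe", 128_000, False),     # ~125K replacement dropped by the worm
    Entry("readme.txt", 1_204, False),
    Entry("tool.zmx", 90_112, True),        # original whose replacement is already gone
    Entry("patch.zmx", 700_000, True),
    Entry("patch.exe", 700_000, False),     # same-name EXE that does not fit the profile
]


def demo_on_tempdir():
    """Materialise SAMPLE_LISTING in a scratch directory, apply the plan, and
    return the sorted file names left in the directory root."""
    with tempfile.TemporaryDirectory() as tmp:
        for e in SAMPLE_LISTING:
            (Path(tmp) / e.name).write_bytes(b"\0" * e.size)
        apply_plan(tmp, plan_zmx_recovery(listing_from_dir(tmp)))
        return sorted(p.name for p in Path(tmp).iterdir() if p.is_file())


if __name__ == "__main__":
    restore, quarantine, conflicts = plan_zmx_recovery(SAMPLE_LISTING)
    print("restore:", restore)
    print("quarantine:", quarantine)
    print("manual review:", conflicts)
    print("after cleanup:", demo_on_tempdir())
```

The plan is computed before anything is touched, so the `conflicts` list can be reviewed first; a `.zmx` whose same-named EXE is nowhere near 125K is left alone rather than guessed at.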

IX. Automatically deletes some anti-virus software. The virus checks process file names and deletes matching files. The names it matches include: kv, kav, duba, nav, kill, ravmon.exe, rfw.exe, gate, mcafee, symantec, skynet, rising.

Every common anti-virus product and firewall is on the list... sweat...

X. Removal procedure

1. Run a removal tool in Safe Mode, or from a DOS boot disk, at least twice.

Symantec's dedicated removal tool: http://securityResponse.symantec.com/avcenter/fixlgate.com  Rising's removal tool: http://download.com.rising.com.cn/zsgj/ravlovgate.com

These are .com files, so the virus will not rename them; a bit of camouflage...

2. EXE files renamed by the virus: go into the directory, set Explorer to show all files and file extensions, and rename the hidden .zmx files back to .exe.

3. Partitions that cannot be opened by double-clicking: show all files and delete autorun.inf. Then, under [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2] in the registry, look for the {...}-numbered subkeys (the numbers differ from machine to machine) that have child keys such as shell\autorun; the key's values name the corresponding drive. Delete the shell subkey, and the corresponding drive can be opened by double-clicking in My Computer again.

4. After disinfection, if the registry was not fully repaired, startup may complain that some DLL could not be loaded; search the registry for it manually and delete the related entries.

5. Turn off disk sharing and set strong passwords for system users.

6. Apply system patches. Don't ask me which ones; every security patch has its value. If you don't want to get hit again, install them all :)

7. A small suggestion: be careful when opening e-mail. It scares me ~~~~~ If you get a lot of mail, the automatic virus-scanning feature at www.hotmail.com is recommended.

=========================

When you double-click the D, E, F or G drive (if present) to open it directly, Windows says it cannot find the file command.exe and asks you to locate it. If you point it at c:\windows\, then every time you open the drive you get a "/StartExplorer" error message, after which the drive folder does open. The virus writes an autorun.inf file to each of your drives with the content:

Open="x:\command.exe" /startexplorer

where x is the drive letter. If you have not disinfected, the virus is activated every time you open the D/E/F/G drive. Rising is of little help with this problem (even upgraded to the latest version it cannot fix it, and the Rising website has no relevant instructions), so it has to be handled by hand. The solution is as follows (taking the D drive as an example):

===================

Start > Run > CMD (open a command prompt)

D:

DIR /A  (without /A you only see ordinary files; /A shows all files)

At this point you will find an autorun.inf file of about 49 bytes.

attrib autorun.inf -s -h -r  (removes the system, hidden and read-only attributes from autorun.inf; otherwise Del cannot delete it)

Del autorun.inf

This is not the end of it, because you double-clicked the D drive earlier and, although it did not open, you got the error asking you to locate command.exe; at that point the autorun information was added to the registry. Now clear the related registry information: Start > Run > regedit, then Edit > Find "command.exe". The first hit is the autorun entry for the D drive; delete the whole shell subkey. Double-click the D drive: is it OK now?
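The `Open="x:\command.exe" /startexplorer` line quoted above is the thing to look for before deleting the file, and the same check applies to every drive root. The script below is an added example, not code from the original post. The two autorun.inf texts are constructed: one in the form the post quotes, one a benign driver-CD style file for comparison. It goes beyond the post's single `Open=` case by also checking the `shellexecute` and `shell\...\command` launch keys that an autorun.inf can carry.

```python
"""Inspect a drive-root autorun.inf for the launch entry Lovgate writes.
Added example; both autorun.inf texts are constructed."""
import re
from pathlib import Path

LOVGATE_DROPPERS = {"command.exe", "command.com"}       # names from the post
EXECUTABLE_EXTS = (".exe", ".com", ".pif", ".scr", ".bat", ".cmd")
_FIRST_TOKEN = re.compile(r'\s*(?:"([^"]*)"|(\S+))(.*)$')


def parse_autorun_inf(text):
    """Return {section: {key: value}} with section and key names lower-cased.
    Tolerates blank lines, ';' comments and lines without '='."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def split_command(value):
    """Split 'prog args' where prog may be quoted -> (program, args)."""
    m = _FIRST_TOKEN.match(value)
    if m is None:
        return "", ""
    return (m.group(1) or m.group(2) or ""), m.group(3).strip()


def inspect_autorun_inf(text):
    """Return [(severity, key, reason)] for the [autorun] launch entries."""
    findings = []
    autorun = parse_autorun_inf(text).get("autorun", {})
    for key, value in autorun.items():
        is_launch = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not is_launch:
            continue
        program, args = split_command(value)
        program = program.replace("/", "\\")
        directory, _, basename = program.rpartition("\\")
        basename = basename.lower()
        if basename in LOVGATE_DROPPERS:
            findings.append(("high", key, f"launches {basename}, the file name Lovgate drops in each drive root"))
        if "/startexplorer" in args.lower():
            findings.append(("medium", key, "passes /startexplorer, the argument in the worm's autorun.inf"))
        in_root = directory == "" or bool(re.fullmatch(r"[A-Za-z]:", directory))
        if basename.endswith(EXECUTABLE_EXTS) and in_root:
            findings.append(("low", key, "runs an executable straight from the drive root"))
    return findings


def scan_drive_roots(roots):
    """Read <root>\\autorun.inf from each root; return {root: findings}.
    Roots without an autorun.inf get an empty list."""
    report = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        report[str(root)] = inspect_autorun_inf(inf.read_text(errors="replace")) if inf.is_file() else []
    return report


# Constructed from the line the post quotes: Open="x:\command.exe" /startexplorer
LOVGATE_AUTORUN_INF = '[autorun]\r\nOpen="D:\\command.exe" /StartExplorer\r\n'
# Constructed benign example, e.g. a driver CD
BENIGN_AUTORUN_INF = "[autorun]\nlabel=Drivers CD\nicon=setup.exe,0\nopen=setup.exe\n"

if __name__ == "__main__":
    for label, text in (("worm", LOVGATE_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(label, f"({len(text.encode())} bytes):")
        for severity, key, reason in inspect_autorun_inf(text):
            print(f"  [{severity}] {key}: {reason}")
```

As a sanity check on the reconstruction, the constructed worm-style file comes to exactly 49 bytes with CRLF line endings, the size the post reports for the autorun.inf it found. A `low` finding on its own is normal for installation CDs; the `high` one is what distinguishes the worm's file.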

Please credit the original address when reposting: https://www.9cbs.com/read-91101.html
