Source: http://www.eviloctal.com/forum/
Author: sunlion [EST]
Publisher: Sunlion [EST]

[Original] A preliminary study about the origin of the virus lee

EST http://www.eviloctal.com
Author: sunlion (blood dance)

A few days ago the computer caught a virus. It could be called a piece of hacker software, a backdoor Trojan. Because the infection had no big impact on the computer (provided no one else breaks in, that is), and since I had been busy with course design for the past few days, I had no time to deal with it. Today I finally dug it out.

First, look at the characteristics of the virus:

- An infected computer will have a user named Lee added (I will not tell everyone the password), and Lee is added to the Administrators group.
- There will be four files in the root directory of each disk: admin.bat; autorun.inf; system32.exe; system32dll.dll. The user cannot see them; even if the user changes the computer's settings to display all files, these four files still cannot be seen.

As I said before, even if you set the system to display all files, the four files cannot be seen, so how did I see them? In the end I used a piece of software, CuteFTP. It can see all the files on the disk; once you can see them in CuteFTP, you can use it to delete the virus files one by one! I estimate other software would work too, such as the browsing feature of ACDSee!

Now let everyone look at two pictures. As everyone can see, nothing is visible under the G: drive, even though I have set the system to display all files. But under CuteFTP we can see these four files. Did everyone see it? In the small window on the left, the four files under my G: drive are displayed!

OK, if you want to check, you can also check your own system using my method!

Below we will conduct some simple analysis.

A: Let's take a look at this autorun.inf file. Right-click on this file in CuteFTP and choose View, and you will see this window. All of its code is as follows:

    [Autorun]
    open=system32.exe

There may be some people here who do not understand this!
In order to take care of most readers, the author writes it in detail.

Let's take a look at the Autorun.inf start-up method. You may have seen this file name before. It appears most often on optical discs and is used for auto-start: each time a disc is placed in the optical drive, the system uses it to determine whether the disc starts automatically. But have you ever thought that this file can also be used to auto-start other files?

Autorun.inf's content is usually:

    [Autorun]
    open=file.exe
    icon=icon.ico

open is the name of the executable that runs when the disc is inserted or the disc drive is double-clicked. icon is the icon file for the optical drive. This file can also be another kind of file, such as:

    [autorun]
    open=file.exe
    icon=icon.exe,2

where icon.exe is an executable file that contains icons, and ",2" selects the third icon in that file.
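To make the format above concrete from the cleanup side, here is an added example (not part of the original post) that parses an autorun.inf and reports what a drive root would launch. The function names are hypothetical, and the root listing is constructed from the four file names the post lists.

```python
import re

EXEC_EXT = (".exe", ".bat", ".cmd", ".com", ".scr", ".pif")

def parse_autorun(text):
    """Return the keys of the [autorun] section as a lower-cased dict."""
    keys, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or INF comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:                                  # section names are case-insensitive
            in_section = header.group(1).strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys

def split_icon(value):
    """Split 'icon.exe,2' into ('icon.exe', 2); the index is zero-based."""
    name, sep, index = value.rpartition(",")
    if sep and index.strip().isdigit():
        return name.strip(), int(index)
    return value.strip(), 0

def triage(text, root_files):
    """Summarise what this autorun.inf launches and whether the target is in the root."""
    keys = parse_autorun(text)
    target = keys.get("open", "")
    # Assumption: the program is the first token (no quoted paths with spaces).
    program = target.split()[0].strip('"').lower() if target else ""
    icon_file, icon_index = split_icon(keys.get("icon", ""))
    return {
        "launches": program,
        "is_executable": program.endswith(EXEC_EXT),
        "present_in_root": program in {f.lower() for f in root_files},
        "icon_from_executable": icon_file.lower().endswith(EXEC_EXT),
        "icon_index": icon_index,
    }

# Constructed inputs: the file shown in the post, and the four names it lists.
SAMPLE_VIRUS = "[Autorun]\nopen=system32.exe\n"
SAMPLE_ICON = "[autorun]\nopen = file.exe\nicon = icon.exe, 2\n"
ROOT_LISTING = ["admin.bat", "autorun.inf", "system32.exe", "system32dll.dll"]

if __name__ == "__main__":
    print(triage(SAMPLE_VIRUS, ROOT_LISTING))
    print(triage(SAMPLE_ICON, ROOT_LISTING))
```

The root listing has to come from a tool that ignores the hidden and system attributes, which is the role CuteFTP plays in the post.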