virus Name: trojan-Dropper.Win32.Ekafod.x

Risk level: Medium

Virus Description

The virus disguised as a folder icon and Hide extension to confuse users, the virus primarily spread through the “file bundle”, “download tool to download”, “web page linked to horse”, etc., the viruses main purpose is to release the virus into the computer to run, the user Computer occurs after the system is running Slow, unknown process.

Infection in the operating system
Windows 2000/Windows XP / Windows 2003/Windows Vista / Windows 7

Transmission

Bundle file, web page linked to horse, download tool

Manually removal

1, manually delete the following files:
% Systemroot% \ System32 \ wicy111.dll
% Systemroot% \ System32 \ tt_b_2.dll
% Systemroot% \ System32 \ lockdrv.sys
2, manually delete the following Registry key:
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ lockdrv.sys
3, manually modify the following registry key:
Modify the HKEY_CLASSES_ROOT \ CLSID \ {871C5380-42A0-1069-A2EA-08002B30309D} \ shell \ OpenHomePage \ Command
Name:
Data: C: \ Program Files \ Internet Explorer \ IEXPLORE.EXE

Variable declaration:

% SystemDriver% system where the partition, usually “C: \”
% SystemRoot% WINDODWS directory, usually “C: \ Windows”
% Documents and Settings% user file directory, usually “C: \ Documents and Settings”
% Temp% temp folder, usually “C: \ Documents and Settings \ current user name \ Local Settings \ Temp”
% ProgramFiles% system program the default installation directory, typically: “C: \ ProgramFiles”
Analysis of the virus

(1), find the existence of a computer “virus is the current directory \ virus name” (without the exe extension) directory, if it exists, that exists in the current directory and name of this virus in the same directory name, use Explorer to open. If you do not exist, set the registry key HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced the corresponding key, hide file extensions, do not show hidden files and system protected files, so as to achieve the effect of the virus itself hidden.
(2), open the registry key HKEY_CLASSES_ROOT \ CLSID \ {871C5380-42A0-1069-A2EA-08002B30309D} \ shell \ OpenHomePage \ Command, change the default key is “C: \ Program Files \ Internet Explorer \ IEXPLORE.EXE http : / / www.488 **. cn “.
(3), to find whether there is% Systemroot% \ System32 \ wicy111.dll and% Systemroot% \ System32 \ tt_b_2.dll, if not then create two files, and write corresponding data to create processes were up by running the command regsvr32 These two dll files.
(4), create% Systemroot% \ System32 \ lockdrv.sys, and writes the data to determine whether there lockdrv.sys service, if not then create the appropriate services for this file (the service-driven process, the type of service, services. msc query not only view in the registry), and create a corresponding service registry key HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ lockdrv.sys, then start the service.
(5), in the current directory to create a batch virus program 375519961057540.bat, and inside write a batch command. Run this command to delete the virus file and the batch process.
(6), loaded to run% Systemroot% \ System32 \ wicy111.dll, in the registry key HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ SharedTaskScheduler key items created {C4560D12-CE25-4A2E-A5D4-B5070FCBE282} , the value csiddll.
(7), check whether the computer can access the Internet if you can, will and http://www.renren125 **. com / MainDll / SoftSize.asp a link. Download Trojan virus to the local operation.

Virus to create  files:

% Systemroot% \ System32 \ wicy111.dll
% Systemroot% \ System32 \ tt_b_2.dll
% Systemroot% \ System32 \ lockdrv.sys
Virus current directory \ 375519961057540.bat