Virus name: Trojan.Win32.Delux.am
Risk level: Medium
Virus description
This virus spreads mainly through bundled files, downloads served by download tools, and Trojan-embedded web pages (drive-by downloads). Its main purpose is to steal information from the user's computer.
Affected operating systems
Windows 2000 / Windows XP / Windows 2003 / Windows Vista / Windows 7
Transmission
Bundled files, Trojan-embedded web pages, downloads served by download tools
Manual removal:
1. Manually delete the following files
%SystemRoot%\SYSTEM32\fwMonitor.exe
%SystemRoot%\SYSTEM32\DRIVERS\fwMonitor.sys
2. Manually delete the following registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ZXSoft firewall control service
Variable declarations:
%SystemDrive%: the partition the system is installed on, usually "C:\"
%SystemRoot%: the Windows directory, usually "C:\Windows"
%Documents and Settings%: the user profile directory, usually "C:\Documents and Settings"
%Temp%: the temporary folder, usually "C:\Documents and Settings\<current user name>\Local Settings\Temp"
%ProgramFiles%: the default program installation directory, typically "C:\Program Files"
Analysis of the virus:
(1) Checks whether %SystemRoot%\system32\fwMonitor.dlx exists on the system; if not, creates the file and writes data into it.
(2) Obtains its own process ID, creates a process snapshot, walks the process list, and opens the process whose PID matches its own.
(3) Checks whether its own path is %SystemRoot%\SYSTEM32\fwMonitor.exe. If not, it tries to delete %SystemRoot%\SYSTEM32\fwMonitor.dll and %SystemRoot%\SYSTEM32\ie.log; if those two files do not exist, it creates them, writes its embedded payload into them, and sets the hidden attribute on both. It then copies itself to %SystemRoot%\SYSTEM32\winload.dll (also hidden), moves %SystemRoot%\SYSTEM32\winload.dll to %SystemRoot%\SYSTEM32\fwMonitor.exe, and moves %SystemRoot%\SYSTEM32\ie.log into %SystemRoot%\SYSTEM32\DRIVERS\.
(4) Creates a service named "ZXSoft firewall control service", starts it, and creates the corresponding registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ZXSoft firewall control service. If creation succeeds, it deletes its original file and launches fwMonitor.exe as a new process.
(5) Uses rootkit techniques to hide the virus process, its files, the dropped DLL component and other virus-related information in order to evade detection and removal. Once running, the virus sends large amounts of information from the computer to the attacker, leading to disclosure of personal privacy and data.
Files created by the virus:
%SystemRoot%\SYSTEM32\fwMonitor.exe
%SystemRoot%\SYSTEM32\DRIVERS\fwMonitor.sys
Registry keys created by the virus:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ZXSoft firewall control service
Name: Description    Data: New Golden Shield firewall.
Name: DisplayName    Data: ZXSoft firewall control service
Name: ImagePath      Data: %SystemRoot%\SYSTEM32\fwMonitor.exe -u
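The following PowerShell script is an added example, not part of the original advisory: it turns the manual removal steps and the indicator list above into a repeatable check. It looks for the files, the service registry key and its values, the running process and the registered service, reports what it finds, and only deletes them when run with -Remove. It assumes the file paths and service name are exactly those given in the advisory and that it runs from an elevated prompt; the inclusion of the intermediate files (fwMonitor.dlx, fwMonitor.dll, ie.log, winload.dll) is an assumption drawn from the analysis section, since they are normally moved or deleted by the time installation finishes.

```powershell
# Added example (not the advisory's own tooling): audit a host for the
# Trojan.Win32.Delux.am indicators listed above; with -Remove, clean them.
# Assumes an elevated session; paths and service name are from the advisory.
param([switch]$Remove)

$sysRoot = $env:SystemRoot
$files = @(
    (Join-Path $sysRoot 'SYSTEM32\fwMonitor.exe'),
    (Join-Path $sysRoot 'SYSTEM32\DRIVERS\fwMonitor.sys'),
    # Intermediate droppers from the analysis section (assumed; usually already moved/deleted)
    (Join-Path $sysRoot 'SYSTEM32\fwMonitor.dlx'),
    (Join-Path $sysRoot 'SYSTEM32\fwMonitor.dll'),
    (Join-Path $sysRoot 'SYSTEM32\ie.log'),
    (Join-Path $sysRoot 'SYSTEM32\winload.dll')
)
$serviceName = 'ZXSoft firewall control service'
$regKey      = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"

$findings = @()

# 1. Files: -Force makes Get-Item return files that carry the hidden attribute
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item   = Get-Item -LiteralPath $f -Force
        $hidden = ($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $findings += [pscustomobject]@{ Type = 'File'; Name = $f; Detail = "Hidden=$hidden" }
    }
}

# 2. Service registry key and the three values the advisory lists
if (Test-Path -LiteralPath $regKey) {
    $p = Get-ItemProperty -LiteralPath $regKey
    $findings += [pscustomobject]@{
        Type   = 'Registry'
        Name   = $regKey
        Detail = "ImagePath=$($p.ImagePath); DisplayName=$($p.DisplayName); Description=$($p.Description)"
    }
}

# 3. Live process and registered service (may be hidden by the rootkit component)
Get-Process -Name fwMonitor -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Process'; Name = $_.ProcessName; Detail = "PID=$($_.Id)" }
}
Get-Service -Name $serviceName -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Detail = "Status=$($_.Status)" }
}

if (-not $findings) {
    Write-Host 'No Trojan.Win32.Delux.am indicators found.'
    return
}
$findings | Format-Table -AutoSize

if ($Remove) {
    # Stop the service and process first so the driver and executable are not held open
    Stop-Service -Name $serviceName -Force -ErrorAction SilentlyContinue
    Stop-Process -Name fwMonitor -Force -ErrorAction SilentlyContinue
    & sc.exe delete "$serviceName" | Out-Null
    if (Test-Path -LiteralPath $regKey) { Remove-Item -LiteralPath $regKey -Recurse -Force }
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force }
    }
    Write-Host 'Removal attempted. Reboot, then re-run without -Remove to confirm nothing returns.'
}
```

Because step (5) of the analysis says the sample hides its process and files with rootkit techniques, a clean result from this script on a running, infected system is not conclusive: the file and registry checks are most trustworthy when the disk is examined from a clean boot environment or another OS, and the service key should be checked again after a reboot to confirm it has not been recreated.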