Virus name: backdoor.Win32.Yoddos.cc
Risk level: Medium
Virus description
The virus spreads mainly through bundled files, download tools and trojaned web pages (drive-by download). It is designed to give the attacker control of the user's computer; an infected machine runs slowly and shows unknown processes.
Affected operating systems
Windows 2000 / Windows XP / Windows 2003 / Windows Vista / Windows 7
Transmission
Bundled files, trojaned web pages (drive-by download), download tools
Manual removal:
1. Manually delete the following files:
%SystemRoot%\system32\winhelp32.exe
%SystemDrive%\2.exe
2. Manually delete the following registry key (the service entry):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelp32
Variable definitions:
%SystemDrive% - the partition the system is installed on, usually "C:\"
%SystemRoot% - the Windows directory, usually "C:\Windows"
%Documents and Settings% - the user profile directory, usually "C:\Documents and Settings"
%Temp% - the temporary folder, usually "C:\Documents and Settings\<current user name>\Local Settings\Temp"
%ProgramFiles% - the default installation directory for programs, typically "C:\Program Files"
Analysis of the virus
(1) Checks whether kmon.dll (Rising) is present and, if so, releases the DLL module.
(2) Compares itself with %SystemRoot%\system32\svchost.exe; if it is not that file, compares itself with %SystemRoot%\system32\winhelp32.exe; if it is not that file either, copies itself to %SystemRoot%\system32\winhelp32.exe and sets the hidden attribute on the copy.
(3) Tries to start the service. If the start fails, it creates a service named "Windows Help System" for %SystemRoot%\system32\WinHelp32.exe, starts it, and creates the corresponding registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelp32.
(4) Once the service has started, creates a thread that downloads a file from the attacker-specified URL to %SystemDrive%\2.exe and creates a process to execute 2.exe.
(5) Tries to inject into svchost.exe. If the injection succeeds, it runs %SystemRoot%\system32\winhelp32.exe and then uses a cmd command with a hidden window to delete itself.
(6) Collects the system version, CPU type and other information and sends it to the attacker, resolves the IP address of the remote domain and connects to it; from then on the local machine is completely under the attacker's control.
Files created by the virus:
%SystemRoot%\system32\winhelp32.exe
Registry entries created by the virus:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelp32
Name: ImagePath
Value: %SystemRoot%\system32\winhelp32.exe
Network addresses accessed by the virus:
http://naver.*****.net:360/index.htm.exe
pay**1.3322.org
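The manual removal steps above and the file/registry indicators listed in the analysis can be checked and cleaned with one script. The following PowerShell script is an added example written for this page, not part of the original analysis or of any vendor tool; it assumes the artifact names exactly as the page lists them (winhelp32.exe, 2.exe, the WinHelp32 service) and must be run from an elevated prompt. It only reports by default; the -Remove switch is a parameter name chosen here.

```powershell
# Added example: report (and optionally remove) the backdoor.Win32.Yoddos.cc
# artifacts listed on this page. Run elevated. Default is report-only.
param([switch]$Remove)   # -Remove is this script's own switch, not a page value

# Dropped files named in the analysis (winhelp32.exe is set hidden by the malware)
$files = @(
    (Join-Path $env:SystemRoot 'system32\winhelp32.exe'),
    (Join-Path $env:SystemDrive '2.exe')
)
$serviceName = 'WinHelp32'
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
$found = $false

# 1. Service registry key and its ImagePath (the persistence mechanism)
if (Test-Path $regKey) {
    $imagePath = (Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue).ImagePath
    Write-Output "Service key present: $regKey (ImagePath = $imagePath)"
    $found = $true
    if ($Remove) {
        # Stop and delete the service; sc.exe exists on every Windows version listed above.
        sc.exe stop $serviceName   | Out-Null
        sc.exe delete $serviceName | Out-Null
        # sc.exe delete marks the key for removal at next boot; remove it now if still there.
        if (Test-Path $regKey) { Remove-Item -Path $regKey -Recurse -Force }
    }
}

# 2. Dropped files. -Force is needed so Get-Item returns hidden files.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item   = Get-Item -LiteralPath $f -Force
        $hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        Write-Output "File present: $f (hidden = $hidden)"
        $found = $true
        if ($Remove) {
            # Terminate any process running from this image path before deleting it.
            Get-Process -ErrorAction SilentlyContinue |
                Where-Object { $_.Path -eq $f } |
                Stop-Process -Force -ErrorAction SilentlyContinue
            Remove-Item -LiteralPath $f -Force
        }
    }
}

if (-not $found) { Write-Output 'No Yoddos.cc indicators found on this host.' }
```

Because the analysis says the backdoor injects into svchost.exe, a copy may still be resident after the on-disk file and service are removed; a reboot after running with -Remove, followed by a second report-only run, confirms that the file and key do not reappear. The two network indicators above belong in proxy or DNS logs rather than in this host check.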