Analysis of Panda Burning Incense Virus

What: "Panda Burning Incense" is a virus that spreads automatically, infects hard disks automatically and has powerful destructive capabilities. It not only infects exe, com, pif, src, html, asp and other files on the system, it also terminates the processes of many antivirus programs and deletes files with the gho extension. Panda Burning Incense is actually a variant of a worm, and it has mutated many times.


Author: It was written on October 16, 2006 by Li Jun, a 25-year-old from Xinzhou District, Wuhan, Hubei Province. In early January 2007 it spread widely across the Internet, mainly through downloaded files.

Virus Name: GameSetup.exe

Tool: Process Monitor

Process Monitor records file system, registry, process and network activity in real time, which is what the observations below are based on.

Environment: Virtual machine Windows XP

Running GameSetup.exe drops spoclsv.exe.

Behavior:

1. Copies itself to the system directory

2. Creates a startup item

3. Places copies of the virus in the root directory of each partition

4. Uses the net share command to remove the administrative shares

5. Modifies the "Show all files and folders" setting

6. Attempts to shut down antivirus software

7. Analyzes the registry first

8. Traverses directories looking for webpage files such as htm/html/asp/php/jsp/aspx and appends data to the end of them

9. Creates a Desktop_.ini file in each directory it visits, containing the current date

10. Attempts to delete GHO (Ghost backup image) files
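The behaviour list above reads naturally as a set of detection rules. The script below is an added example, not code from this write-up: it applies those rules to a Process Monitor CSV export (the tool named above) and reports which behaviours occurred and which process exhibited them. It assumes Process Monitor's default CSV export columns; the sample rows, paths, PIDs and the registry value name in SAMPLE_CSV are constructed for the example and are not taken from the analyzed sample.

```python
"""Triage a Process Monitor CSV export for the behaviours listed above.

Added example, not code from the original write-up.  It assumes Process
Monitor's default CSV export columns ("Time of Day", "Process Name", "PID",
"Operation", "Path", "Result", "Detail").  The rows in SAMPLE_CSV are
constructed to mimic the listed behaviours; they are not a capture of the
real sample, and every path, PID and value name in them is made up.
"""
import csv
import io
import re

# Constructed Process Monitor export: one row per behaviour, plus a benign row.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","GameSetup.exe","1234","CreateFile","C:\WINDOWS\system32\spoclsv.exe","SUCCESS","Desired Access: Generic Write"
"10:00:01.0100000","spoclsv.exe","1300","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SampleAutostart","SUCCESS","Type: REG_SZ, Data: C:\WINDOWS\system32\spoclsv.exe"
"10:00:01.0200000","spoclsv.exe","1300","CreateFile","D:\setup.exe","SUCCESS","Desired Access: Generic Write"
"10:00:01.0300000","spoclsv.exe","1300","Process Create","C:\WINDOWS\system32\cmd.exe","SUCCESS","PID: 1400, Command line: cmd /c net share C$ /del /y"
"10:00:01.0400000","spoclsv.exe","1300","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"10:00:01.0500000","kav.exe","900","Process Exit","C:\Program Files\Kaspersky\kav.exe","SUCCESS","Exit Status: 0"
"10:00:01.0600000","spoclsv.exe","1300","WriteFile","C:\Inetpub\wwwroot\index.html","SUCCESS","Offset: 4,096, Length: 128"
"10:00:01.0700000","spoclsv.exe","1300","CreateFile","C:\Inetpub\wwwroot\Desktop_.ini","SUCCESS","Desired Access: Generic Write"
"10:00:01.0800000","spoclsv.exe","1300","SetDispositionInformationFile","D:\backup\winxp.gho","SUCCESS","Delete: True"
"10:00:02.0000000","explorer.exe","1500","CreateFile","C:\Documents and Settings\user\notes.html","SUCCESS","Desired Access: Generic Read"
'''

# Behaviour -> (operation regex, path regex, detail regex); None matches anything.
# kill_antivirus matches the *exit* of a kav*.exe process, because Process Monitor
# logs the terminated process rather than the one that terminated it.
RULES = {
    "copy_to_system_dir": (r"^(CreateFile|WriteFile)$", r"\\windows\\system32\\[^\\]*spoclsv\.exe$", None),
    "startup_item":       (r"^RegSetValue$", r"\\CurrentVersion\\Run\\", None),
    "copy_to_drive_root": (r"^(CreateFile|WriteFile)$", r"^[a-z]:\\[^\\]+\.exe$", None),
    "close_admin_share":  (r"^Process Create$", None, r"\bnet(\.exe)?\s+share\b"),
    "hide_files_setting": (r"^RegSetValue$", r"\\Explorer\\Advanced\\Folder\\Hidden", None),
    "kill_antivirus":     (r"^Process Exit$", r"\\kav[^\\]*\.exe$", None),
    "modify_web_files":   (r"^WriteFile$", r"\.(html?|asp|php|jsp|aspx)$", None),
    "desktop_ini_marker": (r"^(CreateFile|WriteFile)$", r"\\desktop_\.ini$", None),
    "delete_gho_backups": (r"^SetDispositionInformationFile$", r"\.gho$", r"Delete:\s*True"),
}


def _matches(pattern, value):
    return pattern is None or re.search(pattern, value, re.IGNORECASE) is not None


def triage(csv_text):
    """Map each behaviour to the (process name, path) pairs of the rows that exhibit it."""
    hits = {name: [] for name in RULES}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for name, (op_re, path_re, detail_re) in RULES.items():
            if (_matches(op_re, row["Operation"]) and _matches(path_re, row["Path"])
                    and _matches(detail_re, row["Detail"])):
                hits[name].append((row["Process Name"], row["Path"]))
    return hits


def observed_behaviours(csv_text):
    """Sorted names of the behaviours that appear at least once in the export."""
    return sorted(name for name, rows in triage(csv_text).items() if rows)


def suspect_processes(csv_text, min_behaviours=3):
    """Processes that exhibit at least min_behaviours distinct behaviours.

    kill_antivirus rows are skipped: their process column is the antivirus
    process that exited, not the process responsible for it.
    """
    per_process = {}
    for name, rows in triage(csv_text).items():
        if name == "kill_antivirus":
            continue
        for process, _ in rows:
            per_process.setdefault(process, set()).add(name)
    return sorted(p for p, names in per_process.items() if len(names) >= min_behaviours)


if __name__ == "__main__":
    for behaviour, rows in triage(SAMPLE_CSV).items():
        print(f"{behaviour:20s} {len(rows)} hit(s)")
    print("suspect processes:", suspect_processes(SAMPLE_CSV))
```

To run this against a real export, pass the file's contents to triage(). The kill_antivirus rule only knows kav because that is the process name this write-up mentions; extend the regex with the antivirus process names used in your own environment.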

It sets the value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden so that the hidden spoclsv.exe file is not shown to the user.

It creates virus files in the root directory of each disk.
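Items 3, 8 and 9 of the behaviour list and the sentence above describe traces that stay on disk after the process is gone, so they can be found without a live trace. The script below is an added example, not code from this write-up: it walks a directory tree and reports executables sitting directly in the scan root, Desktop_.ini date markers, and web pages with data appended after the closing tag. It assumes the marker holds a date in the form 2007-01-10 and that appended content follows `</html>`; both are assumptions made for the example, and build_sample_tree constructs a small temporary tree to run against.

```python
"""Scan a directory tree for the on-disk traces described in the analysis.

Added example, not code from the original write-up.  Assumptions made here:
the Desktop_.ini marker contains a date such as 2007-01-10, and the data
appended to web pages follows the closing </html> tag.  The sample tree is
constructed by build_sample_tree() and is not taken from a real infection.
"""
import os
import re
import tempfile

WEB_EXTENSIONS = {".htm", ".html", ".asp", ".php", ".jsp", ".aspx"}
DATE_RE = re.compile(r"^\s*\d{4}-\d{1,2}-\d{1,2}\s*$")


def _trailing_after_html(path):
    """Return non-empty text after the last </html>, or None if nothing follows it."""
    with open(path, "rb") as fh:
        data = fh.read().decode("latin-1")
    closers = list(re.finditer(r"</html>", data, re.IGNORECASE))
    if not closers:
        return None
    tail = data[closers[-1].end():].strip()
    return tail or None


def scan_tree(root):
    """Collect the three trace types; root stands in for a partition root."""
    findings = {"root_executables": [], "desktop_ini": [], "appended_web_files": []}
    # Item 3: executables dropped directly in the partition root.
    for entry in os.scandir(root):
        if entry.is_file() and entry.name.lower().endswith(".exe"):
            findings["root_executables"].append(entry.path)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            # Item 9: Desktop_.ini (underscore!) holding the date; the legitimate
            # Windows desktop.ini has no underscore and is deliberately not matched.
            if lower == "desktop_.ini":
                with open(path, "r", errors="replace") as fh:
                    if DATE_RE.match(fh.read()):
                        findings["desktop_ini"].append(path)
            # Item 8: web pages with content appended after the closing tag.
            elif os.path.splitext(lower)[1] in WEB_EXTENSIONS:
                tail = _trailing_after_html(path)
                if tail is not None:
                    findings["appended_web_files"].append((path, tail[:80]))
    return findings


def build_sample_tree():
    """Constructed temp tree with one of each trace plus clean files; returns its root."""
    root = tempfile.mkdtemp(prefix="panda_demo_")
    os.makedirs(os.path.join(root, "site"))

    def write(rel, text):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)

    write("setup.exe", "MZ placeholder")                        # constructed root executable
    write(os.path.join("site", "Desktop_.ini"), "2007-01-10")   # constructed date marker
    write(os.path.join("site", "index.html"),
          "<html><body>hi</body></html>\n<!-- constructed appended tail -->")
    write(os.path.join("site", "clean.html"), "<html><body>ok</body></html>\n")
    write(os.path.join("site", "desktop.ini"), "[.ShellClassInfo]")  # legitimate, must not match
    return root


if __name__ == "__main__":
    for kind, items in scan_tree(build_sample_tree()).items():
        print(kind, items)
```

On a real system point scan_tree at each partition root in turn; the scan only reads files, so it is safe to run during triage before any cleanup is attempted.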

It attempts to connect to other hosts on the LAN.

These strings are all names of common antivirus products, such as kav (Kaspersky); they correspond to the antivirus software it attempts to shut down (item 6 above).

Origin http://43.154.161.224:23101/article/api/json?id=325165384&siteId=291194637