How to remove the Win32/Serpip.A virus
Hi. On 2012/7/10 a virus named Win32/Serpip.A appeared. This virus attaches itself to exe files and makes the antivirus detect that file as a virus (F:\kes8.1.0.831_wksfswin_en.exe - Win32/Serpip.A virus - cleaned - quarantined) and send the exe file to quarantine. I saw an article on the ESET site:
[h=1]Win32/Serpip.A[/h]
[LIST]
[*]Aliases: Worm.Win32.Fipp.a (Kaspersky), Virus:Win32/Morto.A (Microsoft), W32.Morto.B (Symantec), W32/Pift (McAfee)
[*]Type of infiltration: Virus
[*]Size: 47 KB
[*]Affected platforms: Microsoft Windows
[*]Signature database version: 7286 (20120710)
[/LIST]
[h=3]Short description[/h]
Win32/Serpip.A is a file infector.
[h=3]Installation[/h]
When executed, the virus moves the following files (source, destination):
[LIST][*]%system%\wmicuclt.exe, %system%\wmicuclt[/LIST]
The virus creates copies of the following files (source, destination):
[LIST][*]%system%\wscript.exe, %system%\wmicuclt.exe[/LIST]
The virus modifies the following file:
[LIST][*]%system%\wmicuclt.exe[/LIST]
The virus writes the program code of the malware into the file.
The virus registers itself as a system service using the following name:
[LIST][*]Remote Access Connection Service (%system%\wmicuclt.exe)[/LIST]
The following Registry entries are created:
[LIST]
[*][HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\360rp] "Start" = 4
[*][HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\zhudongfangyu] "Start" = 4
[*][HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ekrn] "Start" = 4
[/LIST]
The virus creates and runs a new thread with its own program code within the following processes:
[LIST][*]svchost.exe[/LIST]
[h=3]Executable file infection[/h]
Win32/Serpip.A is a file infector.
The virus searches for executables with one of the following extensions:
[LIST][*].exe[/LIST]
Executables are infected by appending the code of the virus to the last section.
The size of the inserted code is 47 KB.
The host file is modified in a way that causes the virus to be executed prior to running the original code.
The virus inserts the following text/marker into the header of the infected executable files:
[LIST][*]PPIF[/LIST]
The marker is used to determine whether the file is already infected or not.
[h=3]Spreading[/h]
Win32/Serpip.A is a virus that spreads via shared folders.
The virus tries to copy itself into shared folders of machines on a local network.
The following usernames are used:
[LIST][*]administrator[*]admin[*]user[*]test[/LIST]
The following passwords are used:
[LIST][*]0[*]1[*]3[*]3.1415926[*]7[*]12[/LIST]
If it succeeds, the virus creates copies of the following files (source, destination):
[LIST][*]\\%hostname%\ADMIN$\system32\wscript.exe, \\%hostname%\ADMIN$\system32\wmicuclt.exe[/LIST]
It infects the following files:
[LIST][*]\\%hostname%\ADMIN$\system32\wmicuclt.exe[/LIST]
The file is then remotely executed.
The virus registers itself as a system service using the following name:
[LIST][*]Remote Access Connection Service (wmicuclt.exe)[/LIST]
[h=3]Other information[/h]
The virus connects to the following addresses:
[LIST][*]d.ppns.info[*].e.ppift.net.[*].e.ppift.com.[*].e.ppift.in.[/LIST]
The virus can download and execute a file from the Internet.
The virus may create and run a new thread with its own program code within any running process.
The virus may delete the following Registry entries:
[LIST]
[*][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"V3 Session Process", "MSC", "F-Secure Manager", "F-Secure TNB", "a-squared", "IKARUS-GuardX", "ShStatEXE", "Sophos AutoUpdate Monitor", "AVP", "AVG_TRAY", "egui", "360sd", "360Tray", "G Data AntiVirusTray Application", "BDAgent", "BitDefender Antiphishing Helper", "avgnt", "kxesc", "Trend Micro Client Framework", "RavTRAY", "APVXDWIN"
[*][HKEY_USERS\%variable%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"V3 Session Process", "MSC", "F-Secure Manager", "F-Secure TNB", "a-squared", "IKARUS-GuardX", "ShStatEXE", "Sophos AutoUpdate Monitor", "AVP", "AVG_TRAY", "egui", "360sd", "360Tray", "G Data AntiVirusTray Application", "BDAgent", "BitDefender Antiphishing Helper", "avgnt", "kxesc", "Trend Micro Client Framework", "RavTRAY", "APVXDWIN"
[/LIST]
A string with variable content is used instead of %variable%.
But it didn't describe how to remove it. I'd be grateful if someone could advise what can be done to get rid of this virus.
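Two of the indicators in the ESET entry quoted above can be checked without the sample itself: the "PPIF" marker written into the header of infected .exe files, and the Start = 4 (disabled) value the virus sets on the 360rp, zhudongfangyu and ekrn services. The script below is an added example, not ESET's tool and not code from the poster; it parses just enough of the PE header to find SizeOfHeaders, searches the header region for the marker, and reports which of the three services are disabled. One assumption: ESET does not say where in the header the marker sits, so the scan covers the whole header region (offset 0 up to SizeOfHeaders); a hit is a lead to confirm with an up-to-date scanner, not proof on its own. The registry lookup only runs on Windows, and the `make_sample_pe` files are constructed test images, not real programs.

```python
"""Triage helper for the Win32/Serpip.A indicators quoted from the ESET entry.

Added example (not ESET's tool, not the forum poster's code). Checks:
  1. the "PPIF" marker the virus writes into the header of infected .exe files;
  2. the three security-product services whose Start value is set to 4 (disabled).
Assumption: the marker's exact offset is not published, so the whole header
region (0 .. SizeOfHeaders) is searched. Treat a hit as a lead, not as proof.
"""
import struct
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

try:
    import winreg  # Windows only; everything else in this script runs anywhere
except ImportError:
    winreg = None

MARKER = b"PPIF"                                        # marker named in the ESET entry
DISABLED_SERVICES = {"360rp", "zhudongfangyu", "ekrn"}  # services the virus disables
SERVICE_DISABLED = 4                                    # Start = 4 means SERVICE_DISABLED


def pe_header_size(data: bytes) -> Optional[int]:
    """Return SizeOfHeaders from the optional header, or None if data is not a sane PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt_hdr = e_lfanew + 4 + 20                         # "PE\0\0" + 20-byte COFF header
    if opt_hdr + 64 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        return None
    # SizeOfHeaders is at offset 60 of the optional header in both formats
    return min(struct.unpack_from("<I", data, opt_hdr + 60)[0], len(data))


def has_marker(data: bytes) -> bool:
    """True if the PPIF marker appears inside the PE header region."""
    size = pe_header_size(data)
    return size is not None and MARKER in data[:size]


def scan_directory(root: Path) -> List[Path]:
    """Walk root recursively and return the .exe files whose header carries the marker."""
    hits = []
    for path in root.rglob("*.exe"):
        try:
            if has_marker(path.read_bytes()):
                hits.append(path)
        except OSError:
            continue                                    # unreadable file: skip it
    return sorted(hits)


def disabled_security_services(start_values: Dict[str, int]) -> List[str]:
    """Given {service name: Start value}, return the listed AV services set to disabled."""
    return sorted(name for name, start in start_values.items()
                  if name in DISABLED_SERVICES and start == SERVICE_DISABLED)


def read_service_starts() -> Dict[str, int]:
    """On Windows, read the Start value of the three services from the live registry."""
    result: Dict[str, int] = {}
    if winreg is None:
        return result
    for name in DISABLED_SERVICES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                                "SYSTEM\\CurrentControlSet\\Services\\" + name) as key:
                result[name] = winreg.QueryValueEx(key, "Start")[0]
        except OSError:
            continue                                    # service not installed
    return result


def make_sample_pe(marker_in_header: bool, marker_in_section: bool = False) -> bytes:
    """Constructed minimal PE32 image for offline testing; it is not a runnable program."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 60, 0x200)              # SizeOfHeaders
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    pad = 0x200 - len(image)
    header_tail = (MARKER if marker_in_header else b"\0\0\0\0") + b"\0" * (pad - 4)
    section = (MARKER if marker_in_section else b"\xcc\xcc\xcc\xcc") + b"\xcc" * 60
    return image + header_tail + section


def demo_scan() -> List[str]:
    """Write one clean and one marked sample into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.exe").write_bytes(make_sample_pe(False))
        (root / "sub").mkdir()
        (root / "sub" / "infected.exe").write_bytes(make_sample_pe(True))
        return [p.name for p in scan_directory(root)]


if __name__ == "__main__":
    print("marked files:", demo_scan())
    print("disabled AV services:", disabled_security_services(read_service_starts()))
```

Point `scan_directory` at the drive the antivirus flagged to get a list of candidate files; a marker found only in a section body is deliberately not reported, since the description places it in the header. Services reported by `disabled_security_services` are the ones the virus turned off, which is why the installed product stopped protecting the machine until it was re-enabled.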