Hi. On 2012/7/10 a virus called Win32/Serpip.A appeared. This virus attaches itself to exe files and makes the antivirus detect that file as a virus (F:\kes8.1.0.831_wksfswin_en.exe - Win32/Serpip.A virus - cleaned - quarantined) and move the exe file to quarantine. I saw an article on the ESET site:
Win32/Serpip.A
Threat Encyclopaedia
Aliases: Worm.Win32.Fipp.a (Kaspersky), Virus:Win32/Morto.A (Microsoft), W32.Morto.B (Symantec), W32/Pift (McAfee)
Type of infiltration: Virus
Size: 47 KB
Affected platforms: Microsoft Windows
Signature database version: 7286 (20120710)
Short description
Win32/Serpip.A is a file infector.
Installation
When executed, the virus moves the following files (source, destination):
- %system%\wmicuclt.exe, %system%\wmicuclt
The virus creates copies of the following files (source, destination):
- %system%\wscript.exe, %system%\wmicuclt.exe
The virus modifies the following file:
- %system%\wmicuclt.exe
The virus writes the program code of the malware into the file.
The virus registers itself as a system service using the following name:
- Remote Access Connection Service (%system%\wmicuclt.exe)
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\360rp]
  "Start" = 4
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\zhudongfangyu]
  "Start" = 4
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ekrn]
  "Start" = 4
The virus creates and runs a new thread with its own program code within the following processes:
- svchost.exe
Executable file infection
Win32/Serpip.A is a file infector.
The virus searches for executables with one of the following extensions:
- .exe
Executables are infected by appending the code of the virus to the last section.
The size of the inserted code is 47 KB.
The host file is modified in a way that causes the virus to be executed prior to running the original code.
The virus inserts the following text/marker into the header of the infected executable files:
- PPIF
The marker is used to determine whether the file is already infected or not.
Spreading
Win32/Serpip.A is a virus that spreads via shared folders.
The virus tries to copy itself into shared folders of machines on a local network.
The following usernames are used:
- administrator
- admin
- user
- test
The following passwords are used:
- 0
- 1
- 3
- 3.1415926
- 7
- 12
If it succeeds, the virus creates copies of the following files (source, destination):
- \\%hostname%\ADMIN$\system32\wscript.exe, \\%hostname%\ADMIN$\system32\wmicuclt.exe
It infects the following files:
- \\%hostname%\ADMIN$\system32\wmicuclt.exe
The file is then remotely executed.
The virus registers itself as a system service using the following name:
- Remote Access Connection Service (wmicuclt.exe)
Other information
The virus connects to the following addresses:
- d.ppns.info
- .e.ppift.net.
- .e.ppift.com.
- .e.ppift.in.
The virus can download and execute a file from the Internet.
The virus may create and run a new thread with its own program code within any running process.
The virus may delete the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "V3 Session Process"
  "MSC"
  "F-Secure Manager"
  "F-Secure TNB"
  "a-squared"
  "IKARUS-GuardX"
  "ShStatEXE"
  "Sophos AutoUpdate Monitor"
  "AVP"
  "AVG_TRAY"
  "egui"
  "360sd"
  "360Tray"
  "G Data AntiVirusTray Application"
  "BDAgent"
  "BitDefender Antiphishing Helper"
  "avgnt"
  "kxesc"
  "Trend Micro Client Framework"
  "RavTRAY"
  "APVXDWIN"
- [HKEY_USERS\%variable%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "V3 Session Process"
  "MSC"
  "F-Secure Manager"
  "F-Secure TNB"
  "a-squared"
  "IKARUS-GuardX"
  "ShStatEXE"
  "Sophos AutoUpdate Monitor"
  "AVP"
  "AVG_TRAY"
  "egui"
  "360sd"
  "360Tray"
  "G Data AntiVirusTray Application"
  "BDAgent"
  "BitDefender Antiphishing Helper"
  "avgnt"
  "kxesc"
  "Trend Micro Client Framework"
  "RavTRAY"
  "APVXDWIN"
A string with variable content is used instead of %variable%.
But it did not say how to remove it. I would be grateful if someone could advise what can be done to get rid of this virus.
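As a defensive triage aid, added here and not taken from the ESET article or from the poster, the following Python checks two of the indicators quoted above: the PPIF marker that the infector writes into the PE header, and the service and registry changes (a "Remote Access Connection Service" pointing at wmicuclt.exe, and 360rp/zhudongfangyu/ekrn set to Start=4). ESET does not give the marker's offset, so the whole header region as declared by SizeOfHeaders is searched (an assumption); the PE-like sample image and the service table are constructed for the demonstration.

```python
import struct

# Indicators taken from the ESET description quoted above.
INFECTION_MARKER = b"PPIF"                      # written into the header of infected .exe files
DROPPED_BINARY = "wmicuclt.exe"                 # renamed copy of wscript.exe
SERVICE_NAME = "Remote Access Connection Service"
AV_SERVICES_DISABLED = ("360rp", "zhudongfangyu", "ekrn")  # set to Start=4 (disabled)


def pe_header_size(data: bytes):
    """Return SizeOfHeaders from the optional header, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Optional header starts 24 bytes past the "PE\0\0" signature; SizeOfHeaders is at +60.
    if len(data) < e_lfanew + 24 + 64 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<I", data, e_lfanew + 24 + 60)[0]


def has_infection_marker(data: bytes) -> bool:
    """True if PPIF appears inside the PE header region (assumption: offset unknown,
    so the whole region up to SizeOfHeaders is searched, not the sections)."""
    size = pe_header_size(data)
    return size is not None and INFECTION_MARKER in data[:size]


def suspicious_services(services: dict) -> list:
    """services maps service name -> (ImagePath, Start value); returns findings as text."""
    findings = []
    for name, (path, start) in services.items():
        if name == SERVICE_NAME and path.lower().endswith(DROPPED_BINARY):
            findings.append(f"{name} runs dropped binary {path}")
        if name in AV_SERVICES_DISABLED and start == 4:
            findings.append(f"security service {name} disabled (Start=4)")
    return findings


def build_sample(marker_offset=None) -> bytes:
    """Constructed minimal PE-like image (not a real program) with a 0x200-byte header region."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)               # e_lfanew -> PE signature at 0x40
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, 0x40 + 24 + 60, 0x200)    # SizeOfHeaders = 0x200
    if marker_offset is not None:
        img[marker_offset:marker_offset + 4] = INFECTION_MARKER
    return bytes(img)
```

A hit on either check is a reason to quarantine the file or host and let an up-to-date scanner do the cleaning; a miss does not prove the file is clean, since only ESET's signature knows the real marker position.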