Trojan-PSW.Win32.OnLineGames.aprb analysis (2)
  Added: 07/17/2008   Published: 07/17/2008   Hits: 16
Page 2 of 3
 

    Description: at system start-up, the virus module is loaded automatically by the Explorer.exe process.
4. The virus takes a snapshot of the processes running on the current system with CreateToolhelp32Snapshot, then walks
   the process list recorded in the snapshot with Process32First and Process32Next to check whether the AVP.exe process
   exists. If it does, it calls SetSystemTime to change the system year to 2003, leaving the month and day unchanged,
   so that Kaspersky's license appears expired and stops working.
5. If it finds the LaTaleClient.exe process, it terminates it. When the user logs in again, the virus reads
   server.dat to obtain the user's server information, intercepts the current user's keyboard and mouse messages
   to capture the account name and password for the online game La Tale ("the rainbow island"), and sends them to a URL
   specified by the virus author.
6. After its own code has run, the virus terminates its own process and deletes its own file.
  
Note: %System32% is not a fixed path. The virus determines the location of the current System folder by querying the
operating system.
  
    %Windir%                    Windows directory
    %DriveLetter%               Root directory of a logical drive
    %ProgramFiles%              Default installation directory for programs
    %HomeDrive%                 Partition the current system boots from
    %Documents and Settings%    Root directory of the current user's profile
    %Temp%                      \Documents and Settings\<current user>\Local Settings\Temp
    %System32%                  The system's System32 folder

    On Windows 2000/NT the default installation path is C:\Winnt\System32
    On Windows 95/98/Me the default installation path is C:\Windows\System
    On Windows XP the default installation path is C:\Windows\System32
        
    
--------------------------------------------------------------------------------
Removal:
1. Antiy Defense Line 2008 can remove this virus completely (recommended).
   Download it from the Antiy website: www.antiy.com
2. For manual removal, delete the files named in the behavioral analysis and restore the related system settings.
  (1) Use ATOOL to unload bndfxdh.dll from the processes it has been injected into. The steps are:
     Open ATOOL -> Tools menu -> Search and handle DLL -> enter bndfxdh.dll,
     click Search -> click Unload. When the prompt "Do you want to unload all loaded DLL files that
     contain bndfxdh.dll?" appears, choose Yes (Y).
  (2) Delete the virus files:
     %System32%\bndfxdh.cfg
     %System32%\bndfxdh.dll
