
What virus is Panda Burning Incense? What can be used to kill it?

Panda Burning Incense is actually a variant of a worm, and it has mutated many times. The Nimaya variant W (Worm.Nimaya.W) is called the "Panda Burning Incense" virus because the executable files of an infected computer take on a "panda burning incense" icon. After a computer is infected there may be blue screens, frequent restarts and destruction of the data files on the system hard disk. At the same time, some variants of the virus spread across the local area network and then infect every computer on it, which eventually paralyses the enterprise LAN so that it cannot be used normally.

Panda Burning Incense is a very powerful virus circulating recently; it belongs to the latest variant worms of the Weijin family. Many friends who got infected could not remove it with anti-virus software and had to reluctantly give up what they loved and delete all the program files on the hard disk. Strictly speaking, this virus became popular in December of last year. The anti-virus software should have been upgraded long ago, but because of the amazing vitality of Panda Burning Incense, it has still not died off after such a long time.

Removal method: a hair-raising removal process

1. Panda Burning Incense virus: the picture shows a panda burning incense sticks, which looks quite cute! I didn't care much at the time! When I turned on the computer the next day, almost all the EXE files on the computer had turned into pictures of a panda burning incense! At that moment I sensed something was wrong!

Some EXE files could no longer be used normally! A new autorun.inf file had been added.

At first I didn't understand what this file did. I looked up some information on the internet and only then understood: as long as the user opens the drive letter, the virus runs! I used anti-virus software to remove it, but it was useless. It seems today's anti-virus software is getting worse and worse...

2. I tried to open Task Manager with the key combination, but it would not open, failed... I wanted to see whether it was in the registry. That failed too! The strange thing is that the computer was working normally, nothing was stuck. Is it not a virus? Is something wrong with the system? I downloaded a third-party tool from the internet to view the processes, and sure enough I saw two suspicious processes. FuckJacks.exe seemed the most suspicious, but I did not dare terminate it rashly. Quickly ask Uncle Bai!

3. My uncle told me: it's the process of the panda virus! Just as I thought! Too lazy to reinstall the system!

4. First end the FuckJacks.exe process! Start - Run - CMD and enter: ntsd -c q -p <PID of the virus process>. Finally killed! Everything back to normal! Excited... Quickly open the registry.

Suddenly the registry closed again. Looked at the processes: FuckJacks.exe had appeared again. So it must have a daemon! Looked for it... nothing... strange. Is its daemon injected into a system process? Never mind... headache...

5. Forget it, get a friend's removal tool. A friend said he had written a panda removal tool! Oh my God, the awesome guy was right next to me and I hadn't even noticed! I asked him for advice and got a general idea of Panda Burning Incense. I asked him to give me an unpacked panda sample to analyse myself (do it yourself, and you'll have plenty of food and clothing!).

6. Opened the panda with UI32 and looked at some of the resources it uses. After the file is executed, it drops itself to \system32\FuckJacks.exe.

7. Continuing to look at the pictures, you can see that some of the panda's propagation routines are quite classic: scanning computers on the same network segment, self-copying and so on, all quite powerful. It infects the EXE files on all drive letters at the same time, but not some important system files and common files; obviously it does not want to cause too much damage too early. It modifies the registry so that the registry editor cannot be opened, and even disables some services.

Here is the important part! As you can see from the code that follows, the author of the virus is a very good programmer with very good programming habits! The abnormal operations of the virus are well defined; most of them are the author's checks and definitions of the conditions under which the virus runs. It is worth noting that while infecting EXE files it also infects ASP and HTML files, appending a piece of basic code similar to a web-page trojan (挂马) injection, so that it spreads through third parties as quickly as possible (if the infected person is a webmaster, the consequences can be imagined).

How the virus program runs

Let's first talk about part of the virus's implementation: it simply modifies the registry.

There is a statement of the form wshell.RegWrite, which takes three parameters:

The first parameter is the key name: the full path.

The second is the key value.

The third is the type of the key.

Set wshell = WScript.CreateObject("WScript.Shell")

wshell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "explorer.exe", "REG_SZ"
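The removal story above and the RegWrite line just shown give a handful of indicators a defender can check for without touching anything: an autorun.inf at the root of a drive letter, the FuckJacks.exe process and its dropped copy under system32, a Winlogon\Shell value that is no longer explorer.exe, and the Task Manager / registry editor lockout. The following read-only triage script is an added example, not code from the original post or from the virus. It assumes the paths and names exactly as the post gives them; the post does not say how Task Manager and regedit were blocked, so the DisableTaskMgr and DisableRegistryTools policy values checked in step 4 are an assumption (they are the standard mechanism, not something the post confirms).

```powershell
# Added example, not from the original post. Read-only triage for the
# indicators described in the removal story. Run in an elevated prompt;
# it only reports and does not delete files or kill processes.
$findings = @()

# 1. autorun.inf in the root of every drive letter
#    (the post: "as long as the user opens the drive letter, the virus runs")
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $findings += "autorun.inf present on $($_.Root):`n" +
                     (Get-Content -LiteralPath $inf -Raw)
    }
}

# 2. The process and the dropped file named in the post
$proc = Get-Process -Name 'FuckJacks' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "process FuckJacks.exe running, PID(s): $($proc.Id -join ',')"
}
$dropped = Join-Path $env:SystemRoot 'system32\FuckJacks.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "dropped file present: $dropped"
}

# 3. Winlogon\Shell must be exactly explorer.exe (the value the RegWrite
#    statement above targets)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += "Winlogon\Shell is '$shell', expected 'explorer.exe'"
}

# 4. Task Manager / registry editor lockout. Assumption: the post does not
#    name the values; these are the standard policy values for that effect.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $val = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -eq 1) {
        $findings += "$name = 1 under $policy"
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Because the post reports that the process respawns from a daemon, a clean result from step 2 alone means little; re-run the script after a reboot and treat any one of the four findings as reason to isolate the machine from the LAN before attempting removal, since the post also describes spread to every machine on the segment.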

Universal solution

1. Turn off your default sharing.

First run regedit and find the following key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa].

Change the value RestrictAnonymous (DWORD) to: 00000001.

RestrictAnonymous REG_DWORD

0x0 default value

0x1 anonymous users cannot enumerate the local user list

0x2 anonymous users cannot connect to the local IPC$

Note: 2 is not recommended, otherwise some services (such as SQL Server) may fail to start.

2. Disable default shares.

1) View local shared resources

Run - cmd - enter: net share

2) Delete the shares (enter one at a time)

net share IPC$ /delete

net share ADMIN$ /delete

net share C$ /delete

net share D$ /delete (if there are E, F, ... you can continue deleting)

3) Modify the registry to remove the shares.

Run - regedit

Find the following key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters].

Change the value AutoShareServer (DWORD) to 00000000.

If the key mentioned above does not exist, create it (right-click - New - DWORD value), then change the value.
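The three steps above (RestrictAnonymous, deleting the administrative shares, and AutoShareServer so they are not recreated at boot) are done by hand in regedit and cmd. The script below applies them in one go and is an added example, not part of the original post. It assumes an elevated PowerShell on a system with the SmbShare module (Windows 8 / Server 2012 or later) for listing shares, and uses net share for the deletions exactly as the post does. AutoShareWks is not on the page; it is the workstation-edition counterpart of AutoShareServer and is set as well on the assumption that the machine may be a workstation build.

```powershell
# Added example, not from the original post. Applies the "Universal solution"
# hardening steps. Run in an elevated PowerShell prompt.

# 1. RestrictAnonymous = 1. The post warns that 2 can stop services such as
#    SQL Server from starting, so 1 is used here.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name RestrictAnonymous -Value 1 -Type DWord

# 2. Show the current shares, then delete the administrative defaults
#    (IPC$, ADMIN$, C$, D$, ...) one at a time with net share, as the post does.
Get-SmbShare | Format-Table Name, Path, Description -AutoSize
$defaults = Get-SmbShare | Where-Object { $_.Name -match '^(IPC|ADMIN|[A-Z])\$$' }
foreach ($share in $defaults) {
    & net share "$($share.Name)" /delete
}

# 3. Stop the Server service recreating the shares at the next boot.
#    The post says to create the key if it is missing, hence the Test-Path.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (-not (Test-Path -Path $lanman)) {
    New-Item -Path $lanman -Force | Out-Null
}
New-ItemProperty -Path $lanman -Name AutoShareServer -PropertyType DWord -Value 0 -Force | Out-Null
# Assumption: workstation builds read AutoShareWks instead (not mentioned in the post).
New-ItemProperty -Path $lanman -Name AutoShareWks -PropertyType DWord -Value 0 -Force | Out-Null

# Verify the result
Get-ItemProperty -Path $lsa -Name RestrictAnonymous | Select-Object RestrictAnonymous
Get-ItemProperty -Path $lanman -Name AutoShareServer, AutoShareWks |
    Select-Object AutoShareServer, AutoShareWks
Get-SmbShare | Select-Object Name, Path
```

Deleting the shares with net share is only effective until the Server service restarts; the AutoShareServer/AutoShareWks values in step 3 are what make the change persist, so reboot afterwards and run net share again to confirm the C$ and ADMIN$ entries have not come back. Removing these shares also removes the remote-administration path that the worm uses for default-share propagation on the intranet, which the post names as its most damaging trait for enterprises.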

Let's take a look at how powerful this virus is: it instantly copies itself across the whole hard disk, can monitor QQ records, and still works on internet-cafe computers! Obviously there is some kind of "wizard" transfer function. Noteworthy functions: deleting GHOST backup files, controlling the computer to take part in collective DDoS attacks, and even killing KV, Rising and Jinshan anti-virus!

Let's look at the virus's special characteristic: network spread! It spreads through weak computer passwords and default shares, and spreads quickly in the intranet! It is very lethal to enterprises that live on their network! The virus immediately copies itself across the entire hard disk and takes up very little memory.

Although the panda virus is not very new, the author of the virus is really admirable: an out-and-out network expert and a super-excellent programmer!

Many anti-virus products now have a dedicated tool for removing Panda Burning Incense, which can kill the latest variants!