File Exchange Net

How to use the P2P file exchange software "WinMX", "Winny", "Share" and "BitTorrent", with introductions to convenient software.


This site has moved to "Filing common net".

What is the Winny virus (alias ballocks)?

A worm that spreads through Winny, a P2P file-sharing program.

When a PC is infected with this worm, its user name, organization name, a desktop image, and the desktop contents are packaged into files and uploaded to the Winny network.

Ballocks my desktop [user name] [date].jpg

Ballocks my desktop [user name] [date] (file assortment).zip

Ballocks my desktop [user name] [date] (file assortment).lzh

(When there is an organization name, the name becomes "ballocks my desktop [user name] ([organization name]) [date]".)

As long as the PC remains infected, the desktop image is saved using a random value.

It infects a random folder in Program Files and registers itself to run at startup.

It appears to send mail saying "I am a Winny user" to the mail addresses registered in the contacts. (This may be unimplemented.)

Enters.

Infection route

It tries to infect by disguising itself with the icon of a folder, of the XP standard image viewer, or of Notepad.

It also appears to infect through HTML. Suspicious files may be included in the ballocks file assortment.

Take note if the HTML source contains an object tag such as: <object CLASSID = 'CLSID:00000000-0000-0000-0000-FFF085324649' CODEBASE = '.. read. files/TRAP.exe'></object>

It tries to infect by exploiting a weakness that lets a dangerous file with the ".folder" extension masquerade as a folder.

Because it is disguised with XP icons, it will not be triggered on other OSes except through HTML.

How to confirm infection

If a folder that you did not register has been registered in UpFolder.txt, the PC is infected.

If there is a suspicious file such as [user name].txt in C:\Documents and Settings\[user name]\Local Settings\Temp, the PC is infected.

If Notepad opens when you try to start the Registry Editor, the PC is infected.

Not all symptoms necessarily appear at once, even when the PC is infected.

If UpFolder.txt cannot be found, ballocks may have marked the file as a "system file".

It can probably be found by unchecking "Hide protected operating system files (Recommended)" under Tools → Folder Options → View in Explorer. Be careful, because important system files are also displayed when this is done.

Quotation

817 Name: 724 [sage] Posted: 04/03/16 04:32 ID:gqiQKL1N

>752

Open "Run" (execute by specifying a file name) and enter "msconfig".

Click the Startup tab.

Look for an exe that you have no recollection of starting at startup.

Open the location of that exe. (Maybe use search?)

If its icon is Notepad's, bingo.

If you cannot identify it, examine every exe to find out which one it is.

I don't know the proper removal method, so I won't write one.

Removal method

Disable System Restore.

Delete the readme.files folder found in the location specified in UpFolder.txt.

Delete the suspicious values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

(They are likely to include logon, start, autorun, or startup.) If you cannot tell which value is suspicious, follow its "Data" to the file. If that file has a disguised icon, it is ballocks.

Delete C:\Documents and Settings\[user name]\Local Settings\Temp\[user name].txt and similar files.

If a path such as that of Winny or ballocks is written in WINDOWS\win.ini or WINDOWS\system.ini, delete only that path.

Restore Regedit.exe and regedt32.exe.

Once a leaked file has been downloaded by other Winny users and has spread, it is very difficult to remove it from the Winny network.

Prevention method

Set Explorer to display file extensions. This alone greatly reduces the chance of triggering it.

In Explorer, go to Tools → Folder Options → View and uncheck "Hide extensions for known file types"; extensions will then be displayed.

Be careful: there may be a long run of blanks after the fake extension.

Do not keep important files on the desktop, in case they do unfortunately leak.

Do not use your real name as the user name.

Stop Winny when you judge that things look dangerous.

Watch out for the ".folder" extension.

By the way, even if UpFolder.txt is set to read-only, ballocks overrides that.
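
As an added example (not part of the original page), the following Python check flags the two file-name disguises noted in this section: the ".folder" extension and a long run of blanks hiding the real extension behind a fake one. The extension lists, the three-blank threshold, and the sample names are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumed lists for this example; extend them for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".zip", ".lzh", ".htm", ".html"}
# Three or more ASCII spaces, tabs or full-width spaces in a row (assumed threshold).
PADDING = re.compile(r"[ \t\u3000]{3,}")


def disguise_reasons(filename: str) -> list[str]:
    """Return the reasons a file name looks disguised (empty list = nothing found)."""
    reasons = []
    name = PureWindowsPath(filename).name
    stem, dot, ext = name.rpartition(".")
    ext = (dot + ext).lower() if dot else ""
    if ext == ".folder":
        reasons.append("'.folder' extension: file is shown as a folder")
    if PADDING.search(name):
        reasons.append("long run of blanks inside the name")
    if ext in EXECUTABLE_EXTS:
        # Look for a harmless-looking extension just before the real one.
        inner = re.search(r"(\.[A-Za-z0-9]{2,5})\s*$", stem)
        if inner and inner.group(1).lower() in DECOY_EXTS:
            reasons.append(f"decoy extension {inner.group(1)} before real {ext}")
    return reasons


# Constructed sample names, not taken from a real infection.
SAMPLES = [
    "readme.txt",
    "New Folder.folder",
    "photo.jpg" + " " * 40 + ".exe",
    "setup.exe",
]


def scan(names):
    """Map each flagged name to its reasons; clean names are omitted."""
    return {n: r for n in names if (r := disguise_reasons(n))}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(repr(name), "->", "; ".join(reasons))
```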

 
Copyright © 2005 ogahiro All rights reserved