"Great Promise variant E" virus file


Alert level: ★ ★ ★ ★
Attack Time: Random
Virus Type: Worm
Mode of transmission: Mail / LAN
Infected objects: local area network
Affected systems: WIN9X/NT/2000/XP
Virus description:

On June 26, Rising's global anti-virus monitoring network intercepted this virus. It is currently the most powerful virus in the Great Promise family, and this variant spreads faster than the other variants. After running, the virus copies itself to the system directory and modifies the registry so that it starts automatically. It then infects computers on the LAN by copying itself into their startup directories, resulting in the entire network being infected. The virus also searches for the user's mail addresses and sends out a large volume of mail, so networks.

Find and remove the virus:

This virus has the following characteristics. If a user finds these characteristics on a computer, it is likely infected with this virus:

1. When run, the virus copies itself to the %Windir% directory under the name winssk32.exe, and then creates a virus configuration file called msrrf.dat in that directory. Users can search the computer for these two files and delete them.

Note: %Windir% is a variable that refers to the Windows installation directory. The default is "C:\Windows" or "C:\Winnt"; the user can also specify another directory when installing the operating system.

2. The virus modifies the registry so that it runs from the startup items: under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run it adds a value named "SSK Service" with the data "%Windir%\winssk32.exe", so that the virus runs automatically at the next system startup. Users can use the REGEDIT tool to delete this value directly so that the virus cannot start.

3. While running, the virus creates a process named winssk32 in memory. Users of NT and later operating systems can kill the process directly with Task Manager; users of 9X operating systems can only kill the virus process with third-party software such as PROCVIEW.

4. The virus searches for computers on the LAN. If it finds a computer with default shares, it copies itself to that computer's Windows\All Users\Start Menu\Programs\StartUp and Documents and Settings\All Users\Start Menu\Programs\Startup directories. Users can check these directories for the virus body mentioned above and delete it if it is present.

5. The virus searches the disk for *.web, *.txt, *.dbx, *.htm, *.html and *.eml files and extracts mail addresses from them in order to spread by e-mail.
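
The file and registry checks from steps 1, 2 and 4, written as an added Python example for offline triage (it is not part of the original advisory). It assumes the suspect system drive is mounted read-only at `root` and that the Run key was exported to text with REGEDIT; the function names are hypothetical, and the startup-folder copy is assumed to keep the name winssk32.exe.

```python
from pathlib import Path

# Indicators taken from the description above.
WINDIR_FILES = ("winssk32.exe", "msrrf.dat")
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SSK Service"
STARTUP_DIRS = (
    "Windows/All Users/Start Menu/Programs/StartUp",
    "Documents and Settings/All Users/Start Menu/Programs/Startup",
)

def find_ci(root, rel):
    """Resolve rel under root ignoring case (as Windows does); None if absent."""
    cur = Path(root)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        cur = next((p for p in cur.iterdir() if p.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur

def scan_files(root, windir="Windows"):
    """Return virus files found on a mounted copy of the system drive."""
    # Step 1: the copy and its configuration file in %Windir%.
    wanted = [f"{windir}/{name}" for name in WINDIR_FILES]
    # Step 4: copies dropped into the shared startup folders. Assumption:
    # the copy keeps the name winssk32.exe (the page does not name it).
    wanted += [f"{d}/winssk32.exe" for d in STARTUP_DIRS]
    return [p for p in (find_ci(root, rel) for rel in wanted) if p is not None]

def scan_reg_export(text):
    """Return the data of the 'SSK Service' Run value in a REGEDIT export, or None."""
    in_run_key = False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):  # start of a new key section
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run_key and line.lower().startswith(f'"{RUN_VALUE.lower()}"='):
            data = line.split("=", 1)[1].strip('"')
            return data.replace("\\\\", "\\")  # .reg files double the backslashes
    return None

if __name__ == "__main__":
    # Constructed sample export, not taken from a real system.
    sample = "[" + RUN_KEY + ']\n"SSK Service"="C:\\\\WINDOWS\\\\winssk32.exe"\n'
    print(scan_reg_export(sample))
```

Pass `windir="Winnt"` to `scan_files` for systems installed to the other default directory named in the note above.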





The e-mail sender may be: support@yahoo.com

The message title may be:

· Re: Application

· Re: Movie

· Re: Movies

· Re: Submitted

· Re: Screensaver

· Re: Documents

· Re: Re: Application ref 003644

· Re: Re: Document

· Your application

· Application.pif

· Applications.pif

· Movie.pif

· Screensaver.scr

· Submited.pif

· New document.pif

· Re: document.pif

· 004448554.pif

· Referer.pif

The e-mail attachment may be:

· Your_details.zip

· Application.zip

· Document.zip

· Screensaver.zip

· Movie.zip

Users who have not installed antivirus software can delete this message if they receive it.

If users find all or some of the above symptoms on their computer, it is likely infected with the Great Promise variant E (Worm.SoBig.E) virus.