Symptoms of infection:
1.
2. Copying, cutting and pasting through the clipboard no longer work normally!
3. If you paste text, the word "hello" appears at the paste location instead of the original text!
[Damage Mode]: This virus uses a folder icon, which is very deceptive. After the virus runs, it copies itself into other directories in large quantities.
First, when the virus runs for the first time, it displays "This file has been corrupted!";
Second, it copies itself to the Windows directory under the name Mstray.exe;
Third, it modifies the registry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that it starts automatically;
Fourth, enumerate the disk directories and release the following files under each root directory:
Winfile.exe: the main virus program.
Comment.htt: uses an IE vulnerability to call the "winfile.exe" in the same directory; its attribute is hidden.
Desktop.ini: its attributes are system and hidden. When the folder is browsed in web view, the system calls this file, and the file calls comment.htt, thus activating the virus.
Fifth, the virus modifies the registry so that system files, files protected by the system, and known file extensions are hidden.
In this way, users can't see comment.htt and Desktop.ini. winfile.exe has its extension hidden and shows a folder icon, so users can easily mistake it for a folder and click it.
At the same time, the copy of itself that the virus creates in the current path takes the name of the parent directory or the title of the current window, which makes it harder to spot.
Sixth, the virus calls Outlook to send emails carrying the virus.
Manual removal
Find Mstray.exe (note that it is a system and hidden file, located under the system folder) and delete it. Then modify the registry to delete the Mstray.exe startup item under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and then use the search function of Windows to search for all of:
Winfile.exe, comment.htt, desktop.ini (remove the system and hidden attributes first)
Some desktop.ini files are original Windows files.
Finally, search for all *.exe files; you will find many .exe files. Delete all of these files.
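An added example, not part of the original write-up: a Python triage that walks a drive or folder and lists the files matching the description above, flagging a desktop.ini only when it refers to comment.htt so that the original Windows desktop.ini files are left alone. The sample tree and its file contents are constructed, and the parent-directory name match is a heuristic for review, not proof of infection.

```python
import os
import tempfile
from pathlib import Path

# File names the page says the virus drops (compared case-insensitively).
DROPPED = {"winfile.exe", "comment.htt", "mstray.exe"}

def triage(root):
    """Return (relative path, reason) pairs; os.walk also lists hidden and system files."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        folder = Path(dirpath)
        for fname in sorted(filenames):
            path, low = folder / fname, fname.lower()
            stem, ext = os.path.splitext(low)
            reason = None
            if low in DROPPED:
                reason = "name of a dropped file"
            elif low == "desktop.ini":
                # Windows ships its own desktop.ini files; only flag one that
                # refers to comment.htt. NULs are stripped so UTF-16 files match.
                data = path.read_bytes().replace(b"\x00", b"").lower()
                if b"comment.htt" in data:
                    reason = "desktop.ini refers to comment.htt"
            elif ext == ".exe" and stem == folder.name.lower():
                # Heuristic only: legitimate programs can share their folder's name.
                reason = "exe named after its parent directory (review)"
            if reason:
                findings.append((path.relative_to(root).as_posix(), reason))
    return findings

def build_sample(root):
    """Create a small constructed tree: an infected root plus one ordinary folder."""
    root = Path(root)
    (root / "Photos").mkdir()
    (root / "winfile.exe").write_bytes(b"MZ")
    (root / "comment.htt").write_text("<html></html>")
    (root / "desktop.ini").write_text("[constructed]\nfile=comment.htt\n", encoding="utf-16")
    (root / "Photos" / "desktop.ini").write_text("[.ShellClassInfo]\nIconIndex=0\n")
    (root / "Photos" / "Photos.exe").write_bytes(b"MZ")
    (root / "Photos" / "setup.exe").write_bytes(b"MZ")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel_path, reason in triage(tmp):
            print(f"{rel_path}: {reason}")
```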
Worm.sober
Virus name: Worm.sober
Chinese name: sober
Threat level: 3C
Virus type: worm
Affected systems: Win9x/NT/2K/XP.
Virus alias:
I-Worm.Sober [AVP]
W32.Sober@mm [Symantec]
The worm disguises itself as an email containing anti-virus software, enticing users to open its attachment. Once activated, it sends large numbers of infected emails from the host, wasting a great deal of system and network resources. The Sober virus has had a large impact in Europe, especially in Britain and Germany.
Technical features:
1. Copies itself to the system directory (%system%); the file name of the virus copy is:
similare.exe
systemchk.exe
winrea.exe
2. Adds registry startup items so that it starts with the system.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"syspath" = "%System%\drv.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"syspath" = "%System%\drv.exe"
3. Spreads by email. The subject of the email varies, the text is in English and German, and the extension of the attachment may be bat, com, exe, pif or scr.
A. Usually the subject and content of the email say that "the attachment of this email is a tool to remove the Sobig-Worm ("Big Mac" worm, Sobig) virus", thus inducing users to open the attachment;
For example:
Subject: the new Sobig-Worm variant (please read)
Text: The new Sobig variant in the network.
You must change any settings before the worm takes control of your computer!
However, please read the official statement of Norton antivirus software!
File attachment: NAV.pif
B. Infected mail usually has the following characteristics:
Automatic email notification: robot system _ _ #
C. The file extensions the virus searches are: htt, rtf, doc, xls, ini, mdb, txt, shtm, shtml, wab, pst, fdb, cfg, ldb, eml, abc, ldif, nab, adp, mdw, mda, mde, ade, sln, dsw, dsp.
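An added example (not from the original page) that checks saved `reg query` output of the two Run keys for the startup items named on this page: the "syspath" value, drv.exe, the three Sober copies, and Mstray.exe from the first write-up. The sample output, including the value name "Mstray" and the C:\WINDOWS paths, is constructed.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from this page (compared case-insensitively).
RUN_VALUE_NAMES = {"syspath"}
RUN_IMAGE_NAMES = {"mstray.exe", "drv.exe", "similare.exe", "systemchk.exe", "winrea.exe"}

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.+$")
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")
IMAGE_RE = re.compile(r'"?(.+?\.(?:exe|com|pif|scr|bat))(?=["\s]|$)', re.I)

# Constructed sample of `reg query <key>` output for the HKLM and HKCU Run keys.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    C:\WINDOWS\SOUNDMAN.EXE
    Mstray    REG_SZ    C:\WINDOWS\Mstray.exe
    syspath    REG_SZ    C:\WINDOWS\system32\drv.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    syspath    REG_SZ    C:\WINDOWS\system32\drv.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

def image_name(command):
    """Lower-cased executable file name from a Run command line (quoted or not)."""
    m = IMAGE_RE.match(command.strip())
    path = m.group(1) if m else command.strip().strip('"')
    return PureWindowsPath(path).name.lower()

def suspicious_run_entries(reg_query_output):
    """Return (key, value name, data) for Run entries matching the page's indicators."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if KEY_RE.match(line):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith("\\currentversion\\run"):
            continue
        name, data = m["name"].strip(), m["data"].strip()
        if name.lower() in RUN_VALUE_NAMES or image_name(data) in RUN_IMAGE_NAMES:
            findings.append((key, name, data))
    return findings

if __name__ == "__main__":
    for key, name, data in suspicious_run_entries(SAMPLE):
        print(f"{key}: {name} -> {data}")
```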
Solution:
If your system suddenly slows down, or the following dialog box pops up when you open a program, your system may be infected with the "Sober" worm. Please remove it in the following ways:
1. Please upgrade your Kingsoft Internet Security to the version of October 30th, which can completely remove the virus;
2. Please don't trust anti-virus tool emails sent under any name, especially those claiming to target the "Worm.Sobig" virus;
3. Manual removal method:
For WIN9X users, you can delete the following virus files in pure DOS mode:
%system%\similare.exe
%system%\systemchk.exe
%system%\winrea.exe
For Win2000/WinXP users, please use Task Manager to end the processes named "similare.exe", "systemchk.exe" and "winrea.exe", and then delete the following files:
%system%\similare.exe
%system%\systemchk.exe
%system%\winrea.exe
Delete the startup items added by the virus in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"syspath" = "%System%\drv.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"syspath" = "%System%\drv.exe"