How to solve the Windows worm virus

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article is a detailed introduction to "How to solve the Windows worm virus". It walks through one emergency-response case step by step and closes with preventive measures.

0x00 Preface

A worm is one of the oldest kinds of computer virus. It is a self-contained program (or set of programs) that usually spreads over the network. Each time it invades a new computer, it copies itself onto that machine and runs automatically.

Common worms: Panda Burning Incense, Blaster ("Shock Wave") / Sasser, Conficker, etc.

0x01 Emergency scenario

One morning, the administrator noticed at the egress firewall that an intranet server was continuously initiating active connections to overseas IPs. Because this is an intranet environment that cannot reach the external network, no screenshot is available for this step.

0x02 Event Analysis

Using the server's intranet IP seen at the egress firewall, first disconnect the infected host from the intranet, then log in to the server and open D Shield_web to check the port connections. You can see that the host is initiating a large number of active connections to intranet IPs.

Tracing the abnormal port activity back to its process ID shows that it comes from svchost.exe, the Windows service host process: svchost.exe is sending requests to port 445 on a large number of remote IPs.

From this we suspect that a system process has been infected. Run a full scan with the Kaspersky virus removal tool, which flags c:\windows\system32\qntofmhz.dll as abnormal.

Scan this file with a multi-engine online virus scanner (http://www.virscan.org/).

This confirms that the server is infected with the Conficker worm. Download a Conficker removal tool, scan the server, and clear the virus.
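The port-to-process tracing step above can also be done from saved `netstat -ano` output. The following is an added example, not part of the original article: it flags any PID that has outbound connections to port 445 on many distinct hosts. The sample output is constructed, and the threshold of 5 hosts is an assumption to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not from the original incident).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49201     192.168.1.21:445       SYN_SENT        1044
  TCP    192.168.1.10:49202     192.168.1.22:445       SYN_SENT        1044
  TCP    192.168.1.10:49203     192.168.1.23:445       SYN_SENT        1044
  TCP    192.168.1.10:49204     192.168.1.24:445       ESTABLISHED     1044
  TCP    192.168.1.10:49205     192.168.1.25:445       SYN_SENT        1044
  TCP    192.168.1.10:49300     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.10:3389      192.168.1.99:51512     ESTABLISHED     980
"""

# One TCP row: local addr:port, remote addr:port, state, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def smb_fanout(netstat_text, port=445, threshold=5):
    """Return {pid: sorted remote IPs} for PIDs with outbound connections to
    `port` on at least `threshold` distinct remote hosts (assumed threshold)."""
    peers = defaultdict(set)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows, blank lines
        _lip, _lport, rip, rport, state, pid = m.groups()
        if state == "LISTENING" or int(rport) != port:
            continue  # keep only outbound attempts to the target port
        peers[int(pid)].add(rip)
    return {pid: sorted(ips) for pid, ips in peers.items() if len(ips) >= threshold}

if __name__ == "__main__":
    for pid, ips in smb_fanout(SAMPLE_NETSTAT).items():
        # Next step for the responder: map the PID to its hosted services.
        print(f'PID {pid}: {len(ips)} distinct hosts on 445; '
              f'run: tasklist /svc /fi "PID eq {pid}"')
```

A single file-server session on 445 (PID 4 in the sample) stays below the threshold, while the process fanning out to many hosts is reported.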

1. Anomaly found: at the egress firewall and in the local port connections, the host is actively initiating a large number of connections to the external network.
2. Virus detection and removal: a full Kaspersky scan finds the abnormal file.
3. Confirm the virus: a multi-engine online virus scan confirms that the server is infected with the Conficker worm.
4. Virus treatment: use a Conficker removal tool to scan the server and remove the virus.

0x03 Preventive measures

In government and hospital intranets, some very old infectious viruses are still around. To protect computers from infection, here are several preventive measures:

1. Install anti-virus software and run scans regularly.
2. Do not use software of unknown origin. Do not plug in USB drives that have not been virus-scanned.
3. Regularly patch Windows vulnerabilities so the virus has no opening.
4. Back up important files. Back up.

That concludes this article on how to solve the Windows worm virus. Mastering the material still takes hands-on practice.
