Behavior Analysis and Manual Removal of the aboy.dll Trojan Cluster

by lqq_zaimoku on 2009-05-13 15:56:52

Yesterday, I directly ran the program on the machine without issues. Today, I'll go through it again:

1. Right-click on 1.exe and select "End Process Tree"

![1.JPG](1.JPG) (262.71 KB) 2009-5-5 12:07:44

2. Import files based on the SRENG log.

![3.JPG](3.JPG) (135.65 KB) 2009-5-5 12:07:44

**(This is an important point!!! After deletion and restart, it will look like this)**

![4.JPG](4.JPG) (206.17 KB) 2009-5-5 12:07:44

**All files in the QQ directory are deleted!!!!**

I only found one file:

![6.JPG](6.JPG) (226.60 KB) 2009-5-5 12:07:44

Next steps: replace explorer.exe, delete aboy.dll, replace comres.dll. That's it. Analysis result: it calls RUNDLL32 to create a process and drop additional payloads, leaving a guardian process behind at the end (no screenshot).

---

For easier viewing, I moved it up to the first post:

It first loads `%SystemRoot%\aboy.dll`, then drops and installs the driver `%SystemRoot%\system32\drivers\pcidump.sys`. After calling `ipconfig.exe` with the command line `"ipconfig.exe /ALL"`, it starts infecting system files on other partitions.

![Windows XP Professional-2009-05-04-18-56-13.png](Windows XP Professional-2009-05-04-18-56-13.png) (67.95 KB) 2009-5-4 19:05:35

SRENG wasn't infected, but my removal tools such as ED were infected (packed into VIRUS.ZIP). In short, it is very difficult to clean up. COMRES.dll was replaced, and aboy.dll carries an RPC attack! If the local network hasn't been patched, the infection can spread.

Manual cleaning suggestions:

- Download a normal version of COMRES.dll.

- Delete aboy.dll.

- Delete AUTORUN.inf.

- Clear the content of the HOSTS file.

- Delete virus files under DOS.

[Attached Images]

[attachimg]515282[/attachimg]

[attachimg]515287[/attachimg]

Published by smallyou93
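Added example (not code from either post above): a read-only PowerShell triage script that checks a host for the indicators this thread names before you go through the manual steps. It looks for `%SystemRoot%\aboy.dll` and `pcidump.sys`, a replaced `comres.dll`, `autorun.inf` on drive roots, non-localhost `HOSTS` entries, and `rundll32` or other processes with `aboy.dll` mapped (the guardian process). Assumptions not stated in the thread: PowerShell 4 or later (for `Get-FileHash` and `Get-CimInstance`), that the genuine `comres.dll` carries a valid Microsoft Authenticode signature, that `pcidump.sys` is registered under a service key, and the optional `$KnownGoodComres` path to the clean copy the post tells you to download. It reports only; it deletes nothing.

```powershell
# Triage for the aboy.dll / pcidump.sys / comres.dll cluster described in the thread.
# Added example; run as Administrator. Nothing is modified or deleted.
function Find-AboyIndicators {
    param(
        # Assumption: optional path to the clean comres.dll the thread says to download.
        [string]$KnownGoodComres = ''
    )
    $sysRoot  = $env:SystemRoot
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Kind, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
    }

    # 1. Files the thread names as dropped by the trojan.
    foreach ($p in @("$sysRoot\aboy.dll", "$sysRoot\system32\drivers\pcidump.sys")) {
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Add-Finding 'DroppedFile' "$p sha256=$h"
        }
    }

    # 2. Replaced comres.dll: compare with the clean copy if one was supplied,
    #    otherwise fall back to the Authenticode check (assumption: genuine file is Microsoft-signed).
    $comres = Join-Path $sysRoot 'system32\comres.dll'
    if (Test-Path -LiteralPath $comres) {
        if ($KnownGoodComres -and (Test-Path -LiteralPath $KnownGoodComres)) {
            $cur  = (Get-FileHash -LiteralPath $comres -Algorithm SHA256).Hash
            $good = (Get-FileHash -LiteralPath $KnownGoodComres -Algorithm SHA256).Hash
            if ($cur -ne $good) { Add-Finding 'ReplacedSystemFile' "$comres hash differs from clean copy ($cur)" }
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $comres
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                Add-Finding 'ReplacedSystemFile' "$comres signature status=$($sig.Status)"
            }
        }
    }

    # 3. Driver service whose ImagePath points at pcidump.sys (assumption: installed as a service).
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($img -and $img -match 'pcidump\.sys') { Add-Finding 'DriverService' "$($_.PSChildName): $img" }
    }

    # 4. autorun.inf on every drive root (the thread's spreading/persistence file).
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        $a = Join-Path $d.Root 'autorun.inf'
        if (Test-Path -LiteralPath $a) {
            $attr = (Get-Item -LiteralPath $a -Force).Attributes
            Add-Finding 'Autorun' "$a attributes=$attr"
        }
    }

    # 5. HOSTS: report any active line that is not a plain localhost mapping.
    $hosts = Join-Path $sysRoot 'system32\drivers\etc\hosts'
    if (Test-Path -LiteralPath $hosts) {
        foreach ($raw in Get-Content -LiteralPath $hosts) {
            $line = $raw.Trim()
            if ($line -and -not $line.StartsWith('#') -and
                $line -notmatch '^(127\.0\.0\.1|::1)\s+localhost\b') {
                Add-Finding 'HostsEntry' $line
            }
        }
    }

    # 6. Live processes: rundll32 launched with aboy.dll, and any process with aboy.dll mapped.
    Get-CimInstance Win32_Process -Filter "Name='rundll32.exe'" | ForEach-Object {
        if ($_.CommandLine -match 'aboy\.dll') { Add-Finding 'LiveProcess' "PID $($_.ProcessId): $($_.CommandLine)" }
    }
    foreach ($proc in Get-Process) {
        try {
            if ($proc.Modules | Where-Object { $_.ModuleName -ieq 'aboy.dll' }) {
                Add-Finding 'LoadedModule' "$($proc.ProcessName) PID $($proc.Id) has aboy.dll mapped"
            }
        } catch { }   # access denied / bitness mismatch on some processes
    }

    return $findings
}

$result = Find-AboyIndicators
if ($result.Count -eq 0) { Write-Host 'No indicators from the thread found.' }
else { $result | Format-Table -AutoSize }
```

Run it before and after the manual steps (clean comres.dll, delete aboy.dll and autorun.inf, clear HOSTS, delete the remaining files from a clean boot); an empty result after reboot is the check that the guardian process did not restore anything. Because the thread says the sample infected the author's own removal tools, run this from read-only media or a freshly unpacked copy, not from a toolkit that was on the box during infection.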