How to solve Windows worm virus

0x00 Foreword

Worm virus is a very old computer virus. It is a self-contained program (or a set of programs) that usually spreads through the network. Every time it invades a new computer computer, it replicates itself on this computer and automatically executes its own programs.

Common worms: Panda Burning Incense Virus, Shock Wave/Shock Wave Virus, Conficker Virus, etc.

0x01 Emergency Scenario

One morning, the administrator found at the egress firewall that the internal network server continued to initiate active connections to overseas IPs. The internal network environment was unable to connect to the external network, and there was no way to figure it out.

0x02 Event Analysis

For the intranet IP of the server seen on the egress firewall, first disconnect the virus-infected host from the intranet, then log in to the server and open D-shield_web scan Check the port connection status and you can find that the local area initiates a large number of active connections to the external network IP:

Through the port exception and tracking the process ID, you can find that the exception is caused by svchost.exe windows Caused by the service main process, svchost.exe sends requests to port 445 of a large number of remote IPs:

Here we speculate that the system process may be infected by a virus, and use Kaspersky virus to check and kill it Tool, scan and kill all files, and find an exception in c:\windows\system32\qntofmhz.dll:

Use multi-engine online virus scanning (http://www.virscan.org /) Scan the file:

Confirm that the server is infected with the conficker worm virus, download the conficker worm killing tool to check the server, and successfully remove the virus.

1、发现异常：出口防火墙、本地端口连接情况，主动向外网发起大量连接
2、病毒查杀：卡巴斯基全盘扫描，发现异常文件
3、确认病毒：使用多引擎在线病毒对该文件扫描，确认服务器感染conficker蠕虫病毒。
4、病毒处理：使用conficker蠕虫专杀工具对服务器进行清查，成功清除病毒。

0x03 Preventive measures

In government and hospital intranets, there are still some very old infectious viruses. How to protect computers from virus infection , summarizing several preventive measures:

1、安装杀毒软件，定期全盘扫描
2、不使用来历不明的软件，不随意接入未经查杀的U盘
3、定期对windows系统漏洞进行修复，不给病毒可乘之机
4、做好重要文件的备份，备份，备份。

The above is the detailed content of How to solve Windows worm virus. For more information, please follow other related articles on the PHP Chinese website!