荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: Mic (酷鱼), 信区: Virus
标 题: [合集]Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: 荔园晨风BBS站 (Tue Apr 24 13:56:04 2001), 转信
========================
转自水木清华
========================
发信人: swordfb (满江红), 信区: Virus
标 题: Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: BBS 水木清华站 (Sat Apr 21 21:40:40 2001)
我替老板的机器杀毒,用nav2001干掉了一些word宏病毒;
可还发现了一个叫W32.HLLW.Qaz(gen)的病毒,感染了notepad.exe,用nav不能修复(re
pair),也不能隔离(quarantine),然后就建议我删除(delete)。我可以删除notep
ad.exe吗?有这么简单吗?如果删了会不会导致什么其他后果,还请各位大侠给个万全
之策,有礼了!//bow!
========================
发信人: Ranma (乱马猫~~繁星似尘), 信区: Virus
标 题: Re: Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: BBS 水木清华站 (Sat Apr 21 21:53:20 2001)
只有notepad.exe有?呵呵,难以想象
【 在 swordfb (满江红) 的大作中提到: 】
: 我替老板的机器杀毒,用nav2001干掉了一些word宏病毒;
: 可还发现了一个叫W32.HLLW.Qaz(gen)的病毒,感染了notepad.exe,用nav不能修复(re
: pair),也不能隔离(quarantine),然后就建议我删除(delete)。我可以删除notep
: ad.exe吗?有这么简单吗?如果删了会不会导致什么其他后果,还请各位大侠给个万全
: 之策,有礼了!//bow!
=========================
发信人: swordfb (满江红), 信区: Virus
标 题: Re: Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: BBS 水木清华站 (Sat Apr 21 22:13:37 2001)
还真就只这个有,我也觉得邪门。
【 在 Ranma (乱马猫~~繁星似尘) 的大作中提到: 】
: 只有notepad.exe有?呵呵,难以想象
=========================
发信人: Ranma (乱马猫~~繁星似尘), 信区: Virus
标 题: Re: Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: BBS 水木清华站 (Sat Apr 21 22:31:12 2001)
不过也有可能,比如你老板从来没用过notepad
干脆delete调算了,从别的机器上再拷一个notepad吧。
或者打开nav的写文件保护,然后执行一下notepad,
看看是不是真的是病毒。呵呵
【 在 swordfb (满江红) 的大作中提到: 】
: 还真就只这个有,我也觉得邪门。
=========================
发信人: swordfb (满江红), 信区: Virus
标 题: Re: Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: BBS 水木清华站 (Sat Apr 21 22:41:54 2001)
直接删还删不掉,说是正在被使用,后来在注册表的run里找到了notepad,我把它删掉
重启看看
==========================
发信人: Ranma (乱马猫~~繁星似尘), 信区: Virus
标 题: Re: Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: BBS 水木清华站 (Sat Apr 21 22:46:25 2001)
那可能是个木马,套了一个notepad的马甲...
==========================
发信人: Ranma (乱马猫~~繁星似尘), 信区: Virus
标 题: Re: Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: BBS 水木清华站 (Sat Apr 21 23:01:38 2001)
W32.HLLW.Qaz.A
Discovered on: July 18, 2000
Printer-friendly version
Due to a decrease in submissions, this virus has been downgraded to a
threat
level 3 as of December 7, 2000.
W32.HLLW.Qaz.A was first discovered in China in July 2000. It is a
companion
virus that can spread over the network. It also has a "backdoor" that
will
enable a remote user to connect to and control the computer using port
7597.
Because the virus cannot spread to computers outside of the network, it
may
have originally been sent out by email.
W32.HLLW.Qaz.A was originally know as Qaz.Trojan. It was renamed to
W32.HLLW
.Qaz.A on August 10, 2000. As of September 14, 2000, there are at
least four
variants of the original virus.
Also Known As: Qaz.Trojan, Qaz.Worm, W32.HLLW.Qaz (gen)
Category: Worm
Infection Length: 120320,
Infection Length: 119296,
Infection Length: 120297,
Infection Length: 122880
Virus Definitions: July 18, 2000
Threat Assessment:
Wild:
High Damage:
Low Distribution:
Low
Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Moderate
Removal: Moderate
Damage:
Payload Trigger: Each time the virus is executed
Payload: Creates a backdoor on the computer
Modifies files: Renames Notepad.exe to Note.com
Releases confidential info: Emails the infected computer's IP address to
the
hacker and also creates a backdoor to the computer
Compromises security settings: Allows unauthorized access to the
computer
Distribution:
Ports: Listens for incoming TCP/IP connections on port 7597
Target of infection: Notepad.exe
Virus Definitions: July 18, 2000
Threat Assessment:
Wild:
High Damage:
Low Distribution:
Low
Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Moderate
Removal: Moderate
Damage:
Payload Trigger: Each time the virus is executed
Payload: Creates a backdoor on the computer
Modifies files: Renames Notepad.exe to Note.com
Releases confidential info: Emails the infected computer's IP address to
the
hacker and also creates a backdoor to the computer
Compromises security settings: Allows unauthorized access to the
computer
Distribution:
Ports: Listens for incoming TCP/IP connections on port 7597
Target of infection: Notepad.exe
.
If you cannot obtain the tool, see the manual removal instructions
that foll
ow.
Manual removal instructions
To remove this virus manually, you need to:
Delete the virus's program files
Remove the startIE and bymer.scanner registry entries
Restore the original Notepad.exe file
Detailed instructions follow. If you are on a network, then you must
perform
these steps for each computer connected to the network.
NOTE: Some components of this virus are distributed, at least in part,
using
an illegally altered version of a legitimate program. For additional
inform
ation on distributed.net, the legitimate program that has been illegally
alt
ered to do this, see the document What is Distributed.net?
To delete the virus's program files:
Run a full system scan, and delete any infected files. Boot to MS-DOS
mode,
and then delete the virus-infected Notepad.exe and Note.com files, and
in so
me cases, an infected copy of the Wininit.exe file. Follow these steps
to do
this:
NOTE: These instructions tell you to delete the files in MS-DOS mode.
This i
s because you must be disconnected from the network when deleting
these file
s. If you are sure that you can restart the computer without
connecting to t
.
If you cannot obtain the tool, see the manual removal instructions
that foll
ow.
Manual removal instructions
To remove this virus manually, you need to:
Delete the virus's program files
Remove the startIE and bymer.scanner registry entries
Restore the original Notepad.exe file
Detailed instructions follow. If you are on a network, then you must
perform
these steps for each computer connected to the network.
NOTE: Some components of this virus are distributed, at least in part,
using
an illegally altered version of a legitimate program. For additional
inform
ation on distributed.net, the legitimate program that has been illegally
alt
ered to do this, see the document What is Distributed.net?
To delete the virus's program files:
Run a full system scan, and delete any infected files. Boot to MS-DOS
mode,
and then delete the virus-infected Notepad.exe and Note.com files, and
in so
me cases, an infected copy of the Wininit.exe file. Follow these steps
to do
this:
NOTE: These instructions tell you to delete the files in MS-DOS mode.
This i
s because you must be disconnected from the network when deleting
these file
s. If you are sure that you can restart the computer without
connecting to t
he network, then you can delete the files in Windows using Windows
Explorer.
1. After running LiveUpdate to make sure that you have the most recent
virus
definitions, run a full system scan, making sure that NAV is set to
scan al
l files as previously described.
2. Delete any files that NAV finds that are infected with this virus.
3. Click Start, and then click Shut Down.
4. Click Restart in MS-DOS mode, and then click OK. The computer
restarts to
DOS mode, at the C:\Windows prompt.
NOTE: This feature has been removed from Windows Me. If you are using
Window
s Me, you will have to use a Windows Me startup disk to boot to DOS. See
you
r Windows Me documentation for information on how to do this.
5. Type the following, pressing Enter after each line:
del notepad.exe
ren note.com notepad.exe
6. Type the following, and then press Enter:
cd system
The prompt should now look similar to the following:
C:\Windows\System>
CAUTION: In the next step you will delete a file. This file may not be
found
on all systems infected with this virus. It is extremely important that
you
make sure that you are at the \Windows\System prompt and not at the
\Window
he network, then you can delete the files in Windows using Windows
Explorer.
1. After running LiveUpdate to make sure that you have the most recent
virus
definitions, run a full system scan, making sure that NAV is set to
scan al
l files as previously described.
2. Delete any files that NAV finds that are infected with this virus.
3. Click Start, and then click Shut Down.
4. Click Restart in MS-DOS mode, and then click OK. The computer
restarts to
DOS mode, at the C:\Windows prompt.
NOTE: This feature has been removed from Windows Me. If you are using
Window
s Me, you will have to use a Windows Me startup disk to boot to DOS. See
you
r Windows Me documentation for information on how to do this.
5. Type the following, pressing Enter after each line:
del notepad.exe
ren note.com notepad.exe
6. Type the following, and then press Enter:
cd system
The prompt should now look similar to the following:
C:\Windows\System>
CAUTION: In the next step you will delete a file. This file may not be
found
on all systems infected with this virus. It is extremely important that
you
make sure that you are at the \Windows\System prompt and not at the
\Window
8. Exit the Registry Editor.
Perform another full system scan when you have finished.
Additional information:
Configure Windows for maximum protection
Because this virus spreads by using shared folders on networked
computers, t
o ensure that the virus does not reinfect the computer after it has been
rem
oved, Symantec suggests sharing with read-only access or using
password prot
ection. For instructions on how to do this, see your Windows
documentation o
r the document How to configure shared Windows folders for maximum
network p
rotection.
【 在 Ranma (乱马猫~~繁星似尘) 的大作中提到: 】
: 那可能是个木马,套了一个notepad的马甲...
=========================
发信人: Ranma (乱马猫~~繁星似尘), 信区: Virus
标 题: Re: Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: BBS 水木清华站 (Sat Apr 21 23:02:24 2001)
正如我所预料,是一个木马。呵呵
=========================
发信人: swordfb (满江红), 信区: Virus
标 题: Re: Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: BBS 水木清华站 (Sat Apr 21 23:08:12 2001)
多谢!
【 在 Ranma (乱马猫~~繁星似尘) 的大作中提到: 】
: 正如我所预料,是一个木马。呵呵
==========================
发信人: Ranma (乱马猫~~繁星似尘), 信区: Virus
标 题: Re: Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: BBS 水木清华站 (Sat Apr 21 23:12:00 2001)
remove tools
http://www.symantec.com/avcenter/fixqaz.exe
不过看起来你不需要了
【 在 swordfb (满江红) 的大作中提到: 】
: 多谢!
===========================
发信人: LJF (FOR-DREAM), 信区: Virus
标 题: Re: Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: BBS 水木清华站 (Sat Apr 21 23:15:17 2001)
替我看看w32.magistr.int是什么病毒,如何删掉
nav2001,4月18日的病毒库不行
【 在 Ranma (乱马猫~~繁星似尘) 的大作中提到: 】
: remove tools
: http://www.symantec.com/avcenter/fixqaz.exe
: 不过看起来你不需要了
============================
发信人: swordfb (满江红), 信区: Virus
标 题: Re: Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: BBS 水木清华站 (Sat Apr 21 23:15:36 2001)
好像已经没事了,3x!
【 在 Ranma (乱马猫~~繁星似尘) 的大作中提到: 】
: remove tools
: http://www.symantec.com/avcenter/fixqaz.exe
: 不过看起来你不需要了
=============================
发信人: Ranma (乱马猫~~繁星似尘), 信区: Virus
标 题: Re: Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: BBS 水木清华站 (Sat Apr 21 23:23:40 2001)
不知道这个文件能不能帮你,其实也是杀那个@mm的。说不定阿
ftp://ftp.avx.com/tools/magistr/antimagistr.exe
【 在 LJF (FOR-DREAM) 的大作中提到: 】
: 替我看看w32.magistr.int是什么病毒,如何删掉
: nav2001,4月18日的病毒库不行
==============================
发信人: Ranma (乱马猫~~繁星似尘), 信区: Virus
标 题: Re: Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: BBS 水木清华站 (Sat Apr 21 23:42:54 2001)
呵呵,waiting for以后的release吧。
如果你担心病毒发作,毁掉呢的主板,
那就format硬盘重装系统巴
【 在 LJF (FOR-DREAM) 的大作中提到: 】
: 替我看看w32.magistr.int是什么病毒,如何删掉
: nav2001,4月18日的病毒库不行
===============================
发信人: LJF (FOR-DREAM), 信区: Virus
标 题: Re: Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: BBS 水木清华站 (Sun Apr 22 18:14:29 2001)
不要吓我,还是等以后 的病毒库吧
再要不行,删掉所有染毒文件!!!!
【 在 Ranma (乱马猫~~繁星似尘) 的大作中提到: 】
: 呵呵,waiting for以后的release吧。
: 如果你担心病毒发作,毁掉呢的主板,
: 那就format硬盘重装系统巴
===============================
发信人: brival (豆腐), 信区: Virus
标 题: Re: Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: BBS 水木清华站 (Sun Apr 22 19:33:49 2001)
Ranma你在哪儿上网?专门去国外网站,看来速度也不慢.
呵呵,几个大的病毒厂商看来你都去啦.
羡慕的说,偶可花不起这钱.
【 在 Ranma (乱马猫~~繁星似尘) 的大作中提到: 】
: 不知道这个文件能不能帮你,其实也是杀那个@mm的。说不定阿
: ftp://ftp.avx.com/tools/magistr/antimagistr.exe
================================
发信人: ssmxjl (苦瓜), 信区: Virus
标 题: Re: Help!!!中毒 W32.HLLW.Qaz(gen)
发信站: BBS 水木清华站 (Mon Apr 23 18:51:52 2001)
呵呵,用代理啦
【 在 brival (豆腐) 的大作中提到: 】
: Ranma你在哪儿上网?专门去国外网站,看来速度也不慢.
: 呵呵,几个大的病毒厂商看来你都去啦.
: 羡慕的说,偶可花不起这钱.
================================
(__ \ / / ☆ ☆ ☆
| w | ☆ 萝卜、萝卜、萝卜、好大的萝卜... ☆
_( @ @ )_ ☆ ☆ ☆
( ==oOo== ) ☆
┏━━oOO━ " ━━━━OOo━━━━━━━━━━━━━━━━━━━┓
※ 来源:·荔园晨风BBS站 bbs.szu.edu.cn·[FROM: 192.168.28.108]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店