What "witchcraft" does the virus use to make the motherboard sing? It relies on vibration frequency: pitch is proportional to vibration frequency, so the faster an object vibrates, the higher the pitch. When a sequence of changing vibration frequencies is strung together, the motherboard buzzer emits a song.
In addition, the virus mainly relies on flash drives to spread. After infection, Task Manager and the registry are disabled, the folder options are hidden, the menu content in "My Computer" is tampered with, and program associations such as EXE and COM are also tampered with and forcibly erased.
Virus principle: After the "Singing Virus" enters the system, it copies 2009.exe and 4.exe to the system's Windows directory. Another virus file, .exe (the file has no file name), is released at random into any directory on the system. The virus then automatically loads these three files into memory so that the three processes protect each other; the .exe process in particular cannot be viewed in ordinary process managers.
The virus deletes the system file userinit.exe, changes the related Userinit startup item to 4.exe, and changes the contents of another system startup item, Shell, to 2009.exe. It then adds two more startup items, 4 and 2009, to the registry, and uses these four startup items to ensure that the virus files start with the system. In this way, even if the user deletes the startup items added by the virus but does not notice that the existing startup items have been tampered with, the virus can still start and run normally.
Then the virus will release two files, lotto.exe and Autorun.inf, in the root directory of each disk (Figure 2). In this way, when the user double-clicks to open the disk, the auto-run function can run the virus file again, thereby expanding the spread and influence of the virus.
Step 1: Run the process management tool XueTr and the system repair software SREng at the same time. In the "Processes" tab of XueTr, you can see three processes: 2009.exe, 4.exe and .exe. Select them with the mouse, right-click and select "Delete files when ending process", then right-click again and select the "End process" command.
Step 2: Switch to the system repair tool SREng and click "Startup Project → Registry". The program reminds the user that the Shell item has been modified; just click the "Yes" button to repair it. It then reminds the user that the Userinit item has been modified; click the "Yes" button again to repair it. Next, select 4 and 2009 in the list and click the "Delete" button to clear these two startup items. Finally, click "System Repair → Advanced Repair" and then click "Automatic Repair" to restore the system damaged by the virus.
Step 3: Put the Windows PE CD into the CD-ROM drive, then restart and boot into the Windows PE system. Using the file manager, copy a userinit.exe file taken from another system into the System32 directory of the system, so that system files damaged by the virus can be repaired (Figure 5). In addition, select and delete all virus files disguised as folders in the root directory of each disk, as well as lotto.exe and Autorun.inf, to completely eliminate this singing virus.
1. The virus spreads through USB flash drives.
2. It adds one Run startup item each under HKCU and HKLM, so that they back each other up.
3. It modifies the system Shell and Userinit key values so that they start the virus files it released.
4. It disables the Registry Editor and Task Manager, and logs off the system when the user tries to run these two tools.
5. It tampers with the EXE file association, associating it with a file the virus released, and at the same time changes the following file associations to point to exefile, which is equivalent to associating them with the virus.
   List of modified associations: exe, com, pif, reg, bat, scr, vbs, js, cmd
6. It releases a random driver in the temporary directory.
7. Soon after the computer is turned on, the motherboard in the chassis begins to "sing"...
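The Shell, Userinit, Run and exefile changes described above can be checked offline against a registry export before and after cleanup. The following is an added example, not part of the original article: it assumes a `reg export` file already decoded to text and Windows installed in C:\Windows, and the function names and sample data are constructed for illustration.

```python
import re

# Constructed sample: a decoded `reg export` fragment from a hypothetical infected host.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="2009.exe"
"Userinit"="4.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"2009"="C:\\WINDOWS\\2009.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
# Stock Windows values (assumption: Windows is installed in C:\Windows).
EXPECTED = {
    (WINLOGON, "shell"): "explorer.exe",
    (WINLOGON, "userinit"): "c:\\windows\\system32\\userinit.exe,",
    (r"hkey_classes_root\exefile\shell\open\command", "@"): '"%1" %*',
}
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
VIRUS_FILES = {"2009.exe", "4.exe", "lotto.exe"}  # file names given in the article
VALUE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg strings escape \ and " with a backslash

def parse_reg(text):
    """Return {(key, name): data} for string values; keys and names lowercased."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE.match(line)):
            name = "@" if m.group(1) is None else unescape(m.group(1)).lower()
            values[(key, name)] = unescape(m.group(2))
    return values

def audit(values):
    """List tampered Winlogon/exefile values and Run items pointing at the virus files."""
    findings = []
    for (key, name), data in sorted(values.items()):
        want = EXPECTED.get((key, name))
        if want is not None and data.lower() != want:
            findings.append(f"{key}\\{name} = {data!r} (stock: {want!r})")
        elif key.endswith(RUN_SUFFIX) and data.lower().split("\\")[-1] in VIRUS_FILES:
            findings.append(f"{key}\\{name} = {data!r} (virus file)")
    return findings
```

Running `audit(parse_reg(SAMPLE))` reports the two Winlogon values and the 2009 Run item; the untouched exefile command and the ctfmon.exe entry are not flagged.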