There is a virus in QQ, and it always sends some unhealthy information automatically. What should I do?

The main characteristics of the virus

This virus is not spread by exploiting the vulnerability of QQ itself. In fact, it embeds malicious code in the homepage of a website, uses the vulnerability of iFrame system in IE to automatically run malicious Trojan, thus invading the user's system, and then sends spam via QQ. If the user's system does not install vulnerability patch or upgrade IE to the highest version, it will run malicious code embedded in the web pages they visit when visiting these websites, and then run a Trojan horse to enter the user's machine through the vulnerability of IE. Then, when users use QQ to send messages to friends, Troy will automatically insert an advertising word at the end of the message, usually one of the following sentences.

QQ received the following information:

1.HoHo~~ This stuff was just sent to me by my friend. If you don't watch it, you will regret it, hehe. Give it to your friends, too.

2. Hehe, actually, I think this website is really good. Have a look/

3. Would you like some rock and roll dance music? China DJ first stop, the website will tell you. Don't tell anyone ~ haha, it's really the best DJ site in China.

Help me see if this website can be opened.

5. Look at it. My recent photos were scanned online. See if I've changed.

Liquidation method

1. Enter MSconfig during operation. If there are two options of "Sendmess.exe" and "wwwo.exe" in the startup item, it will be banned. In C: \ Windows, there is a file named qq32. INI, which contains advertising words attached to QQ. Delete it. Enter DOS and delete the files "Sendmess.exe" and "wwwo.exe".

2. Install the system vulnerability patch

From the way the virus spreads, we know that the Trojan virus "QQ tail" is spread by using iFrame of IE. Even if the virus file is not executed, the virus can still be automatically executed through the vulnerability to achieve the purpose of infection. So dare to download the iFrame vulnerability patch of IE quickly.

IFrame vulnerability patch address

[2, QQ "edge" virus]

Virus characteristics:

The virus is written in VB language, compressed by ASPack and spread through QQ messages. After running, the default home page of IE will be changed to: mand, and the following key values will be modified: default = "C；; \cmd.exe % 1*"

B, add. Sys file, so that when browsing websites with viruses, execute the virus file b.sys: HKEY _ class _ root \ sysfile \ shell \ open \ command in the primary key of the registry, and modify the following key values: default = ""%1"%*".

C, add. Tmp file in registry primary key: HKEY _ class _ root \ tmpfile \ shell \ open \ commandModify the following key value: default = ""% 1 ""%* "

6. Try to steal the password of the legendary game and send it to the email address of "scmsmj@tom.com" in the name of "mj25257758@263.sina.com" through your own email engine.

7. In Win2000, WinXP and Win2003 systems, the system file "Rundll32. Exe "is in the system directory, so the virus will try to overwrite the file, but these systems can automatically protect and restore the damaged system files, so the virus can't be loaded normally, but it can still be loaded through EXE association.

Cleaning method:

A. turn off the "system restore" function of Windows Me, Windows XP and Windows 2003;

B. restart to safe mode;

C, rename regedit.exe to regedit.com first, then end the cmd.exe process with resource manager, then run regedit.com, modify the EXE association to ""%1" %* ",and then delete the following files: C:\cmd.exe,% Windows% \ Download program files \ b.exe. For Win9x system, delete %SystemRoot%\Rundll32.exe, and then go to the * * * hedonic directory to see if there are two files, "Virus killing. Exe "and" Jay Chou Concert. Exe ",the file size is 1 1 184 bytes. If there is, delete it.

D, clean up the registry:

Open the registry, delete the primary key HKEY _ class _ root \ sysfile \ shell \ open, HKEY _ class _ root \ tmpfile \ shell \ openModify the key value of HKEY _ class _ root \ exefile \ shell \ open \ command to "%1"%*.

Preventive measures:

Don't click on unknown links on QQ easily, and don't install plug-ins of unknown origin (such as the so-called "Animation Play Plug-in 2.0" on virus websites).

[4. "Wuhan boy" virus]

Virus characteristics:

This virus is a series of new variants of "Wuhan Boy". After the virus broke out, QQ chat tools will be used to spread it, and information including the website address will be sent to QQ users regularly to induce users to click. This webpage uses IE's OBJECT data vulnerability to download and run the virus by itself, which is caused by the data tag of Object in HTML. For the URL marked with data, IE will process the data according to the HTTP header returned by the server. If the URL type Content-Type returned in the HTTP header is Application/hta, the file specified by the URL can be executed regardless of the security level set by IE.

The obvious feature of this variant is that after the virus runs, it will not only send the same URL to QQ users regularly, but also take the opportunity to steal the account number, password and other information of the "Legend" game, and send it to password thieves in the form of mail, and will also end various antivirus software to protect itself from being cleared.

(1) If you click on the virus webpage, a picture of a beautiful woman will be displayed and an invisible window titled "asp Space" will pop up. This webpage uses IE vulnerability to download and run leoexe.gif and leo.asp file, in which leoexe.gif is not a picture file, but an exe virus, and leo.asp is the virus releaser.

(2) Once the virus runs, it will terminate most antivirus software, firewalls and some virus killing tools;

(3) Send messages to QQ users regularly.

(4) After running, the virus will copy itself to the system directory, with the file names of updater.exe, Systary.exe and sysnot.exe in the registry HKEY _ local _ machine \ software \ Microsoft \ Windows \ currentversion \ Add: "Windows Update" = "%InstallationDirectory% \ system \ updater.exe" in Run Services% is the installation directory of Windows system, and the performance of this target may be different under different systems, including: C: \ Windows; C:\winnt and so on.

(5) Modify the associated text file (*. Txt) and executable files directly point to the virus itself. If the user runs any txt file and exe file, the virus will be activated.

(6) The virus will search the computer for the account number, password and other information of the legendary game and send it to the designated e-mail.

Delete virus

1. Delete virus files released by viruses in the system directory.

2. Delete the key value generated by virus under the registry.

3. Run antivirus software to completely remove the virus.

[V. "Love Forest" Virus]

(A) virus characteristics

The original file name of this Trojan horse program is hack.exe, written by Delphi and compressed by UPX. Trojan horse programs will:

1. Copy yourself to the system directory of Windows operating system (usually windowssystem) and rename it Explorer.exe. Because it has the same name as the Explorer file in the Windows directory, it will confuse users and make them think it is a normal system file.

2. Modify the registry, and add the key value explorer = "%Windows System% explorer.exe" under HKEY _ local _ MachinesoftwareCrosoftWindowsCurentVersionRun, so that Trojan can run automatically after booting. (where% Windows System% is the system directory of Windows)

3. The website will also download update.exe files and execute the downloaded programs for other sabotage activities. The cleaning method (1) first opens the task manager, ends the resource manager process below, and then deletes the Explorer.exe Trojan horse in the system directory. Or restart to DOS and directly enter the system directory to delete Trojan. (2) Open the Registry Editor and delete the registry key named Explorer under HKEY _ Local _ Machine Software MachinesoftWarecrossoftWindows CurrentVersionRun. (2) Characteristics of variant 1 virus

After running, the virus will:

1. Copy two copies of yourself to the system directory of Windows (Win9x is generally Windowssystem, and WinNt is generally WinNtsystem32) and rename them to rundll.exe and sysedit32.exe respectively.

2. Modify the registry, and add the key value in tar net = "%Windows system% rundll.exe" under HKEY _ local _ MachineSoftwareCrosoftWindowsCurentVersionRun, so that Trojan can run automatically after booting (where% Windows system% is the system directory of Windows).

3. Modify the registry, and change the default key value of HKEY _ CLASSES _ ROOT XTXFIELOSHOLLOPENCOMAND to% %windowssystem%sysedit32.exe, and associate it with Notepad, so that when the user opens the TXT file, Trojan will have a chance to run.

4. Trojan will send "To Coremail System (with Anti-Spam) 2. 1" to other QQ users through QQ program, and another dialog box is "Unable to open file .mima.txt".

Liquidation method

(1) open the task manager and end the RUNDLL and SYSEDIT32 processes.

(2) Delete the files named RUNDLL.exe and sysedit32.exe (file size is 178 1752 bytes) under the system folder (Win9x is usually a Windows system, and WINNT is usually a WinNtsystem32).

(3) Open the Registry Editor and delete the registry key named in tar net =% Windows System% Rundll.exe under HKEY _ Local _ Machine Software Microsoft Windows CurrentVersionRun. The default key value for restoring HKEY _ class _ root ttxtFileShelopenCommand is Notepad% 1. (where% Windows System% is the system folder of Windows)

(4) If the file setup.txt or mima.txt exists in the root directory, delete it.

[6. "QQ girlfriend" virus]

Virus characteristics:

Using QQ to send attractive information leads users to be fooled. The virus sends some tempting new words and links to online friends, which makes users who don't know the truth fall for it.

1. Copy yourself to the system directory:

%SYSDIR%\internet.exe

%SYSDIR%\svch0st.exe

2. Modify the following tricks of registry key value virus self-startup >; ：

HKEY _ local _ machine \ software \ Microsoft \ Windows \ current version \Run

"Internet Consortium" = "Internet". EXE "

HKEY _ local _ machine \ software \ Microsoft \ Windows \ current version \Run

" S0undMan " = " % SYSDIR % \ SVCH0ST。 EXE "

3. After the virus runs, an HTTP server will be established to listen to TCP port 20808.

This function will respond to remote download requests and copy local virus files to remote machines.

4. Viruses search QQ chat software and send temptation information to online friends. The content is as follows:

"You are so beautiful, beautiful like a lyric poem. You are full of girlish innocence and youthful elegance.

What impressed me most was your clear eyes like a lake, and your long flashing eyelashes.

I like asking, caring and greeting.

Here's what you need:

Download address 1

"

" c:\ 123456.exe "

" c:\pass.exe "

" c:\game.exe "

" c:\my_photo.exe "

" c:\update.exe "

" c:\mp3.exe "

" c:\666666.exe "

These are the viruses themselves.

In view of the particularity of the virus, especially female QQ users, please don't be fooled when you see the above information.

Liquidation method

(1) Open the Task Manager to see if there is a process named INTERNET.EXE or SVCH0ST.EXE, and terminate it.

(2) Open the Registry Editor and delete the following key values:

HKEY _ local _ machine \ software \ Microsoft \ Windows \ current version \Run

"Internet Consortium" = "Internet". EXE "

HKEY _ local _ machine \ software \ Microsoft \ Windows \ current version \Run

" S0undMan " = " % SYSDIR % \ SVCH0ST。 EXE "

(3) Delete files in the %WINSYS% directory: SVCH0ST.EXE and SVCH0ST.EXE.

Note: the installation directory of %WINSYS% bit Windows system is C: \ Windows \ System by default under win9x, winme and winxp WinXP, and C:\WINNT\SYSTEM32 by default under Win2k.