About the Yamada virus (山田ウィルスとは)

Note: this page is a machine translation, so in places the meaning may not come through fully.


I am Japanese and cannot write Chinese or Korean. For a translation, see: http://world.altavista.com/


First, please read this:
『Kawaisosu@Wiki』 (About the Yamada virus)
http://www2.atwiki.jp/kawaisosu/pages/18.html

The 2ch bulletin board (Download board):
http://tmp5.2ch.net/download/

『Yamada watch thread』 (virus countermeasure thread)
http://tmp5.2ch.net/test/read.cgi/download/1117616769/


【Symptoms】
If infected, an HTTP server is started on the machine, and screenshots of the infected user's screen and the contents of the hard disk become accessible over it.
In addition, the virus attempts to post the infected machine's remote host to a bulletin board.
Furthermore, name resolution for Microsoft and for security vendors is blocked by rewriting the hosts file.
[Danger] It appears that arbitrary commands can be executed on the infected machine from outside.
What is posted to the bulletin board differs between variants.
Most variants post to the bulletin board service of 2ch [http://www.2ch.net/], but some variants reportedly post to other bulletin board services such as JBBS.
The way the remote host is exposed also varies: some variants use fusianasan (*6), others post the global IP address directly, and some have been confirmed to obtain the host name and post it together with the IP address and the computer name.
2ch has now taken countermeasures and most posts by the virus are blocked, but a new variant that gets past the trap has reportedly appeared.
Moreover, as long as TCP/IP is in use, there is no shortage of ways for the virus to obtain your IP address.
Some variants have been confirmed to use UPnP to get past a UPnP-capable router and the built-in Windows XP firewall.
Some variants also cannot be reached at http://127.0.0.1/.
If the HTTP server installed by the virus receives a certain amount of traffic, it throws an error and terminates.
The file name of the virus main body is usually svchost.exe, but youjo(blank).exe, rundll32.exe and mdi.exe have also been reported.
Folders with names such as mellpon, fusianasan, kawaisosu and yamada are reportedly created, and at startup a list of all files on the hard disk is placed under the folder in which the virus resides.

【Source of infection and infection route】
Infection occurs by downloading a file from P2P networks and uploaders such as Share, and executing it.
In many cases the file type is judged only by its icon, and the user executes the file believing they are opening a folder.
At that moment the virus creates a folder of the same name and places the real file inside it, which makes the infection hard to notice.
At the time of infection the virus main body is copied into a random folder under %ProgramFiles%, and the registry or the Startup folder is rewritten so that the virus is executed when Windows starts.
The hosts file appears to be rewritten at this point as well.
C:\boot.ini also appears to be rewritten.
In addition, a so-called "Yamada variant maker" is in circulation, which can embed the virus in arbitrary images as a disguise and alter the text that is posted to 2ch's bulletin board service.


【How to check】
The report archive of the "ny virus thread" publishes the Yamada check tool.
http://blog.livedoor.jp/antiny_virus/

Unfortunately the site is in Japanese.
If you want to read it, please use http://world.altavista.com/


If you still have doubts after using this tool, try the following checks; if all of them are OK, you can consider yourself safe.
If opening http://127.0.0.1/ in a browser shows files such as ~ss.jpg and C.html, you are infected.
You are also infected if http://127.0.0.1/~ss.jpg displays your own screen.
If nothing is visible at the links above, the virus may be blocking them, so to be safe, access your own host through a proxy in the browser instead.
You may be infected if you open the file C:\Windows\system32\drivers\etc\hosts in Notepad or similar and IP addresses other than 127.0.0.1 appear.
Lines starting with "#" are commented out, so they are fine.
If programs such as svchost.exe (*11), rundll32.exe (*12) or mdi.exe are running from somewhere other than their standard location, the probability of a virus is high.
Do not feel safe just because no program with the file names above is running.
If you can, examine the running processes one by one, and if there is one you do not recognise, try the removal method below.
However, since something that is genuinely needed may get deleted, take detailed notes as you work so that the settings can be restored.
The number of svchost processes that are running varies by environment.
Judging by the user name of the svchost process is effective for the moment, but since it is technically possible to run under the user name SYSTEM as well, it is no guarantee.
It is more reliable to pinpoint the location of the running process.

Software called SlightTaskManager is convenient for examining the running processes.

【Removal method】
If infection can be confirmed, fix it with the registry editor.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

+HKEY_LOCAL_MACHINE
 +SOFTWARE
  +Microsoft
   +Windows
    +CurrentVersion
     +Run

If there is a value that refers to the virus main body, delete it.

and

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

+HKEY_CURRENT_USER
 +Software
  +Microsoft
   +Windows
    +CurrentVersion
     +Run

If there is a value that refers to the virus main body, delete it.


Open Start -> All Programs -> Startup and, in order from the top, right-click -> Properties on each item; if the displayed link target is the virus, delete the item from Startup.


Open Notepad, set the file type to "All files", enter "C:\Windows\system32\drivers\etc\hosts" (*15) in the file name field and open the file.
If there is anything other than lines starting with "#" and the line "127.0.0.1 localhost", delete it all and overwrite the file.

After these operations, reboot; if no behaviour characteristic of the Yamada virus can be observed, you are OK for now.

Once you have confirmed that the virus activity has stopped, delete the virus main body together with its entire folder.

We recommend taking notes as you work so that nothing important is deleted by accident.

As a precaution, it is probably better to format all hard disks that were in use and reinstall the system from scratch.
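The checks above (hosts file contents, process image paths) and the removal steps (Run-key values, hosts rewrite) all work on the same three pieces of data, so here is one added Python example that does them offline; it is not code from this page or from the 2ch thread. Assumptions: the file names (svchost.exe, rundll32.exe, mdi.exe, youjo.exe) and folder names (mellpon, fusianasan, kawaisosu, yamada) are taken from the symptoms section; "youjo(blank).exe" is read as whitespace padded in front of the extension, which the code collapses; the hosts lines, process list and Run entries are constructed samples, not captures. The hosts check also flags a vendor name pinned to 127.0.0.1, which the page's check does not.

```python
"""Offline checks and cleanup helpers for the Yamada symptoms on this page.
Added example, not the page's own code.  All sample data is constructed."""
import ntpath
import re

LOOPBACK = {"127.0.0.1", "::1"}
# File and folder names the page reports for the virus body and its folders.
SUSPECT_NAMES = {"svchost.exe", "rundll32.exe", "mdi.exe", "youjo.exe"}
VIRUS_FOLDERS = {"mellpon", "fusianasan", "kawaisosu", "yamada"}


def hosts_hijacks(text):
    """(ip, hostname) pairs in a hosts file that are not 'loopback -> localhost'.
    Extends the page's check: a vendor pinned to 127.0.0.1 is flagged too."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if ip in LOOPBACK and name.lower() == "localhost":
                continue
            hits.append((ip, name))
    return hits


def clean_hosts(text):
    """The page's removal step: keep '#' lines and '127.0.0.1 localhost', drop
    the rest.  Returns (new_text, removed_lines) so the removed lines can be
    written down before the file is overwritten."""
    kept, removed = [], []
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("#") or s.split() == ["127.0.0.1", "localhost"]:
            kept.append(raw)
        else:
            removed.append(raw)
    return "\n".join(kept) + "\n", removed


def suspicious_image(path, system_root=r"C:\Windows"):
    """Reason string if an executable path looks like the Yamada body, else None."""
    sysroot = system_root.lower().rstrip("\\")
    directory = ntpath.dirname(path).lower().rstrip("\\")
    # Assumption: youjo(blank).exe means padding before the extension; collapse it.
    base = re.sub(r"\s+", "", ntpath.basename(path).lower())
    if base in SUSPECT_NAMES and directory not in {sysroot, sysroot + r"\system32"}:
        return "known file name outside the system directory"
    if VIRUS_FOLDERS & set(directory.split("\\")):
        return "runs from a folder named after the virus"
    return None


def flag(entries, system_root=r"C:\Windows"):
    """entries: (label, image_path) pairs from a process list or a Run key.
    Returns [(label, image_path, reason)] for the suspicious ones only."""
    found = [(label, p, suspicious_image(p, system_root)) for label, p in entries]
    return [f for f in found if f[2]]


def executable_of(command):
    """Executable path inside a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)   # unquoted path with args
    return m.group(1) if m else command.split()[0]


# Constructed sample data (not captured from a real infection).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
210.253.211.2 windowsupdate.microsoft.com
210.253.211.2 www.symantec.com
"""
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", r"C:\Program Files\q7zk2\svchost.exe"),
    ("youjo      .exe", r"C:\Documents and Settings\user\Desktop\youjo      .exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
]
SAMPLE_RUN = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("svchost", r'"C:\Program Files\q7zk2\svchost.exe" -k'),
    ("update", r"C:\Program Files\q7zk2\yamada\update.exe /silent"),
]
```

On a real machine, feed flag() the (name, path) pairs from SlightTaskManager or from `wmic process get Name,ExecutablePath`, and feed executable_of() the values exported from the two Run keys listed above (the winreg module can read them from Python on Windows). Write down every line that clean_hosts() reports as removed and every Run value you delete, as the page recommends, before overwriting or deleting anything.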


Caution: everything you do is at your own responsibility.


【Preventing damage】
Display file extensions.
Check the hosts file.
Use an extraction tool that supports the archive format.
Use a router.
Use a firewall.
Use antivirus software.
Keep the OS updated to the latest version.
Change the icons from the standard ones.
Do not open HTML mail.
Learn about the dangers of the Internet.


【Origin of the name】
A Mr. Yamada posted a message saying that he had run youjo.exe, which had been sent to him, and been infected; from that post the name "Yamada virus" stuck.



I hope this is resolved safely.
Translation software was used. I am sorry for the places where the meaning does not come through.


# This document may be modified and redistributed. Please use it at your own risk.

An example of a hosts file

--------------------------------------
210.253.211.2 trendmicro.com
210.253.211.2 update.symantec.com
210.253.211.2 updates.symantec.com
210.253.211.2 us.mcafee.com
210.253.211.2 vil.nai.com
210.253.211.2 viruslist.com
210.253.211.2 viruslist.ru
210.253.211.2 windowsupdate.microsoft.com
210.253.211.2 www.avp.com
210.253.211.2 www.ca.com
210.253.211.2 www.f-secure.com
210.253.211.2 www.kaspersky.com
210.253.211.2 www.mcafee.com
210.253.211.2 www.my-etrust.com
210.253.211.2 www.nai.com
210.253.211.2 www.networkassociates.com
210.253.211.2 www.sophos.com
210.253.211.2 www.symantec.com
210.253.211.2 www.trendmicro.com
210.253.211.2 www.viruslist.com
-------------------------------------

Where does the IP address 210.253.211.2 point?


IP address 210.253.211.2
Host name www.dpj.or.jp

Domain Information
[Domain name] DPJ.OR.JP
[Organization] The Democratic Party of Japan
[Organization Type] Political Party


It points to a political party, not to any antivirus vendor.


From the FTC press releases
The U.S. Federal Trade Commission (FTC) sent advisory letters to ISPs worldwide on measures against spam sent from zombie computers.


http://www.ftc.gov/opa/2005/05/zombies.htm