Recently, when a friend started network sharing under windows7 system, shared access could not be enabled normally. The system prompts error 1061, that is, the service cannot accept control information at this time. What is going on? What should I do? Actually this happens. The main reason for the problem is caused by the hazard of the worm in the system. For details, please refer to the following introduction.
Analytical reasons:
Viral name: worm Win32.Luder.I
Other names: W32/Dref-U (Sophos), Win32/Luder.I!Worm, W32.Mixor.Q @mm (Symantec), W32/Nuwar@MM (McAfee), W32/Tibs.RA (F-Secure), Trojan-Downloader.Win32.Tibs.jy (Kaspersky)
Virus Attributes: worm
Hazard Sex: Medium Hazard
Popularity: High
Specific introduction:
Virus characteristics:
Win32/Luder.I is a worm spread by mail and stored in PE files and RAR files. propagation. In addition, it also generates a Trojan to download and run other malicious programs. It is a Win32 executable that is 17,559 bytes in size.
Infection mode:
When running, copy Win32/Luder.I to %System%ppl.exe and set the file property to hidden. Then, modify the following registry key to ensure that this copy is run every time the system boots: HKLMSoftwareMicrosoftWindowsCurrentVersionRunagent = “%System%ppl.exe. . quo;HKCUSoftwareMicrosoftWindowsCurrentVersionRunagent = “%System%ppl.exe. . ”
Note: ‘%System%’ is a mutable path. The virus determines the location of the current system folder by querying the operating system. The default system installation path for Windows 2000 and NT is C:WinntSystem32; 95,98 and ME are C:WindowsSystem; XP is C:WindowsSystem32.
Luder also generates and runs a file with an arbitrary name and detects the Win32/Sinteri!downloader Trojan. The worm also generates “kkk33ewrrt” mutexes to ensure that only one copy runs at a time.
Communication method:
The worm sends mail through the mail system to send the virus from the local system. It looks up the email address in the Windows Address Book via the following registry key: HKCUSoftwareMicrosoftWABWAB4Wab File Name Next, search for the file with the following extension from ‘Z:’ to ‘C:’ drive:
rar
scr
exe
htm
txt
ht
a The worm performs a DNS MX (mail exchanger) query to find a suitable mail server for each domain to send viruses. It uses a locally configured default DNS server to perform these queries.
Luder.I try to send an email to each email address it collects. The worm sends a message with the following characteristics:
Send address:
The worm uses an arbitrary name (selected from a list that comes with the worm) with an arbitrary number, combined with the domain name of the target, to generate a forgery The recipient address, for example:
[email protected].
Themes may be: Happy New Year!
Accessory name: postcard.exe
Infected by file-PE file Luder.I found one with "extension" or "scr" Files, use the "random name".t file name to copy the virus to the directory where the file is located, and set it as a hidden file.
Note: "random name" consists of 8 lowercase letters. For example: “vrstmkgk.t”.
Luder.I Check the PE header of the file to see if there is enough space to run and insert a code in the middle. In addition, it does not infect infected DLLs or executables. If it is run, it first runs the relevant "random name".t. Luder.I writes 666 as a flag in the timestamp of the PE header of the infected file to avoid re-infecting the same file.
Note: The generated "random name".t file will not be modified by Luder.I even if it does not satisfy all the conditions of the infection.
Infecting through files - RAR files
Luder.I add "random filename".exe to each discovered RAR document, where "random filename" is 7 letters and numbers, for example "dnoCV18.exe" ; Whenever Luder.I runs, the document may be infected multiple times.
Hazard:
Download and run any file Luder.I generates a file to download other malicious programs to the infected machine. Downloaded files include Win32/Sinteri, Win32/Sinray, Win32/Sinhar and Win32/Luder variants.
Termination of the process
Every 4 seconds, if the registry editor (regedit.exe) and other processes whose names contain the following string (displayed in the Windows Title Bar) are running, Luder.I will try Terminate the Registry Editor and these processes: anti
viru
troja
avp
nav
rav
reged
nod32
spybot
zonea
vsmon
avg
blackice
firewall
msconfig
lockdown
f-pro
hijack
taskmgr
mcafee
Modify System Settings
Luder.I Modify the following registry key to invalidate the "Windows Firewall/Internet Connection Sharing (ICS)" (also known as "Internet Connection Firewall (ICF) /Internet Connection Sharing (ICS)") service: HKLMSYSTEMCurrentControlSetServicesSharedAccessStart = 4< Br>Clear:
KILL Security Armor InoculateIT 23.73.102, Vet 30.3.3288 version can detect/clear this virus.
kill version:
How to fix the error:
Enter the registry to find the following key value changed to 4 to fix the problem of internet sharing. Windows Registry Editor Version 5.00[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccess]“Start”=dword:00000004
A lot of friends encountered a system prompt error 1061 when enabling network share access under windows7 system, which is mainly caused by a system attack. Only when the user has mastered the properties and hazards of the virus can the virus be further cleared and the problem solved.