Solution for error 1061 when using network sharing on Windows 7

  

Recently, a friend could not enable shared access when starting network sharing on Windows 7. The system reported error 1061, that is, "the service cannot accept control messages at this time". What is going on, and what should be done? In fact, the main cause of this problem is damage done by a worm in the system. For details, see the following introduction.

Cause analysis:

Virus name: worm Win32.Luder.I

Other names: W32/Dref-U (Sophos), Win32/Luder.I!Worm, W32.Mixor.Q@mm (Symantec), W32/Nuwar@MM (McAfee), W32/Tibs.RA (F-Secure), Trojan-Downloader.Win32.Tibs.jy (Kaspersky)

Virus Attributes: Worm

Hazard: Medium Hazard

Popularity: High

Details:

Virus Features:

Win32/Luder.I is a worm that spreads via email and propagates by infecting PE files and RAR files. In addition, it drops a Trojan that downloads and runs other malicious programs. It is a Win32 executable that is 17,559 bytes in size.

Infection mode:

At runtime, Win32/Luder.I copies itself to %System%\ppl.exe and sets the file attribute to hidden. It then modifies the following registry values to ensure that this copy runs every time the system boots:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\agent = "%System%\ppl.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\agent = "%System%\ppl.exe"

Note: '%System%' is a variable path. The virus determines the location of the current system folder by querying the operating system. The default system installation path for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; for XP it is C:\Windows\System32.

Luder also drops and runs a file with an arbitrary name, which is detected as the Win32/Sinteri!downloader Trojan. The worm also creates a mutex named "kkk33ewrrt" to ensure that only one copy runs at a time.

Mode of Propagation:

Spreading by email: the worm harvests email addresses from the local system. It looks up email addresses in the Windows Address Book via the following registry key:

HKCU\Software\Microsoft\WAB\WAB4\Wab File Name

Next, it searches drives 'Z:' through 'C:' for files with the following extensions:

rar

scr

exe

htm

txt

ht

The worm performs DNS MX (mail exchanger) queries to find the appropriate mail server for each domain to which it sends the virus. It uses the locally configured default DNS server to perform these queries.

Luder.I attempts to send an email to each email address it collects. The worm sends a message with the following characteristics:

Sender address:

The worm takes an arbitrary name (selected from a list that comes with the worm), appends an arbitrary number, and combines the result with the target's domain name to generate a fake address, for example: [email protected].

The subject might be: Happy New Year!

Attachment name: postcard.exe

File infection: PE files

When Luder.I finds a file with an "exe" or "scr" extension, it copies the virus to the directory where that file is located, using the file name "random name".t, and sets the copy as a hidden file.

Note: "random name" consists of 8 lowercase letters. For example: “vrstmkgk.t”.

Luder.I checks the PE header of the file to see whether there is enough space to insert its code. In addition, it does not infect DLLs or executables that are already infected. When an infected file is run, it first runs the associated "random name".t file. Luder.I writes 666 as a flag in the timestamp of the PE header of the infected file to avoid re-infecting the same file.

Note: The generated "random name".t file will not be modified by Luder.I even if it does not meet all the conditions of the infection.

File infection: RAR files

Luder.I adds "random filename".exe to each RAR file it discovers, where "random filename" is 7 letters and numbers, for example "dnoCV18.exe". Because this happens whenever Luder.I runs, the same archive may be infected multiple times.
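The file-level indicators described above (the 666 timestamp flag, the 8-letter ".t" companion file and the 7-character ".exe" archive member) can be checked with a short triage script. This is an added example, not code from the original page; it assumes "666" is the decimal value of the PE TimeDateStamp field, and the function names and sample data are constructed for illustration.

```python
import re
import struct

INFECTION_MARKER = 666  # assumption: the page's "666" read as a decimal TimeDateStamp
COMPANION_RE = re.compile(r"^[a-z]{8}\.t$")           # e.g. vrstmkgk.t
RAR_MEMBER_RE = re.compile(r"^[A-Za-z0-9]{7}\.exe$")  # e.g. dnoCV18.exe


def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp of a PE image, or None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Signature (4) + Machine (2) + NumberOfSections (2) precede TimeDateStamp.
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def triage_directory(files: dict) -> dict:
    """files maps file name -> content bytes for one directory."""
    companions = sorted(n for n in files if COMPANION_RE.match(n))
    marked = sorted(
        n for n, blob in files.items()
        if n.lower().endswith((".exe", ".scr"))
        and pe_timestamp(blob) == INFECTION_MARKER
    )
    return {"marked_pe": marked, "companions": companions}


def suspicious_rar_members(member_names) -> list:
    """Flag archive member names matching the 7-alphanumeric .exe pattern."""
    return [n for n in member_names if RAR_MEMBER_RE.match(n.rsplit("/", 1)[-1])]


def _make_pe(stamp: int) -> bytes:
    """Constructed minimal image: DOS header + PE signature + COFF header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    return dos + b"PE\0\0" + coff


SAMPLE_DIR = {  # constructed sample data, not real infected files
    "setup.exe": _make_pe(666),
    "clean.exe": _make_pe(0x5F000000),
    "vrstmkgk.t": b"\0" * 16,
    "notes.txt": b"hello",
}
```

The name patterns alone also match legitimate files, so treat a hit as a reason to look closer; the timestamp flag together with a hidden ".t" companion in the same directory is the stronger signal.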

Hazard:

Downloading and running arbitrary files

Luder.I drops a file that downloads other malicious programs to the infected machine. Downloaded files include Win32/Sinteri, Win32/Sinray, Win32/Sinhar and Win32/Luder variants.

Terminating a Process

Every 4 seconds, Luder.I checks whether the Registry Editor (regedit.exe) or any other process whose name (as displayed in the window title bar) contains one of the following strings is running, and tries to terminate the Registry Editor and those processes:

anti

viru

troja

avp

nav

Rav

reged

nod32

spybot

zonea

vsmon

avg

blackice

firewall

msconfig

lockdown

f-pro

hijack

taskmgr

Mcafee

Modify System Settings

Luder.I modifies the following registry value to make the Windows Firewall/Internet Connection Sharing (ICS) service (also known as the "Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)" service) fail:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 4

Removal:

KILL Security Armor InoculateIT 23.73.102 and Vet 30.3.3288 detect and remove this virus.

kill version:

How to fix the error:

To fix the Internet sharing problem, open the registry and find the following key, whose Start value has been changed to 4, and correct it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
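The registry changes described on this page (the "agent" autorun value pointing at ppl.exe and the SharedAccess Start value of 4) can be checked against a .reg export with the script below. This is an added example, not part of the original article; the function names and the sample export are constructed, and the mapping of Start values to service start types is standard Windows behaviour.

```python
import re

START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
ICS_SUFFIX = r"\system\currentcontrolset\services\sharedaccess"


def parse_reg(text: str) -> dict:
    """Parse .reg export text into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.group(1), m.group(2)
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            else:  # string value: strip quotes, undo .reg backslash escaping
                current[name] = raw.strip('"').replace("\\\\", "\\")
    return keys


def luder_findings(text: str) -> list:
    """Return human-readable findings for the indicators named on this page."""
    findings = []
    for key, values in parse_reg(text).items():
        low = key.lower()
        if low.endswith(RUN_SUFFIX):
            for name, val in values.items():
                if isinstance(val, str) and val.lower().rstrip(". ").endswith(r"\ppl.exe"):
                    findings.append(f"autorun {key}\\{name} -> {val}")
        elif low.endswith(ICS_SUFFIX) and values.get("Start") == 4:
            findings.append(f"SharedAccess Start=4 ({START_TYPES[4]})")
    return findings


# Constructed sample export, not taken from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"agent"="C:\\Windows\\System32\\ppl.exe"
"ExampleApp"="C:\\Program Files\\Example\\app.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
'''
```

Files written by regedit are normally UTF-16, so decode them before passing the text to `luder_findings`; values exported in `hex(...)` form are not interpreted by this parser.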


Many users encounter system error 1061 when enabling network share access on Windows 7. The main reason is that the system has suffered a virus attack. Only once the user understands the properties and hazards of the virus can the virus be cleared and the problem solved.

Copyright © Windows knowledge All Rights Reserved