How do you solve error 1061 when setting up a network share in Win7?

  

When setting up network sharing on Windows 7, many users are surprised to see an error message with code 1061, which means that the service cannot accept control messages at this time. In fact, the most common reason is that your Win7 system is infected with a virus, specifically a worm. So how do we remove this virus? The details are as follows:

Cause analysis:

Virus name: worm Win32.Luder.I

Other names: W32/Dref-U (Sophos), Win32/Luder.I!Worm, W32.Mixor.Q@mm (Symantec), W32/Nuwar@MM (McAfee), W32/Tibs.RA (F-Secure), Trojan-Downloader.Win32.Tibs.jy (Kaspersky)

Virus Attributes: Worm

Hazard: Medium Hazard

Popularity: High

Specific introduction:

Virus characteristics:

Win32/Luder.I is a worm that spreads by email and by infecting PE files and RAR files. In addition, it generates a Trojan that downloads and runs other malicious programs. It is a Win32 executable that is 17,559 bytes in size.

Infection mode:

At runtime, Win32/Luder.I copies itself to %System%\ppl.exe and sets the file attribute to hidden. It then modifies the following registry keys to ensure that this copy runs every time the system boots:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\agent = "%System%\ppl.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\agent = "%System%\ppl.exe"

Note: '%System%' is a variable path. The virus determines the location of the current system folder by querying the operating system. The default system installation path for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; for XP it is C:\Windows\System32.

Luder also generates and runs a file with an arbitrary name, which is detected as the Win32/Sinteri!downloader Trojan. The worm also creates the "kkk33ewrrt" mutex to ensure that only one copy runs at a time.

Mode of Propagation:

Spreading by email: the worm harvests email addresses from the local system. It looks up email addresses in the Windows Address Book via the following registry key: HKCU\Software\Microsoft\WAB\WAB4\Wab File Name

Next, it searches drives 'Z:' through 'C:' for files with the following extensions:

rar

scr

exe

htm

txt

ht

The worm performs DNS MX (mail exchanger) queries to find the appropriate mail server for each domain to which it sends the virus. It uses the locally configured default DNS server to perform these queries.

Luder.I attempts to send an email to each email address it collects. The worm sends a message with the following characteristics:

Sender address:

The worm combines an arbitrary name (selected from a list that comes with the worm), an arbitrary number, and the target's domain name to generate a fake address, for example: [email protected].

The subject might be: Happy New Year!

Attachment name: postcard.exe

Infecting files: PE files

When Luder.I finds a file with an "exe" or "scr" extension, it copies the virus to the directory where that file is located, under the file name "random name".t, and sets the copy as a hidden file.

Note: "random name" consists of 8 lowercase letters. For example: “vrstmkgk.t”.

Luder.I checks the PE header of the file to see whether there is enough space to insert its code in the middle. In addition, it does not infect DLLs or executables that are already infected. When an infected file is run, it first runs the associated "random name".t. Luder.I writes 666 as a flag in the timestamp of the PE header of the infected file to avoid re-infecting the same file.

Note: The generated "random name".t file will not be modified by Luder.I even if it does not satisfy all the conditions of the infection.
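The two file-level traces described above (the 666 flag in the PE header timestamp and the hidden 8-letter ".t" companion file) can be checked during triage. The following Python sketch is an added example, not code from the original page; it assumes the flag is the decimal integer 666 stored in the COFF TimeDateStamp field, and the make_pe helper and sample files are constructed for the demonstration.

```python
import re
import struct

INFECTION_MARKER = 666  # assumption: the flag is the decimal integer 666
COMPANION_RE = re.compile(r"^[a-z]{8}\.t$")  # "random name".t: 8 lowercase letters


def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp of a PE image, or None if not a valid PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4 bytes) + COFF header (20 bytes) must fit in the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header layout: Machine (2), NumberOfSections (2), TimeDateStamp (4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def triage(files: dict):
    """files maps file name -> bytes. Return (marked PE files, companion files)."""
    marked = sorted(n for n, d in files.items()
                    if n.lower().endswith((".exe", ".scr"))
                    and pe_timestamp(d) == INFECTION_MARKER)
    companions = sorted(n for n in files if COMPANION_RE.match(n))
    return marked, companions


def make_pe(stamp: int) -> bytes:
    """Build a minimal constructed PE header stub (demo data, not a program)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points just past the stub
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample directory; "vrstmkgk.t" is the example name from the text.
SAMPLE = {
    "setup.exe": make_pe(666),
    "clock.scr": make_pe(0x45A0C2B1),
    "notes.txt": b"MZ not a PE",
    "vrstmkgk.t": b"\x00" * 16,
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit on either check is a triage signal to confirm with an up-to-date scanner; to run it on a real directory, fill the dictionary with each file's name and contents.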

Infecting files: RAR files

Luder.I adds "random filename".exe to each RAR file it discovers, where "random filename" is 7 letters and numbers, for example "dnoCV18.exe". Because this happens whenever Luder.I runs, the same archive may be infected multiple times.

Hazard:

Download and run arbitrary files

Luder.I generates a file that downloads other malicious programs to the infected machine. Downloaded files include Win32/Sinteri, Win32/Sinray, Win32/Sinhar and Win32/Luder variants.

Terminating a Process

Every 4 seconds, Luder.I tries to terminate the Registry Editor (regedit.exe) and any other running process whose name (as displayed in the window title bar) contains one of the following strings:

anti

viru

troja

avp

nav

Rav

reged

nod32

spybot

zonea

vsmon

avg

blackice

firewall

msconfig

lockdown

f-pro

hijack

taskmgr

Mcafee

Modify System Settings

Luder.I modifies the following registry value to make the Windows Firewall/Internet Connection Sharing (ICS) service (also known as "Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)") fail: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 4

Removal:

KILL Security Armor InoculateIT 23.73.102 and Vet 30.3.3288 detect/clear this virus.

kill version:

How to fix the error:

Open the registry and find the following key value (changed to 4) to fix the Internet sharing problem:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

With the explanation above, you can clearly understand the cause of the virus in the system, its hazards, and how to remove it. This matters both for staying alert during normal computer use and for responding promptly to virus attacks on your computer.
