It all started with a friend's computer. Method of spread: most likely the NETWORK.
Symptoms:
- does not boot in Safe Mode
- periodic blue screens of death (bluescreen)
- periodic increases in network traffic
- web browser pages hanging
- the computer hanging
- antivirus software being disabled
- antivirus program updates being blocked
Description.
This is only what I found myself. Here are some descriptions from other forums:
Virus.Win32.Sality.v
Aliases
Win32/Sality.AB (NOD32v2)
Virus:Win32/Sality.AH (Microsoft)
W32.Sality.AB (Symantec)
W32/Kashu.A (AntiVir)
W32/Sality-AM (Sophos)
W32/Sality.ad (McAfee)
W32/Sality.AE (F-Prot)
Win32.Kashu.A (BitDefender)
Win32.Sector.4 (DrWeb)
Win32/Kashu (AhnLab-V3)
Win32/Sality.V (eTrust-Vet)
Description
File virus. Spreads by infecting executable files (.exe and .scr). Attempts to download malicious files over the Internet.
Visible symptoms (as reported by users)
The computer cannot boot in Safe Mode.
Antivirus operation is disrupted; antivirus programs are removed.
Here is a complete, accurate description:
Discovered: April 20, 2008
Updated: August 10, 2008 11:06:05 AM
Also Known As: TROJ_AGENT.XOO [Trend], W32/Sality.ae [McAfee], Sality.AG [Panda Software], Win32/Sality.Z [Computer Associates], Win32/Sality.AA [Computer Associates], W32/Sality.AA [F-Secure]
Type: Virus
Infection Length: 57,344 bytes
Systems Affected: Windows 2000, Windows NT, Windows XP
When the virus is executed, it copies itself as the following file:
%System%\drivers\[RANDOM NAME].sys
The virus creates the following mutex so only one instance of the virus is running:
Op1mutx9
It then creates the following registry subkeys:
* HKEY_CURRENT_USER\Software\[USER NAME]914
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER
It then creates the following registry entry so that it bypasses the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"
It modifies the following registry entries:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Setting\"GlobalUserOffline" = "0"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
The virus also deletes entries under the following registry subkeys:
* HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
It then registers itself as a new service with the following characteristics:
Service Name: WMI_MFC_TPSHOKER_80
Display Name: WMI_MFC_TPSHOKER_80
Startup Type: Automatic
It then deletes the following file:
%System%\drivers\[RANDOM NAME].sys
It stops the following services:
It infects all executable files listed under the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
It infects all .exe executable files listed under the following registry subkeys:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also infects all .exe and .scr files on the C drive and on any writable network resource, except files in any folder whose name contains the following strings:
* SYSTEM
* AHEAD
The infected file's size increases by 57,344 bytes.
It deletes any file whose name contains any of the following strings:
It connects to the following URLs to get instructions. The instructions contain additional URLs to possibly download other malicious files:
It prevents access to various security-related domains containing any of the following strings:
* Cureit
* Drweb
* Onlinescan
* Spywareinfo
* Ewido
* Virusscan
* Windowsecurity
* Spywareguide
* Bitdefender
* Panda software
* Agnmitum
* Virustotal
* Sophos
* Trend Micro
* Etrust.com
* Symantec
* McAfee
* F-Secure
* Eset.com
* Kaspersky
It adds the following entry to %Windir%\system.ini:
[MCIDRV_VER]
It then copies itself to attached removable drives using the following filenames:
%DriveLetter%:\[RANDOM NAME].exe
%DriveLetter%:\[RANDOM NAME].cmd
%DriveLetter%:\[RANDOM NAME].pif
The following file is created on attached removable drives so that the threat runs whenever the drive is connected to a computer:
%DriveLetter%:\autorun.inf
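To turn the host artefacts listed above into a single triage check, here is an added read-only PowerShell example; it is not part of the original post or of the vendor write-up. It queries CurrentControlSet rather than the ControlSet001 paths quoted above (normally the same hive), and the function name and finding strings are ours.

```powershell
function Test-SalityIndicators {
    # Returns a list of matched host artefacts; makes no changes to the system.
    $findings = New-Object System.Collections.Generic.List[string]
    # 1. Safe-boot menu entries deleted: explains "cannot boot into Safe Mode".
    foreach ($k in 'Minimal', 'Network') {
        $p = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$k"
        if (-not (Test-Path $p) -or @(Get-ChildItem $p).Count -eq 0) {
            $findings.Add("SafeBoot\$k missing or empty")
        }
    }
    # 2. UAC switched off via EnableLUA = 0.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    if ($pol -and $pol.EnableLUA -eq 0) { $findings.Add('EnableLUA = 0 (UAC disabled)') }
    # 3. Firewall exception values of the form "<file>:*:Enabled:ipsec".
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $list = Get-ItemProperty $fw -ErrorAction SilentlyContinue
    if ($list) {
        $list.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -like '*:*:Enabled:ipsec' } |
            ForEach-Object { $findings.Add("Firewall exception for $($_.Name)") }
    }
    # 4. The service name given in the write-up.
    if (Get-Service -Name 'WMI_MFC_TPSHOKER_80' -ErrorAction SilentlyContinue) {
        $findings.Add('Service WMI_MFC_TPSHOKER_80 registered')
    }
    # 5. [MCIDRV_VER] section written to %Windir%\system.ini.
    $ini = Join-Path $env:WINDIR 'system.ini'
    if ((Test-Path $ini) -and (Select-String -Path $ini -Pattern '^\[MCIDRV_VER\]' -Quiet)) {
        $findings.Add('system.ini contains [MCIDRV_VER]')
    }
    # 6. Mutex Op1mutx9: OpenExisting throws when no running instance holds it.
    try {
        [System.Threading.Mutex]::OpenExisting('Op1mutx9').Dispose()
        $findings.Add('Mutex Op1mutx9 present (instance running)')
    } catch {}
    # 7. autorun.inf dropped on removable drives (DriveType 2).
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' -ErrorAction SilentlyContinue |
        ForEach-Object {
            if (Test-Path (Join-Path $_.DeviceID 'autorun.inf')) {
                $findings.Add("autorun.inf on removable drive $($_.DeviceID)")
            }
        }
    return $findings
}

Test-SalityIndicators
```

An empty result only means none of these particular artefacts were found; run it from an elevated prompt so the HKLM and service queries are not silently denied.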
Treatment.
Most sites say that Cure.It cleans it without problems, but in my case all the system's executable files turned out to be "incurable".
- boot from a LiveCD distribution and scan with CureIt or any other antivirus
- clean the registry keys
- full reinstall of the system
Well, here they go again writing some nasty thing; when do the people who write viruses take a vacation? Guys, it's summer, everyone to the seaside, no viruses!
Damn, I'm checking my computer with Panda, I thought it wouldn't download. It won't download other antivirus programs. It hasn't even checked 10 percent yet, and ALL the files, in alphabetical order, are infected ((((
Always check the flash drives you plug into your computer!
I also found a pile of this virus on my machine when scanning with DrWeb 4.44. There were so many *.exe files that I thought it was some kind of glitch… went online to read up… And here's this! Well, damn, unbelievable…. what a trap. Holy sh…t. Tomorrow we'll sort it out.
The virus is serious; I spent a week looking for a way to fight it, and it turned out to be much simpler. Norton 360 helped. If anyone is interested in how we beat this pest with Norton 360, read here: http://npoycnex.ru/?p=657