Note: since this is a machine translation, the meaning may not come across fully.
I am Japanese and cannot write Chinese. For translation: http://world.altavista.com/
I am Japanese and cannot write Korean. For translation: http://world.altavista.com/
First, please see these:
『Kawaisosu@Wiki』 (About the Yamada virus)
http://www2.atwiki.jp/kawaisosu/pages/18.html
The bulletin board of 2ch:
http://tmp5.2ch.net/download/
『Yamada watch thread』 (virus countermeasure thread)
http://tmp5.2ch.net/test/read.cgi/download/1117616769/
【Symptoms】
If infected, an HTTP server is started on the machine, and the infected user's screenshot and the contents of the hard disk can be viewed from outside.
Moreover, it attempts to post its own remote host to a bulletin board.
Furthermore, name resolution for Microsoft and security vendor sites is blocked by rewriting the hosts file.
[Danger] It appears that arbitrary commands can be executed on the infected machine from outside.
What is posted to the bulletin board varies by variant.
Most variants post to 2ch's bulletin board service (http://www.2ch.net/), but there also seem to be variants that post to other services such as JBBS.
Several ways of exposing the remote host have been confirmed: some variants post the IP address and computer name, some use fusianasan (*6), and some obtain the host name from the global address.
The 2ch side now appears to have taken countermeasures, and most posts made by the virus are blocked, but a new variant that gets past the trap also seems to have appeared.
Moreover, as long as TCP/IP is being used, there are unlimited opportunities for your IP address to be obtained.
Depending on the variant, it has been confirmed to get past UPnP-capable routers and the built-in Windows XP firewall by using UPnP.
There also seem to be some variants for which http://127.0.0.1/ cannot be accessed.
If the HTTP server installed by the virus receives a certain amount of access, it raises an error and terminates.
The file name of the virus body is most often svchost.exe, but youjo(blank).exe, rundll32.exe, and mdi.exe have also been reported.
It then creates folders with names such as mellpon, fusianasan, kawaisosu, and yamada, and a list of all files on the hard disk is placed under the folder where the virus resides at startup.
【Source of infection and infection route】
Infection occurs by downloading a file from P2P networks or uploaders such as Share and running it.
In many cases the file type is judged from the icon, and the file is run in the belief that a folder is being opened.
Because the virus creates a folder of the same name at that moment and places a real file in it, it is hard to notice that an infection has occurred.
At the time of infection the virus body copies itself under a random folder inside %ProgramFiles%, and the registry or the Startup folder is rewritten so that the virus runs when Windows starts.
The hosts file seems to be rewritten at this point as well.
C:\boot.ini also appears to be rewritten.
In addition, a tool called the Yamada variant Maker is circulating; it lets the virus be embedded in and disguised as an arbitrary picture, and lets the message posted to 2ch's bulletin board service be changed.
【How to check】
The ny virus thread report archive publishes the Yamada check tool.
http://blog.livedoor.jp/antiny_virus/
Unfortunately the website is in Japanese.
When you look at it, please use http://world.altavista.com/
Even if this tool raises a suspicion, try the following checks; if they are all OK, I think you can rest easy.
You are infected if, when http://127.0.0.1/ is displayed in a browser, files such as ~ss.jpg and C.html can be seen.
You are also infected if your own screen is displayed at http://127.0.0.1/~ss.jpg.
If nothing is visible at the links above, the virus may be blocking access, so as a precaution also try displaying your own host in the browser through a proxy.
You may be infected if you open the file C:\Windows\system32\drivers\etc\hosts in Notepad or similar and IP addresses other than "127.0.0.1" are listed.
Lines that start with "#" are commented out, so they are fine.
The likelihood of the virus is high when a program such as svchost.exe (*11), rundll32.exe (*12), or mdi.exe is running from somewhere other than its standard location.
Do not assume you are safe just because no program with one of the file names listed above is running.
If you can, examine the running processes one by one, and if there is one you do not recognize, try the removal method below.
However, since something that is actually needed might be erased, take detailed notes while working so that you can restore the settings afterwards.
The number of svchost processes running varies by environment.
Also, judging by the user name of an svchost process is effective for now, but since running under the user name SYSTEM is also technically possible, you cannot feel safe.
It is more reliable to pinpoint the location of the running process.
Software called SlightTaskManager is convenient for examining running processes.
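As an added example (not part of the original page and not the check tool linked above), the following Python script automates two of the checks just described on constructed sample data. It lists hosts-file entries that are anything other than a comment or the plain "127.0.0.1 localhost" line (the same rule the removal section applies, which also catches vendor names pointed at 127.0.0.1), and it flags processes named svchost.exe, rundll32.exe, mdi.exe or youjo.exe whose image is not under C:\Windows\system32. The sample hosts text, the sample process list and the system32 location are assumptions; on Windows the script reads the real hosts file, while the process list stays a constructed sample.

```python
"""Added example, not from the original page: automate two of the checks
described above on constructed sample data.  All sample data is invented
for illustration; only the hosts file is read from the real system, and
only on Windows."""
import os
import sys
from pathlib import PureWindowsPath

# Constructed sample of a rewritten hosts file: vendor names pointed at
# 127.0.0.1 so that updates and signature downloads silently fail.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com   # added by the infection
127.0.0.1       www.symantec.com
"""


def is_benign_hosts_line(raw):
    """True for blank lines, comments and the plain '127.0.0.1 localhost' entry."""
    fields = raw.split("#", 1)[0].split()      # drop trailing comments
    return not fields or fields == ["127.0.0.1", "localhost"]


def suspicious_hosts_lines(text):
    """Return (line_number, line) for every hosts entry that is not benign."""
    return [(n, raw.rstrip()) for n, raw in enumerate(text.splitlines(), 1)
            if not is_benign_hosts_line(raw)]


# File names the page reports for the virus body.  The genuine svchost.exe
# and rundll32.exe live in system32 (assumed location); mdi.exe and
# youjo.exe have no legitimate system location at all.
WATCHED_NAMES = {"svchost.exe", "rundll32.exe", "mdi.exe", "youjo.exe"}
SYSTEM_DIR = r"c:\windows\system32"


def suspicious_processes(processes):
    """processes: iterable of (name, full image path).  Flag a watched name
    whose image is outside the system directory."""
    flagged = []
    for name, path in processes:
        if name.lower() not in WATCHED_NAMES:
            continue
        if str(PureWindowsPath(path).parent).lower() != SYSTEM_DIR:
            flagged.append((name, path))
    return flagged


# Constructed process list resembling a task list on an infected machine:
# one genuine svchost.exe and one running from a random folder under
# %ProgramFiles%, as the page describes.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", r"C:\Program Files\xk3j9\svchost.exe"),
    ("rundll32.exe", r"C:\WINDOWS\system32\rundll32.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
]


def read_local_hosts():
    """Read the real hosts file on Windows; elsewhere return the sample."""
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "system32", "drivers", "etc", "hosts")
    if sys.platform == "win32" and os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read()
    return SAMPLE_HOSTS


if __name__ == "__main__":
    for n, line in suspicious_hosts_lines(read_local_hosts()):
        print(f"hosts line {n}: {line}")
    for name, path in suspicious_processes(SAMPLE_PROCESSES):
        print(f"suspicious process: {name} running from {path}")
```

The process check deliberately keys on the image path rather than the user name, which is the point the text makes: a count of svchost processes or the SYSTEM account name proves nothing, but a svchost.exe whose image sits under %ProgramFiles% does.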
【Removal method】
If you can confirm the infection, correct it with the Registry Editor.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
+HKEY_LOCAL_MACHINE
+SOFTWARE
+Microsoft
+Windows
+CurrentVersion
+Run
Delete any value there that refers to the virus body.
Likewise for
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
+HKEY_CURRENT_USER
+Software
+Microsoft
+Windows
+CurrentVersion
+Run
Delete any value there that refers to the virus body.
Open Start -> All Programs -> Startup, and for each item from the top, right-click -> Properties; if the name shown and its link target are the virus, delete it from Startup.
Open Notepad, set the file type to "All Files", enter "C:\Windows\system32\drivers\etc\hosts" (*15) in the file name field, and open it.
If there is anything other than lines starting with "#" and the line "127.0.0.1 localhost", delete all of it and save the file, overwriting the original.
If, after these operations and a reboot, the behavior characteristic of the Yamada virus can no longer be observed, that is fine for now.
Once you have confirmed that the virus's activity has stopped, delete the virus body together with its whole folder.
We recommend taking notes as you work so that nothing important is deleted by accident.
To be safe, it is probably better to format all the hard disks that were in use and reinstall the system completely.
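The registry and hosts-file steps above can be turned into a report-only audit; the following Python script is an added example, not part of the original page. It enumerates the two Run keys named above (with winreg on Windows; elsewhere it uses a constructed sample list), flags values whose executable has one of the reported file names but does not live in C:\Windows\system32, and rebuilds the hosts text keeping only comment lines and "127.0.0.1 localhost". It changes nothing itself: the flagged entries and the cleaned text are returned for review, matching the page's advice to take notes before deleting anything. The sample entries, the random folder names and the system32 location are assumptions.

```python
"""Added example, not from the original page: report-only audit of the two
Run keys named above and a hosts-file rebuild following the removal steps.
Nothing is modified; results are returned and printed for review."""
import sys
from pathlib import PureWindowsPath

RUN_KEYS = [
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]
# File names the page reports for the virus body; the genuine svchost.exe
# and rundll32.exe are assumed to live only in system32.
VIRUS_NAMES = {"svchost.exe", "rundll32.exe", "mdi.exe", "youjo.exe"}
SYSTEM_DIR = r"c:\windows\system32"

# Constructed sample of Run values: one legitimate entry and two that point
# at virus-like names in random folders under %ProgramFiles%.
SAMPLE_RUN_ENTRIES = [
    ("HKEY_LOCAL_MACHINE", RUN_KEYS[0][1], "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),
    ("HKEY_LOCAL_MACHINE", RUN_KEYS[0][1], "svchost",
     r'"C:\Program Files\xk3j9\svchost.exe"'),
    ("HKEY_CURRENT_USER", RUN_KEYS[1][1], "mdi",
     r"C:\Program Files\q7z2\mdi.exe /s"),
]


def image_path(command):
    """Extract the executable path from a Run value: a quoted path, else
    everything up to and including the first '.exe', else the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    i = command.lower().find(".exe")
    if i != -1:
        return command[:i + 4]
    return command.split()[0] if command else ""


def suspicious_run_entries(entries):
    """entries: iterable of (hive, subkey, value_name, command).  Flag values
    whose executable has a reported virus name but is not in system32."""
    flagged = []
    for hive, subkey, name, command in entries:
        path = PureWindowsPath(image_path(command))
        if (path.name.lower() in VIRUS_NAMES
                and str(path.parent).lower() != SYSTEM_DIR):
            flagged.append((hive + "\\" + subkey, name, command))
    return flagged


def read_run_entries():
    """Enumerate the Run keys with winreg on Windows; elsewhere return the
    constructed sample so the example runs anywhere."""
    if sys.platform != "win32":
        return SAMPLE_RUN_ENTRIES
    import winreg
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:          # no more values
                        break
                    entries.append((hive, subkey, name, str(value)))
                    index += 1
        except OSError:                      # key missing or not readable
            continue
    return entries


def clean_hosts(text):
    """Rebuild hosts text keeping only blank lines, comments and the plain
    '127.0.0.1 localhost' entry, which is exactly what the page says to keep."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or fields == ["127.0.0.1", "localhost"]:
            kept.append(raw.rstrip())
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for key, name, command in suspicious_run_entries(read_run_entries()):
        print(f"review: {key}\\{name} = {command}")
    sample = "# comment\n127.0.0.1 localhost\n127.0.0.1 www.symantec.com\n"
    print(clean_hosts(sample), end="")
```

Writing the cleaned text back to the hosts file and deleting a Run value are left as manual steps on purpose: the text above warns that something genuinely needed may be removed, so the script only produces the list to review.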
Cautions:
Please perform all of these actions at your own responsibility.
【Prevention of damage】
Display file extensions.
Check the hosts file.
Use an extraction tool that handles the archive format correctly.
Install a router.
Install a firewall.
Install an antivirus.
Update the OS to the latest version.
Change icons from the standard ones.
Do not open HTML mail.
Learn about the dangers of the Internet.
【The origin of the name】
The name comes from a post by a Mr. Yamada, who wrote that he had run the youjo.exe sent to him and been infected; from there the name Yamada virus stuck.
I pray that this can be resolved safely.
Translation software was used. I am sorry for the places where the meaning does not come through.
#This document may be reproduced; please use it at your own risk.
A downloadable copy of this file:
http://www.interq.or.jp/www1/kuwasan/AbouttheYamadavirus.htm
#The content is just this thread converted to HTML with the links removed.