worm:win32/emer gen cleox.gen!4

The following system changes may indicate the presence of Virus:Win32/Gnil.A:
Virus:Win32/Gnil.A is a virus that spreads by infecting files and by copying itself into removable drives.
What to do now
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner. For more information,
Threat behavior
Virus:Win32/Gnil.A is a virus that spreads by infecting files and by copying itself into removable drives.
Virus:Win32/Gnil.A drops itself as the file "spoclsv.exe" in the Windows system drivers folder.
It modifies the system registry so that it automatically runs every time Windows starts:
Adds value: "svcshare"
With data: "<system folder>\drivers\spoclsv.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
File Infection
Virus:Win32/Gnil.A infects script files with the following extensions:
It infects these types of files by appending an Iframe containing a link to a page in the site "". Infected script files are currently detected as .
Virus:Win32/Gnil.A also infects binary files with the following extensions:
It infects these types of files by prepending itself.
It avoids infecting files found in folders with names that contain the following strings:
Removable Drives
Virus:Win32/Gnil.A also propagates via removable drives (for example, USB flash drives and portable hard disks) by copying itself as "setup.exe". It also drops the file "autorun.inf", which enables its copy to run automatically whenever the removable drive is accessed.
Network Shares
Virus:Win32/Gnil.A also propagates via network shares by dropping a copy of itself as "GameSetup.exe" in all network shares that have the folder "admin$". If the share is password-protected, it attempts to gain access by using certain strings as username and password, such as the following:
Modifies System Settings
Virus:Win32/Gnil.A performs the following changes to the system:
Downloads Arbitrary Files
Virus:Win32/Gnil.A downloads files, which may be additional malware, from the website "whboy.net".
Terminates Security Processes
Virus:Win32/Gnil.A terminates certain processes depending on their window title or their process name.
It terminates processes that have window titles containing the following strings:
It terminates processes that have the following names:
Deletes Registry Entries
Virus:Win32/Gnil.A deletes certain registry entries, some of which may be associated with security processes:
Under HKLM\SYSTEM\CurrentControlSet\Services:
AVP, ccEvtMgr, ccProxy, ccSetMgr, FireSvc, kavsvc, KPfwSvc, KVSrvXP, KVWSC, McAfeeFramework, McShield, McTaskManager, MskService, navapsvc, NPFMntor, RsCCenter, RsRavMon, SNDSrvc, SPBBCSvc, Symantec Core LC, wscsvc
Under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
kav, KAVPersonal50, KvMonXP, McAfeeUpdaterUI, Network Associates Error Reporting Service, RavTask, ShStatEXE, yassistse, YLive.exe
Deletion of these entries may prevent the process from running properly.
Analysis by Francis Allan Tan Seng
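The artifacts named above (the "svcshare" Run value, the spoclsv.exe copy in the drivers folder, the setup.exe/autorun.inf pair on removable drives and GameSetup.exe on shares) can be checked offline against a registry export and a file listing. The following is an added example, not part of the original write-up; the function names and the sample data are constructed for illustration, and it assumes the registry export is in regedit's text format.

```python
import re
from pathlib import PureWindowsPath

RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # REG_SZ only

# Constructed sample data (not taken from a real infected host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svcshare"="C:\\WINDOWS\\system32\\drivers\\spoclsv.exe"
'''
SAMPLE_PATHS = [r"C:\WINDOWS\system32\drivers\spoclsv.exe", r"E:\setup.exe",
                r"E:\autorun.inf", r"F:\setup.exe", r"\\srv\share\GameSetup.exe"]

def parse_reg_strings(reg_text):
    """Yield (key, value_name, data) for each string value in .reg export text."""
    key = None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            yield key, name, data

def check_run_key(reg_text):
    """Flag the 'svcshare' autostart value or any Run entry pointing at spoclsv.exe."""
    return [f"Run value {name!r} -> {data}"
            for key, name, data in parse_reg_strings(reg_text)
            if key.lower() == RUN_KEY and (name.lower() == "svcshare"
                or data.lower().endswith(r"\drivers\spoclsv.exe"))]

def check_files(paths):
    """Flag dropped copies by name and location; name matches are leads, not proof."""
    findings, roots = [], {}
    for p in map(PureWindowsPath, paths):
        name = p.name.lower()
        if name == "spoclsv.exe" and p.parent.name.lower() == "drivers":
            findings.append(f"dropped copy: {p}")
        if name == "gamesetup.exe":
            findings.append(f"share copy: {p}")
        if len(p.parts) == 2:  # file sits directly in a drive or share root
            roots.setdefault(p.drive.upper(), set()).add(name)
    for root, names in sorted(roots.items()):
        if {"setup.exe", "autorun.inf"} <= names:  # both files in the same root
            findings.append(f"autorun pair in root of {root}")
    return findings

if __name__ == "__main__":
    for finding in check_run_key(SAMPLE_REG) + check_files(SAMPLE_PATHS):
        print(finding)
```

File-name matches such as setup.exe are common in legitimate software, so each finding should be confirmed with an antivirus scan of the file itself.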
Prevention
Pigeon!
Engine | Version | Result
AhnLab-V3 | .0 | -
AntiVir | 7.6.0.5 | TR/Crypt.XPACK.Gen
Authentium | 4.93.8 | -
Avast | 4.7.1029.0 | Win32:Delf-DNR
AVG | 7.5.0.485 | -
BitDefender | 7.2 | Packer.Malware.VPacker.B
CAT-QuickHeal | 9.00 | (Suspicious) - DNAScan
ClamAV | 0.91.2 | -
DrWeb | 4.33 | -
eSafe | 7.0.15.0 | suspicious Trojan/Worm
eTrust-Vet | 31.1.5114 | -
Ewido | 4.0 | -
FileAdvisor | 1 | -
Fortinet | 3.11.0.0 | W95/Fono
F-Prot | 4.3.2.48 | -
F-Secure | 6.70.13030.0 | Backdoor.Win32.Hupigon.hjx
Ikarus | T3.1.1.12 | MemScanBackdoor.Eggdrop.AI
Kaspersky | 4.0.2.24 | Backdoor.Win32.Hupigon.hjx
McAfee | 5113 | -
Microsoft | 1.2803 | Worm:Win32/Emerleox.J
NOD32v2 | 2509 | a variant of Win32/Hupigon
Norman | 5.80.02 | -
Panda | 9.0.0.4 | Suspicious file
Prevx1 | V2 | -
Rising | 19.39.32.00 | Backdoor.Win32.Gpigeon.zyl
Sophos | 4.21.0 | Mal/Packer
Sunbelt | 2.2.907.0 | VIPRE.Suspicious
Symantec | 10 | Backdoor.Graybird
TheHacker | 6.1.9.179 | -
VBA32 | 3.12.2.4 | -
VirusBuster | 4.3.26:9 | -
Webwasher-Gateway | 6.0.1 | Trojan.Crypt.XPACK.Gen
结果: 找到 1 恶意软件
Backdoor.Win32.Hupigon.hjx (病毒)
C:\Documents and Settings\ssy\桌面\AutoRun.rar\qtsx.exe
TR/Crypt.XPACK.Gen
Kaspersky detected and removed it, haha
Virus infection found
File which you are trying download contains virus. Loading has been interrupted.
Technical data:
Error name: Virus Alert
Virus description Packer.Malware.VPacker.B
Error code: -1602
Requested URL: /attachment.php?aid=124427
Requested HTTP method: GET
Requested ContentType: application/octet-stream
Starting the file scan:
Begin scan in 'C:\Documents and Settings\Administrator\桌面\AutoRun.rar'
C:\Documents and Settings\Administrator\桌面\AutoRun.rar
  [0] Archive type: RAR
  --> qtsx.exe
      [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
      [INFO]      The file was deleted!
File information
File Name: (File not down)
File Size: 75658 byte
File Type: RAR archive data, v1d, os
Scanner results: Scanner(s) (29/37) found malware!
Time: 11-02-28 13:58:03 (CST)
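A worm is a common type of computer virus. It uses the network to replicate and spread, and its infection vectors are networks and e-mail. The original definition of a worm came from the DOS environment, where an outbreak would display something resembling a worm on the screen that randomly devoured the letters on the screen and deformed them. Worm...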
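The worm Win32.WombleFamily is a family of mass-mailing worms; it may be an executable program or a Windows Media file, and exploits MS06-0...
Win32/Womble.C is a mass-mailing worm; it may be an executable program or a Windows Media file, and exploits the MS06-001 vulnerability. The virus also...
Win32/Duiskbot.AJ is an IRC-controlled worm that spreads by exploiting a vulnerability in the Server Service. It may also send, with a link to download the worm, an instant...
The worm Win32.Duiskbot.AF is an IRC-controlled worm that spreads by exploiting a vulnerability in the Server Service. It may also send one containing a worm download...
Win32/Womble.B is a mass-mailing worm; it may be an executable program or a Windows Media file, and exploits the MS06-001 vulnerability. The virus also...
A new type of high-risk worm, the "2003 Worm King" (Worm.NetKiller2003), appeared on the Internet; the harm it causes far exceeds that of the once-rampant Code...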
File information
File Name: (File not down)
File Size: 1737253 byte
File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Scanner results: Scanner(s) (32/36) found malware!
Time: 10-09-09 08:15:43 (CST)