DropFileName = "svchost.exe" problem solution

Here's what happened. A friend sent me some source code and asked me to take a look. I accidentally clicked on an exe file inside it, and a network request prompt popped up. I quickly closed it, and then I noticed that there was an exe file in the same directory disguised as the system music folder. I felt something was wrong, but I couldn't be sure. Then when I tried to delete the entire folder, it prompted that a program was in use.

I left it alone for the time being. Over the next two or three hours I found the computer responding slower and slower, and physical memory use kept climbing. So I just restarted the computer.

After that I wanted to write some code and opened an html file, and that's when I discovered the real problem: every html file on the computer had been altered (as shown in the picture below). Now it was confirmed that I really was infected with the virus.

Then I immediately downloaded 360 again and ran a full scan of the computer (don't ask me why I downloaded 360). A computer that has run without antivirus for a long time will inevitably pick up an attack or two.

After a test run, I found that 360 only deletes the virus code, not the file, but it leaves the commented-out part at the bottom of the code behind. In the end I had to clean that up manually. It isn't a big problem if you don't, but it bothers my OCD and it's tedious work (╯▽╰)

Code principle (how it works): the block appended to the files is a VBScript virus. Once a machine is infected, every local HTML document opens with this string of characters at the end. HTML is not the only target: DLL files are infected as well. Don't panic over it, but don't assume it is harmless either. The script itself only writes and infects files, but the executable it drops runs with the user's privileges and, as the network request prompt on that first click showed, makes network connections, so whatever that binary uploads or downloads is not visible from the script alone. Treat the machine as compromised until it has been cleaned and re-checked.
What the code does: DropFileName = "svchost.exe" is the name of a file the script writes to disk, a lookalike of the legitimate Windows service host, not the running system process. The long hexadecimal string that follows is the raw bytes of a Windows executable; the script decodes those bytes into svchost.exe and runs it. What sets this virus apart from most is how aggressively it spreads: once one HTML file carries the block, a user only has to open that document in a viewer that executes VBScript, and the dropped program infects every HTML and DLL file on the local machine, each of which then becomes a new carrier.
Because DLLs are infected too, software that still works fine will trip the antivirus. Many commonly used programs, Xunlei (Thunder) and Kugou among the ones I used back then, were reported as viruses when opened again, which seemed strange at the time: how could Xunlei downloaded from the official website contain a virus? The reason is that the VBS virus had infected the DLLs inside the installation folders of Thunder and similar software, so the antivirus keeps reporting them, and the name it reports is the VBS script virus. These are not false positives about the vendor's code; the fix is to remove the infected copies and reinstall the affected software from the vendor's site after the machine is clean.
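The manual cleanup described above (strip the appended dropper script from every HTML file, including the comment residue an antivirus leaves behind) and the mechanism just explained (a hex string decoded into an executable) can be done in one pass with a script. The following is an added example written for this page, not code from the original post or from any antivirus product. The only literal it relies on is the DropFileName line from the page title; the WriteData variable name, the exact layout of the appended block, and the shape of the leftover residue are assumptions, and the sample "infected" page is constructed here with a 16-byte DOS header prefix rather than a real executable.

```python
import hashlib
import re
from pathlib import Path

# The one literal this example is built on is the line in the page title.
# The exact layout of the appended block is an assumption; the patterns below
# are deliberately loose so they still match if tag casing or spacing differs.
MARKER = 'DropFileName = "svchost.exe"'

# Any <script ...> ... </script> block (any case, multi-line) containing the marker.
SCRIPT_RE = re.compile(
    r"<script[^>]*>.*?" + re.escape(MARKER) + r".*?</script>",
    re.IGNORECASE | re.DOTALL,
)
# The hex string the dropper decodes into svchost.exe. The variable name
# "WriteData" is assumed, not taken from the page.
WRITEDATA_RE = re.compile(r'WriteData\s*=\s*"([0-9A-Fa-f]+)"')
# Residue a cleaner may leave after the real document once the script body is
# gone: only whitespace, comment delimiters and empty script tags (assumption).
RESIDUE_RE = re.compile(
    r"(?:\s|<!--|//-->|-->|<script[^>]*>|</script>)*",
    re.IGNORECASE,
)


def extract_payload(script_text):
    """Decode the hex blob from an infected block; returns (bytes, sha256) or None."""
    m = WRITEDATA_RE.search(script_text)
    if not m:
        return None
    blob = bytes.fromhex(m.group(1))
    return blob, hashlib.sha256(blob).hexdigest()


def clean_html(text):
    """Strip the dropper script and trailing residue. Returns (cleaned, report)."""
    report = []

    def _drop(m):
        payload = extract_payload(m.group(0))
        if payload is None:
            report.append("dropper script removed; no WriteData blob found")
        else:
            blob, digest = payload
            # An 'MZ' prefix confirms the hex is a Windows PE image, not plain data.
            report.append(
                f"dropper script removed; payload {len(blob)} bytes, "
                f"MZ={blob[:2] == b'MZ'}, sha256={digest}"
            )
        return ""

    cleaned = SCRIPT_RE.sub(_drop, text)
    end = cleaned.lower().rfind("</html>")
    if end != -1:
        cut = end + len("</html>")
        head, tail = cleaned[:cut], cleaned[cut:]
        # Only touch the tail when it is nothing but leftover delimiters.
        if tail.strip() and RESIDUE_RE.fullmatch(tail):
            report.append("leftover comment/script residue removed")
            cleaned = head + "\n"
    return cleaned, report


def clean_tree(root, suffixes=(".html", ".htm")):
    """Clean every HTML file under root in place, keeping a .bak copy; returns {path: report}."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in suffixes:
            continue
        # latin-1 round-trips every byte unchanged, so unrelated content is preserved.
        original = path.read_bytes().decode("latin-1")
        cleaned, report = clean_html(original)
        if report:
            path.with_suffix(path.suffix + ".bak").write_bytes(original.encode("latin-1"))
            path.write_bytes(cleaned.encode("latin-1"))
            results[str(path)] = report
    return results


# Constructed sample for a dry run: a harmless page with a fake appended block.
# The hex is only a 16-byte DOS-header prefix, not a runnable executable.
SAMPLE_INFECTED = """<html><body><h1>hello</h1></body></html>
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000000FFFF0000"
'(dropper logic omitted: writes WriteData to a temp file and runs it)
//--></SCRIPT>"""

if __name__ == "__main__":
    cleaned, report = clean_html(SAMPLE_INFECTED)
    print(cleaned)
    print("\n".join(report))
```

Run `clean_tree(r"C:\path\to\projects")` only after the dropped executable has been killed and removed; otherwise the files are re-infected as fast as they are cleaned. The sha256 in the report is what you would submit to a scanner or compare across files to confirm every HTML carries the same payload.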
Tip: The pictures in this article have been abducted by aliens