Before using it, disconnect from the network first, delete ... under the system directory, and use IceSword to delete the dynamic libraries in the temporary directory. Once no process remains in Task Manager, the recovery program can be run.
Note: while it runs, do not launch any other program; the program you launch may itself be infected!!
2: Analysis and manual cleaning method:
I came back from working overtime yesterday afternoon and found that Pengpin was behaving quite strangely. Looking at Task Manager, there were several IE processes and several Notepad processes that looked suspicious. Then I looked at the registry: a startup key had been added, , pointing under the Windows system directory. Alas, I don't use antivirus software; normally, if I get hit, I just kill it myself. This *, however, is very annoying and obviously gets in the way of using the machine. It's incredible that a * would be so crude: once users notice the interference, of course they go looking for a *. I don't know what the author was thinking~~
Since it is so annoying, out comes IDA. I'm analyzing version 1.0.6; the program logic is fairly simple, so let's see what it does~~
1. At startup it creates a registry startup item named System Boot Check, adjusts itself to Debug privilege, and then creates a process and a process.
2. Next, of course, it has to inject its code into the remote processes~~; the author's injection method is fairly simple. At design time he changed the image base: instead of 0x400000 it uses a very unusual address (0x13150000). I guess he tested with notepad and iexplore, so he could be sure that address would not be occupied. Then, from the PE header, it takes the required image size (0x7000), allocates that space inside iexplore and notepad, and copies the whole program across; since the address already matches, relocation is skipped entirely. Finally, of course, comes every *'s favourite function: CreateRemoteThread.
3. With that done it has nothing more to do; next it is iexplore's and notepad's turn to show their skills~.
4. iexplore goes to work first, but notepad also has an important task at this point: it checks whether the running file is the original body or an infected host. If it is an infected host, it must drop and run the pre-infection program so that the user notices nothing. Then the thread waits for a notification (named event: MySignal). What is iexplore doing meanwhile? Let's keep watching.
(The name is long, so I'll just call it IE from here~) First it creates a named mutex, MyDownload, to tell any copies that come later: I'm already here, the rest of you can stand down~. Then it creates the MySignal event and sets it to the non-signaled state. Next, IE's job is to fetch the latest configuration for the virus files and update the local virus version according to that new configuration. First it downloads the configuration file from http://a./ and saves it locally under the name .
The configuration file's format, with comments, is as follows:
Code:
[config]
Version=1.0.6
NUM=7 ; how many tasks there are (at most 20); each task downloads a file, saved locally as an exe of the same name
1=/Article/UploadFiles/200704/
2=/Article/UploadFiles/200704/
3=/Article/UploadFiles/200704/
4=/Article/UploadFiles/200704/
5=/Article/UploadFiles/200704/
6=/Article/UploadFiles/200704/
7=/Article/UploadFiles/200704/
UpdateMe=http://a./ ;updates itself
Tongji=/test/ ;alas, statistics; does the author really think this thing is so great that it needs counting. . . .
hos=/Article/UploadFiles/200704/ ;
This part is quite remarkable! The author has carefully collected a large number of rogue website names, and while planting the * horse he blocks those sites for us as well: they are all written into the hosts file and resolved to the local machine! Whether the author's real intention was to attack competitors (other *s, hehe~) or to genuinely serve the people isn't clear, but either way, credit to the author~~!! Even after the * is killed I'll keep using this function; I guess the author will keep updating it~haha~~
OK, with its task finished, our IE friend takes a break~~
Now for the grand entrance.
This bad guy gets up to no good the moment it appears~: from drive Z down to drive A, one by one, it infects files without missing a single one, including EXE, ASP, ASPX, HTML and PHP; well, that seems to be all of them. This is the part I hate the most.
A. The EXE infection process is as follows (don't read this and then do bad things!):
First, it again traverses all files. On finding an EXE, it checks whether its last 4 bytes are 0x12345678; if so, this one is already a brother, move on to the next.
What does it do when it finds one that isn't infected? Infect it, of course~~hahaha~~~. Pay attention, this part matters: it copies itself to a file called tempicon. Why "icon"? Don't worry, you'll see the reason right away. Once tempicon exists, it takes the icon resources out of the target program and inserts them into tempicon, so that tempicon now looks just like the target~. The next step is to save the target program: a new file is written that is a copy of tempicon with the target program placed immediately after it. Finally, 8 bytes of its own identification information are appended: the first four bytes give the length of the * itself, and the last four bytes are the 0x12345678 mentioned earlier;
The web-related files are handled similarly: the temporary file is temphtml~, and a rogue JavaScript snippet is inserted into the middle of the file:
After infecting the whole hard disk, it checks at intervals of under 50 seconds whether a USB flash drive has been mounted. Once one is, it drops a file in the drive's root directory and copies a copy of itself there; fairly simple.
Oh, and I checked: it seems the partition holding the system directory is not traversed.
Well, that's the job done!
That's the basic process~. To restore, just write a small program that traverses the EXEs on the hard disk, decides whether a file is infected by whether its last 4 bytes are 0x12345678, and reads the length of Sysload_Stub from the end of the file. As for the other libraries such as ,,,,,,,,,,,,,,,,,,,,,, unload them from the Explorer process using IceSword and then delete them!
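As an added example (not the author's tool and not code from the post), here is a small Python scanner in the spirit of the restore program described above. It assumes the infected-file layout the post describes: Sysload_Stub prepended, the original EXE after it, then a 4-byte stub length followed by the 4-byte marker 0x12345678. Little-endian byte order for the two trailer fields and the "MZ" sanity check on the recovered bytes are my assumptions; the sample data is constructed, not real malware.

```python
"""Added example: scanner/cleaner for the EXE infection described in the post.

Assumed layout of an infected EXE (from the post; byte order is my assumption):
    [Sysload_Stub: N bytes][original EXE][N as uint32 LE][0x12345678 as uint32 LE]
"""
import struct
import sys
from pathlib import Path
from typing import List, Optional, Tuple

MARKER = 0x12345678                 # trailer marker the infector appends (from the post)
TRAILER_FMT = "<II"                 # (stub length, marker); little-endian is an assumption
TRAILER_LEN = struct.calcsize(TRAILER_FMT)   # 8 bytes


def is_infected(data: bytes) -> bool:
    """True if the file ends with the 0x12345678 marker."""
    if len(data) < TRAILER_LEN:
        return False
    _, marker = struct.unpack(TRAILER_FMT, data[-TRAILER_LEN:])
    return marker == MARKER


def recover_original(data: bytes) -> Optional[bytes]:
    """Strip the prepended stub and the 8-byte trailer and return the original
    EXE, or None if the trailer is absent or its length field is inconsistent."""
    if not is_infected(data):
        return None
    stub_len, _ = struct.unpack(TRAILER_FMT, data[-TRAILER_LEN:])
    body_end = len(data) - TRAILER_LEN          # offset where the trailer starts
    if stub_len == 0 or stub_len >= body_end:
        return None                             # length field does not fit the file
    original = data[stub_len:body_end]
    if original[:2] != b"MZ":                   # assumption: a PE image starts with MZ
        return None
    return original


def clean_tree(root: Path, dry_run: bool = True) -> List[Path]:
    """Walk root for .exe files (case-insensitive), restore each infected one in
    place unless dry_run, and return the paths that were found infected."""
    found = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".exe":
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue
        original = recover_original(data)
        if original is None:
            continue
        found.append(path)
        if not dry_run:
            path.write_bytes(original)
    return found


def build_constructed_sample() -> Tuple[bytes, bytes]:
    """Constructed fixture, not real malware: a fake stub, a fake original EXE
    and the trailer, glued together in the layout the post describes.
    Returns (infected_blob, original)."""
    stub = b"MZ" + b"\x00" * 62 + b"STUB-PLACEHOLDER" * 4      # 128 bytes
    original = b"MZ" + b"\x90" * 126 + b"ORIGINAL-PROGRAM"      # 144 bytes
    trailer = struct.pack(TRAILER_FMT, len(stub), MARKER)
    return stub + original + trailer, original


if __name__ == "__main__":
    if len(sys.argv) < 2:
        blob, expected = build_constructed_sample()
        print("self-check:", "ok" if recover_original(blob) == expected else "FAILED")
    else:
        fix = "--fix" in sys.argv[2:]
        for p in clean_tree(Path(sys.argv[1]), dry_run=not fix):
            print(("restored: " if fix else "infected: ") + str(p))
```

Run it with a directory as the first argument to list the infected EXEs under it; add --fix to rewrite them in place. The length field is validated against the file size and the recovered bytes must start with "MZ", so a file that merely happens to end in the marker bytes is left alone rather than truncated.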
Overall, the idea of giving the * a configuration file is quite good: if a new * is developed, just have them download it~haha. However, I saw the author call CreateFile many times and always test the return value against 0. Strange~ isn't it INVALID_HANDLE_VALUE??? It can't be that the author doesn't know, since for FindFirstFile he compares against INVALID_HANDLE_VALUE. I'm not well read, so if anyone knows, please leave a message and tell me, thanks~~.
The analysis was quite a chore, alas~ Luckily the author didn't forget to leave a joke inside the * horse: "I will by one BMW this year!" If the author can really get a BMW out of this, wouldn't that cheer us all up?~hehe~~
Special killing tools