SoFunction
Updated on 2025-04-14

Analysis of various malicious web page countermeasures—All strategies for using the registry


Web pages exploit vulnerabilities in IE so that merely browsing leaves your computer unrecognizable, or even plants Trojans to spread viruses, and this form of attack is growing more and more intense. So, without further gossip, let's analyze the various kinds of malicious web pages.
Before the analysis, a word on how to modify the registry, because the registry is the center of a web virus: it is through the registry that the virus makes your computer unrecognizable.
The first method: direct modification
Type regedit in Run and edit the keys directly. This is how most people normally modify the registry.
The second method: .reg file import
Take unlocking the registry as an example (in practice tools such as Super Rabbit unlock it more conveniently; the point here is only how to write a .reg file).
For Windows 9x/ME/NT 4.0, save the following in Notepad as a *.reg file and import it (double-click it, or use regedit's Import):

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

The line after REGEDIT4 must be left blank, otherwise the import fails. Malicious pages often set the same value under HKEY_CURRENT_USER instead (the .inf and .vbs examples below target that hive), so check both.
For Windows 2000 or XP, just change REGEDIT4 to Windows Registry Editor Version 5.00.

The third method: .inf installation
For 98/ME, save the following as a file with the .inf suffix, then right-click the file and choose Install:

[version]
signature="$CHICAGO$"
[DEFAULTINSTALL]
ADDREG=AddPolicyKey
DELREG=DelPolicyKey
[AddPolicyKey]
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\system
[DelPolicyKey]
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\system

The section names after ADDREG= and DELREG= are arbitrary labels; the ones above are placeholders. What matters is that DELREG removes the Policies\system key, and with it the DisableRegistryTools value, and ADDREG recreates the key empty. Setup processes DelReg before AddReg, so the order in which the two sections appear does not matter.
If it is 2000 or XP, change $CHICAGO$ to $Windows NT$.
As for other .inf formats, I won't say more here; you can look them up yourself. If you really can't work out how to write other .inf files, contact me :)

The fourth method: VBS script
Save the following as a file with the .vbs suffix and double-click it:

Dim unlock
Set unlock = WScript.CreateObject("WScript.Shell")
unlock.PopUp "The registry will be unlocked for you"
unlock.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"

This is the same WScript.Shell RegWrite call that the malicious pages use, only writing the value back to 0 (so it needs WScript.Shell to still be registered; see the CLSID discussion further on).

The fifth method: turning the attacker's own trick back on the attacker. I won't introduce it here.

As for editing the registry from DOS, no examples here either.

Back up the registry before you modify it!! Remember!!

Now that the methods are known, let's analyze the various malicious websites and their countermeasures.
Malicious websites fall roughly into the following categories:

1. Pages that use IE vulnerabilities to modify the registry through crafted scripts
1. Mild registry modification: the IE title bar, the default homepage and the search page are changed, advertisements are added, and so on. First look at the two decisive lines from one such page's source:
setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}"); // the page selects the WScript.Shell object by this CLSID; every registry write goes through it
RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun", 01, "REG_BINARY"); // writing NoRun makes your Run menu item disappear
Cleaning method:
This article does not give a general recipe for repairing a modified browser, since there are many articles on the Internet on restoring it by repairing the registry; you can find them yourself.
Modifications of this kind can generally be repaired with a registry repair tool, without editing by hand.
Common tools include Super Rabbit Magic, Optimization Master, 3721 Magic Gem, and the IE repairer that ships with Anti-Virus King.
Rising's registry repair tool: /newSite/Channels/anti_virus/Antivirus_Base/TopicExplorerPagePackage/spite
Antivirus's registry repair tool: /download/other/tool_011027_RegSolve.htm
Recommend a good online repair site:
Patch: WINDOWS 2000: /china/windows2000/
WINDOWS 9X user: /downloads/?ReleaseID=32558

2. Pages that modify the registry so that the command formats no longer work, so that the user cannot repair through the registry
The commonest modification is to lock the registry and break file associations: .reg, .vbs, .inf and so on.
Unlocking the registry was covered above. As for broken associations: as long as any one of the formats from the modification methods above still works, use that one. If .reg, .vbs and .inf have all been broken, don't panic: rename regedit.exe to a .com suffix and it still runs and lets you edit the registry. If .com has been broken as well, rename it to .scr; that works too.
The best and easiest way is to restart immediately, press F8 to enter DOS, type SCANREG /RESTORE, and select a registry backup from a time when everything was still normal. Be careful to pick a backup that predates the modification! If scanreg itself has been deleted (some websites are that ruthless), copy it from a floppy in drive A: to COMMAN
A few default values of common file associations are worth recording here.
The normal exe association is [HKEY_CLASSES_ROOT\exefile\shell\open\command]
Its default value is: "%1" %*  Restore this and .exe files will run again.

3. Pages that modify the registry and leave a backdoor, so that the repair appears to succeed but the modified state returns after a restart
This is mainly because a backdoor sits in the startup items. Open the registry (or use a tool such as Optimization Master to view them) at
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
(and the same Run and RunOnce keys under HKEY_LOCAL_MACHINE)
and look for suspicious startup entries. This is the thing most people overlook. Which entries are suspicious?
A few things to watch for: if a startup entry points to a .reg file, remove it; entries pointing to .vbs files should go too. Another very important case is an entry whose value looks like:
regedit -s c:\windows... The -s switch makes regedit import a .reg file silently, with no prompt, which is how the page re-applies its changes at every boot. Such entries must be removed.
Another variant drops a .vbs file, or a .dll file, under c:\windows\; the .dll is in fact a renamed .reg file.
Then check the configuration file under c:\windows\ that carries the load= and run= lines; both should be empty. If another program is listed there, note its path and file name, clear load= and run=, and then delete the corresponding file under the system directory.
Another approach, if the changes keep coming back after every restart: search the C drive for all .vbs files, hidden ones included, open them in Notepad, and delete (or, safest, rename) any that modify the registry. You can search by the time at which you visited the malicious page :)
The following is well worth noting. Many people say: I have tried everything you listed, there is absolutely nothing suspicious in the startup items and there is no vbs file. Well, there is one more trap, at IE startup: the advertisement entries in IE's toolbar and Tools menu. These run every time IE starts, so after fixing everything else don't rush to open an IE window, or the work is undone. Method: open the registry at HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions and delete the advertisement entries without mercy.
One very important point: after hitting a malicious web page, first clear all of IE's temporary files. Remember!
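As an added example (not code from this article), the following script audits a regedit export for the items listed in the cleanup steps above: DisableRegistryTools, NoRun, regedit -s and .vbs entries under the Run keys, entries under Internet Explorer\Extensions, and the exefile association. The Run/RunOnce/RunServices key names and the "%1" %* default are taken from the article; the sample export embedded in the script is constructed, and the extension GUID in it is a placeholder, not a real control.

```javascript
"use strict";
// Added example, not code from the article: audit a regedit export for the lock-out
// and persistence tricks in the cleanup steps above. Export with "regedit /e dump.reg";
// regedit writes UTF-16LE, so read the file with that encoding before calling auditRegExport().

// .reg string data escapes backslash and double quote with a backslash.
const unescapeRegString = (s) => s.replace(/\\(["\\])/g, "$1");

// Parse an export into Map<keyPath, Map<valueName, {type, data}>>: both header styles,
// ";" comments, "name"=... and @=... lines, string / dword / hex data (hex continued
// over several lines with a trailing backslash is joined back together).
function parseRegExport(text) {
  const keys = new Map();
  let current = null;    // value map of the key being read
  let continued = null;  // hex entry whose data continues on the next line
  for (const raw of text.replace(/^\uFEFF/, "").split(/\r?\n/)) {
    const line = raw.trim();
    if (continued) {
      continued.data += line.replace(/\\$/, "");
      if (!line.endsWith("\\")) continued = null;
      continue;
    }
    if (!line || line.startsWith(";") || /^(REGEDIT4|Windows Registry Editor)/.test(line)) continue;
    const key = line.match(/^\[(.+)\]$/);
    if (key) { current = new Map(); keys.set(key[1], current); continue; }
    const val = current && line.match(/^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$/);
    if (!val) continue;
    const name = val[1] === undefined ? "" : unescapeRegString(val[1]);
    const rhs = val[2];
    let entry;
    if (rhs.startsWith('"')) {
      entry = { type: "REG_SZ", data: unescapeRegString(rhs.slice(1, -1)) };
    } else if (rhs.startsWith("dword:")) {
      entry = { type: "REG_DWORD", data: parseInt(rhs.slice(6), 16) };
    } else if (/^hex(\(\d+\))?:/.test(rhs)) {
      entry = { type: "REG_BINARY", data: rhs.replace(/^hex(\(\d+\))?:/, "").replace(/\\$/, "") };
      if (rhs.endsWith("\\")) continued = entry;
    } else {
      entry = { type: "UNKNOWN", data: rhs };
    }
    current.set(name, entry);
  }
  return keys;
}

// Key and value patterns taken from the article's cleanup steps.
const POLICY_SYSTEM = /\\CurrentVersion\\Policies\\System$/i;
const POLICY_EXPLORER = /\\CurrentVersion\\Policies\\Explorer$/i;
const RUN_KEY = /\\CurrentVersion\\(Run|RunOnce|RunServices)$/i;
const IE_EXTENSIONS = /^HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Extensions\\/i;
const EXE_COMMAND = /^HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command$/i;
const SILENT_IMPORT = /\bregedit(\.exe)?\s+[\/-]s\b/i;  // "regedit -s file": silent import at every boot
const SCRIPT_FILE = /\.(vbs|vbe|js|jse|reg|inf)\b/i;

// A DWORD or binary policy value counts as switched on when it is non-zero.
function isSet(entry) {
  if (entry.type === "REG_DWORD") return entry.data !== 0;
  if (entry.type === "REG_BINARY") return /[1-9a-f]/i.test(entry.data);
  return entry.data !== "";
}

function auditRegExport(text) {
  const findings = [];
  const flag = (key, value, reason) => findings.push({ key, value, reason });
  for (const [key, values] of parseRegExport(text)) {
    const lock = POLICY_SYSTEM.test(key) && values.get("DisableRegistryTools");
    if (lock && isSet(lock)) flag(key, "DisableRegistryTools", "registry editor locked");
    const noRun = POLICY_EXPLORER.test(key) && values.get("NoRun");
    if (noRun && isSet(noRun)) flag(key, "NoRun", "Run menu hidden");
    if (RUN_KEY.test(key)) {
      for (const [name, entry] of values) {
        const cmd = String(entry.data);
        if (SILENT_IMPORT.test(cmd)) flag(key, name, "silent registry import at startup (regedit -s)");
        else if (SCRIPT_FILE.test(cmd)) flag(key, name, "script or registry file launched at startup");
      }
    }
    if (IE_EXTENSIONS.test(key)) flag(key, "", "IE toolbar/menu extension: runs whenever IE starts");
    const def = EXE_COMMAND.test(key) && values.get("");
    if (def && def.data !== '"%1" %*') flag(key, "(Default)", 'exe association hijacked; expected "%1" %*');
  }
  return findings;
}

// Constructed sample export (not a real dump); the extension GUID is a placeholder.
const SAMPLE_EXPORT = String.raw`Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=hex:01,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"system"="regedit -s c:\\windows\\system.dll"
"startup"="c:\\windows\\update.vbs"
"ctfmon"="ctfmon.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{00000000-1111-2222-3333-444444444444}]
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\windows\\hijack.exe \"%1\" %*"
`;

if (typeof require === "function" && require.main === module) console.log(auditRegExport(SAMPLE_EXPORT));
```

Each finding names the key and value, so the corresponding lines can be reset with a .reg file of the kind shown in the unlock example at the start of the article (DisableRegistryTools back to 0, the Run entry deleted, the exefile default back to "%1" %*). Run it before rebooting, since the regedit -s entry is exactly what re-applies the damage at the next boot.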

After all this talk, how do you defend against such pages?
A once-and-for-all method: delete the CLSID F935DC22-1CF0-11D0-ADB9-00C04FD58A0B (this is WScript.Shell, the object the scripts above write the registry through).
Its path in the registry is HKEY_CLASSES_ROOT\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}
Look carefully before deleting and never delete a neighbouring key by mistake. Deleting this CLSID does not affect the system itself, but any local script or program that creates WScript.Shell legitimately (logon scripts, installers, the .vbs unlock script above) will stop working, so export the key first so it can be restored.
In IE choose "Tools" → "Internet Options", switch to the "Security" tab, select "Internet" and click "Custom Level". In the "Security Settings" dialog set all the relevant options under "ActiveX controls and plug-ins" and "Scripting" to "Disable" or "Prompt". With "Disable", some sites that use ActiveX and scripts legitimately may not display fully, so "Prompt" is the recommended choice. When a prompt appears, look at the page's source: if you find code lying in wait for you, don't go in; if the source is encoded (encrypted), don't go in unless it is a site you know well; and if even right-click has been disabled, be careful (check what the source looks like for harmful Java or script code).
For Windows 98 users: open C:\WINDOWS\JAVA\Packages\ and delete the package named there; for Windows ME users: open C:\WINDOWS\JAVA\Packages\ and delete the package named there (the file names are missing from this copy of the article). These deletions do not affect normal browsing.
On Windows 2000/XP it is often suggested that malicious scripts can be blocked by disabling the "Remote Registry Service": in "Control Panel" → "Administrative Tools" → "Services", right-click "Remote Registry Service", choose "Properties", and on the "General" tab set "Startup type" to "Disabled". Note that this service only serves registry access from other machines; a script running inside IE writes the local registry through WScript.Shell and is not affected by it, so treat this as general hardening rather than as a defense against the pages described here.
Or simply don't use IE; other browsers exist...
After hitting a malicious page, don't restart the computer right away. Check the startup items first for anything dangerous: an entry that runs deltree or the like at the next boot is far worse than the page itself.
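To make the advice "look at the page source before going in" concrete, here is an added example that is not part of the original article: a scanner that checks a saved page's source for the indicators this article describes, namely the WScript.Shell and FileSystemObject CLSIDs, RegWrite calls, COM object instantiation, encoded script, an IFRAME pointing at an executable, format/deltree commands, and window.open inside a loop (the nuisance pages of section 4). The indicator names and the three sample pages are constructed for the example; the CLSIDs are the ones the article names.

```javascript
"use strict";
// Added example, not code from the article: scan the saved source of a web page
// for the indicators described in this article before letting IE render it.
// Save the page with "View Source" (or fetch it with a download tool) and pass
// the text to scanPageSource().

// Each indicator: a name, a pattern over the raw HTML/script text, and why it matters.
const INDICATORS = [
  { name: "wscript-shell-clsid",
    re: /F935DC22-1CF0-11D0-ADB9-00C04FD58A0B/i,
    why: "CLSID of WScript.Shell, the object pages use to call RegWrite and run commands" },
  { name: "filesystemobject-clsid",
    re: /0D43FE01-F093-11CF-8940-00A0C9054228/i,
    why: "CLSID of Scripting.FileSystemObject, which lets a page create files on disk" },
  { name: "registry-write",
    re: /\.Reg(Write|Delete)\s*\(/i,
    why: "script writes or deletes registry values" },
  { name: "com-instantiation",
    re: /new\s+ActiveXObject\s*\(|\bCreateObject\s*\(|\bGetObject\s*\(/i,
    why: "script instantiates COM objects (WScript.Shell, FileSystemObject, htmlfile)" },
  { name: "encoded-script",
    re: /language\s*=\s*["']?(JScript|VBScript)\.Encode/i,
    why: "encoded script: the page is hiding what it does" },
  { name: "iframe-executable",
    re: /<iframe[^>]*\ssrc\s*=\s*["']?[^"'\s>]+\.(exe|eml|scr|vbs)\b/i,
    why: "IFRAME pointing at an executable or e-mail file (MIME header / IFRAME bug)" },
  { name: "destructive-command",
    re: /\b(format\s+[a-z]:|deltree\s|del\s+\/[sfq])/i,
    why: "disk-wiping command inside a script" },
  { name: "popup-loop",
    re: /\b(for|while)\s*\([^)]*\)\s*\{[^}]*window\.open\s*\(/i,
    why: "window.open inside a loop: pop-up flood that exhausts the CPU" },
];

// Return the indicators that fire on the page text. Nothing is stripped first,
// because indicators may sit in attributes, script bodies or HTML comments.
function scanPageSource(html) {
  return INDICATORS.filter((ind) => ind.re.test(html))
                   .map((ind) => ({ name: ind.name, why: ind.why }));
}

function isSuspicious(html) {
  return scanPageSource(html).length > 0;
}

// Constructed sample pages (not real pages from the wild).
const REGISTRY_HIJACK_PAGE = String.raw`<html><body>
<object classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B" id="sh"></object>
<script language="JavaScript">
  var shl = new ActiveXObject("WScript.Shell");
  shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun", 1, "REG_DWORD");
</script>
</body></html>`;

const POPUP_FLOOD_PAGE =
  '<html><body><script>for (;;) { window.open(location.href, "_blank"); }</script></body></html>';

const BENIGN_PAGE = [
  '<html><head><script>function openHelp() { window.open("help.html", "help"); }</script></head>',
  '<body><a href="#" onclick="openHelp()">Help</a></body></html>',
].join("\n");

if (typeof require === "function" && require.main === module) {
  for (const [label, page] of [["hijack", REGISTRY_HIJACK_PAGE], ["flood", POPUP_FLOOD_PAGE], ["benign", BENIGN_PAGE]]) {
    console.log(label + ":", scanPageSource(page).map((h) => h.name).join(", ") || "clean");
  }
}
```

The patterns are deliberately plain string matches: a page that is encoded or that builds the CLSID at run time will slip past them, which is exactly why the encoded-script indicator is treated as a hit on its own. A single window.open is normal and is not flagged; only a loop around it is.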

2. Pages that use IE vulnerabilities to damage the Windows system directly
Formatting the hard drive from a web page is nothing new any more. One day while you are online a dialog suddenly pops up warning that the current page contains unsafe content; choose "Yes", and the hard drive is probably being formatted.
Part of the source of one such page (the rest is omitted here):
//wsh(……)
To defend against this type of page, the following methods work:
Delete the CLSID F935DC22-1CF0-11D0-ADB9-00C04FD58A0B, because this CLSID (WScript.Shell) can run commands, including any executable on the hard disk. The exact path is
HKEY_CLASSES_ROOT\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}   Once more: don't delete the wrong key.
It is also recommended to rename the command that formats the disk, so that a script calling it finds nothing (Optimization Master, for example, does this renaming for you).
Renaming it by hand under C:\WINDOWS is another way.
You can also uninstall WSH:
98/ME: open "Control Panel", choose "Add/Remove Programs", go to the "Windows Setup" tab, select "Accessories", click "Details", untick Windows Scripting Host and confirm.
On Windows 2000, disable WSH by double-clicking the "My Computer" icon, choosing "Tools/Folder Options", selecting the File Types tab, finding the "VBS VBScript Script File" entry, clicking [Delete], and finally [OK]. Note that this only removes the .vbs file association; a script that IE runs through the WScript.Shell CLSID does not depend on it, which is why deleting the CLSID above is the stronger measure.
Or upgrade WSH to WSH 5.6.
IE could be modified by malicious scripts because WSH in IE 5.5 and earlier allowed attackers to use the GetObject function and the htmlfile ActiveX object from JavaScript to read and write the browser's registry. Microsoft's Windows Script 5.6 fixes this.
WSH 5.6 for Win9x/NT official download:
WSH 5.6 for Win2000 official download: /devonly/

3. Security vulnerability issues

Now, through objects registered in the registry, a page can create files on the hard disk and read the registry.
Viruses are spread through IE vulnerabilities. Browsing today can infect you with script viruses such as New Happy Time, many of which get in through IE vulnerabilities. There is also the current problem of Trojans on web pages: IE's MIME header handling bug is used to make a Trojan program run automatically. Such programs are easy to write and spread easily. Countermeasure for the MIME header bug: install the patch or upgrade /windows/ie/download/critical/Q290108/
1. An IE 5.0 vulnerability: a malformed piece of HTML makes IE crash; the code is not convenient to post here.
Look at this CLSID: 0D43FE01-F093-11CF-8940-00A0C9054228 (Scripting.FileSystemObject) is the one used to create files.
2. IE also has an IFRAME vulnerability that lets a page automatically execute .exe files once it has been browsed.
Defense: it is best to upgrade IE to SP2 or install patch Q290108 (thanks to moderator Piaopiao for pointing out the error here). If you really don't want a newer IE for fear of its resource use, you must at least apply the patch, because many current viruses spread through this IE and OE vulnerability; Love Forest is one of them.
Also delete HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}, the CLSID used to create files.
3. In IE6 (build 2600) a piece of JavaScript can make IE deny service. On 98, IE stops responding and trying to end the task crashes the operating system; on 2000 it pins 50% of the CPU for a long time, after which the browser asks whether to continue.
Defense: disable Java and scripts. Upgrading IE or patching is recommended (it seems nothing else works without the patch).
4. Frame vulnerabilities in IE 5.01, 5.5 and 6.0 can reveal user information.
Countermeasure: patch: /Windowsupdate
/technet/security/bulletin/

Gaining control of the system. Pages of this kind use IE to run ActiveX controls. Although IE offers the prompt "download signed ActiveX controls", the malicious code bypasses the prompt and downloads and runs the control without asking, and the attacker then has control of the system. To block such black hands, open the Registry Editor, expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\, create a new key named after the CLSID of the Active Setup control, create a REG_DWORD value named Compatibility Flags under it, and set it to 0x00000400 (the "kill bit", which stops IE from instantiating that control at all).

4. Nuisance malicious web pages
These pages use JavaScript to, for example, pop up endless windows; that does nothing worse than exhaust CPU resources until you restart. Frankly, the web monitoring of domestic antivirus software cannot intercept such pages at all (I haven't tried foreign products).
These pages are not hard to write: they are all just vicious loops.
Defense: disable Java and scripts, and upgrade IE to a newer version.
Pages also abuse Win98 bugs to drop your connection or crash the machine. Defense: patch 98 for all you're worth (or don't use 98; 2000 is stable).

When you are online, remember to turn on web monitoring or registry monitoring. The success rate of domestic antivirus software at intercepting registry writes is now quite good.

The analysis above shows one very important point: patch your system regularly. New virus code appears soon after Microsoft releases a patch, so remember to patch promptly!

(Source: Hot Network)