3721 virus removal method, in detail

xiaoxiao2021-03-06  58

Author: Tianyuan (QQ: 354887). Reproduction permitted; please credit the source.

Recently I received reports from users on our internal network that, on visiting certain sites, they were prompted to install a plugin called "3721 Chinese Real Name". Some users clicked "install" without understanding what it was, and afterwards the virus stayed resident and proved very hard to remove from the hard disk. Although Tianyuan is a network administrator and has used Windows a great deal, I had never used this plugin named 3721; but the users were anxious, so I promised to help. After several attempts I finally got rid of it.

What follows is my experience of killing this virus and a removal procedure.

On a Windows XP machine I visited the site the user reported and downloaded and executed the plugin. The plugin is in Chinese; after installation it asks for a reboot to take effect, and it ships with an uninstaller. Comparing the system before and after installation and after uninstallation, its persistence, its self-protection, and the large amount of system performance it consumes convinced me that this plugin is indeed a virus.

Virus symptoms:

1. The browser's "Search" function is redirected to a site called www.3721.com, which is a Chinese-language site, and the setting cannot be changed back;

2. Icons such as "Scenario Chat" and "Internet Acceleration" are forcibly added;

3. The related registry values are rewritten continuously so that it stays resident, consuming a large share of the host's resources;

4. It is loaded on every start and comes with process protection, so it is difficult to kill under normal Windows;

5. It has an automatic upgrade function, so the virus upgrades itself in the background.

Characteristics of the virus:

1. Comes with its own uninstaller. The virus provides an uninstall program in order to hide its purpose and lull the user; but in my tests, after "uninstalling", the virus program is still resident, still loads, still monitors, and still rewrites the registry;

2. Upgrades over the network. To evade users and anti-virus software, the virus upgrades itself online at regular intervals. This is similar to other recent mainstream Windows viruses, but it is worth noting that this virus has a public upgrade site, www.3721.com, styled like a portal or service site, which makes it very convincing;

3. Loaded as a driver. This can be called a technical leap among recent viruses: it is loaded in driver mode together with a hook, which makes it extremely difficult to kill under Windows (discussed in detail below);

4. Provides a search service: keyword queries for Chinese text typed into the browser address bar. Under the influence of the Sasser worm, which also connects infected machines to download the patch, new viruses seem increasingly fond of offering some "alternative" feature;

5. Spreads passively: it is distributed through certain websites rather than actively infecting other machines, similar to the currently popular "beauty pictures" virus. The shift from active to passive spreading can be called a new characteristic of some of this year's viruses.

Detailed analysis of the virus:

When the user visits the site, a control-download window pops up prompting the user to download and install; on the surface it claims to provide a Chinese "real name" service, which lures users into installing it.

During installation it modifies the user's files and the registry.

Files added:

Under Documents and Settings\All Users\Start Menu\Programs\Network Real Name\:

    Understand the network real name details.url    126 bytes
    Clean up the Internet record.url                100 bytes
    Internet access assistant.url                    99 bytes
    Uninstall network real name.lnk               1,373 bytes
    Repair browser.url                              103 bytes

Under Windows\Downloaded Program Files\:

    assis.ico        5,734 bytes
    CNS02.DAT        1,652 bytes
    Cnshook.dll     56,320 bytes
    CNSMIN.CAB     116,520 bytes
    CNSMIN.DLL     179,712 bytes
    CNSMIN.INF         378 bytes
    SMS.ico          6,526 bytes
    Yahoomsg.ico     5,734 bytes

Under Windows\System32\Drivers\:

    CNSMinkp.sys

Registry keys and values added:

1. Under HKEY_LOCAL_MACHINE\SOFTWARE, adds the key 3721 with several subkeys and values;

2. Under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID, adds two subkeys:
   {B83FC273-3522-4CC6-92EC-75CC86678DA4}
   {D157330A-9EF3-49F8-9A67-4141AC41ADD4}

3. Under HKEY_LOCAL_MACHINE\SOFTWARE\Classes, adds four subkeys:
   CNSHELPER.CH
   CNSHELPER.CH.1
   CNSMINHK.CNSHOOK
   CNSMINHK.CNSHOK.1

4. Under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface, adds the subkey {1BB0ABBE-2D95-4847-B9D8-6F90DE3714C1};

5. Under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib, adds two subkeys:
   {A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927}
   {AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267}

6. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions, adds the subkey CNS;

7. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions, adds five subkeys:
   {00000000-0000-0001-0001-596BAEDD1289}
   {0F7DE07D-BD74-4991-9D5F-ECBB8391875D}
   {5D73EE86-05F1-49ED-B850-E423120EC338}
   {ECF2E268-F28C-48D2-9AB7-8F69C11CCB71}
   {FD00D911-7529-4084-9946-A29F1BDF4FE5}

8. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search, adds four subkeys:
   CustomizeSearch
   OCustomizeSearch
   SearchAssistant
   OSearchAssistant

9. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, adds the subkey {D157330A-9EF3-49F8-9A67-4141AC41ADD4};

10. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, adds the value CNSMin;

11. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, adds the value EK_ENTRY (note: this entry takes effect at the next boot and produces the most troublesome part of the infection, described below);

12. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, adds the subkey CNSMIN;

13. Under HKEY_CURRENT_USER\Software, adds the subkey 3721;

14. Under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, adds:
   CNSAutoUpdate
   CNSEnable
   CNSHint
   CNSList
   CNSMenu
   CNSReset

After the computer restarts, the EK_ENTRY entry under RunOnce mentioned above takes effect: it generates the most troublesome key of all, CNSMinkp, in the registry and creates the file cnsminkp.sys in the Windows\System32\Drivers directory of the system drive. This is where the nightmare begins.

Because Win2K/XP automatically loads the drivers under Windows\System32\Drivers at startup (including in Safe Mode), CNSMinkp.sys is loaded. One of this driver's jobs is to make sure that CNSHOOK.DLL and CNSMIN.DLL under Windows\Downloaded Program Files cannot be deleted. CNSHOOK.DLL provides the Chinese "real name" feature, and CNSMIN.DLL resides inside the IE process. To keep the highest priority, CNSMin uses a timer to reinstall its hook repeatedly, which degrades system performance; on my test machine the loss was about 20%. And because the hook is installed forcibly, running a debugger with breakpoints causes frequent errors, WinZip stops working properly, and the machine cannot shut down. (For the technical details see the article "[Reprinted] 3721 Reporting Mechanism Simple Research" at

http://www.nsfocus.net/index.php?act=sec_doc&do=view&doc_id=894, original author Quafful @ 水木清华.)

Self-defence and anti-deletion characteristics:

Although the virus comes with a so-called "uninstaller", the core programs and registry values are not removed by it. Moreover, the virus uses various technical means to give itself extremely strong anti-deletion properties.

Whenever Windows boots (including into Safe Mode), it loads CNSMinkp.sys from Windows\System32\Drivers. This filter driver intercepts attempts to delete itself, its related important files, and its registry keys: whenever you try to delete a critical 3721 file or registry key, it returns success, so Windows believes the deletion succeeded, but the files and registry keys are actually still there.
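The behaviour described above, in which the delete call reports success while the object stays on disk, is why a cleanup tool must never trust the return value of a delete operation. The following is an added example (not from the original article) of the check a removal script should make: delete, then re-read the directory entry, and classify the outcome. The names remove_and_verify, sweep, lying_delete and demo are this example's own; lying_delete is a constructed stand-in for a delete call intercepted by a self-protecting driver, and the sample files are created in a temporary directory.

```python
import os
import tempfile
from typing import Callable, Dict, List

# Added example, not the article's code. A self-protecting driver can make a delete
# call return success while the file remains, so every deletion is re-verified by
# checking whether the directory entry still exists afterwards.


def remove_and_verify(path: str, delete: Callable[[str], None] = os.remove) -> str:
    """Delete `path` with the supplied delete function and report what really happened.

    Returns one of:
      "absent"        - nothing to delete
      "removed"       - delete reported success and the entry is really gone
      "still-present" - delete reported success but the entry is still there
                        (the 3721 driver behaviour described in the article)
      "error:<msg>"   - delete raised an OSError
    """
    if not os.path.lexists(path):
        return "absent"
    try:
        delete(path)
    except OSError as exc:
        return f"error:{exc.strerror or exc}"
    # Never trust the API result: re-check the directory entry itself.
    if os.path.lexists(path):
        return "still-present"
    return "removed"


def sweep(paths: List[str], delete: Callable[[str], None] = os.remove) -> Dict[str, str]:
    """Apply remove_and_verify to every path and collect a per-file verdict."""
    return {p: remove_and_verify(p, delete) for p in paths}


def lying_delete(path: str) -> None:
    """Constructed stand-in for a delete call that a filter driver intercepts:
    it returns as if it succeeded but leaves the file untouched."""
    return None


def denying_delete(path: str) -> None:
    """Constructed stand-in for a delete call that fails with an access error."""
    raise PermissionError("Access is denied")


def demo() -> Dict[str, str]:
    """Create throwaway sample files and delete them through the different paths."""
    d = tempfile.mkdtemp()
    honest = os.path.join(d, "cnshook.dll.sample")      # constructed sample file
    protected = os.path.join(d, "cnsminkp.sys.sample")  # constructed sample file
    for p in (honest, protected):
        with open(p, "wb") as fh:
            fh.write(b"constructed sample content")
    verdicts = {
        "honest": remove_and_verify(honest),
        "protected": remove_and_verify(protected, lying_delete),
        "denied": remove_and_verify(protected, denying_delete),
        "missing": remove_and_verify(os.path.join(d, "nothing-here")),
    }
    os.remove(protected)   # plain cleanup of the temp directory
    os.rmdir(d)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A "still-present" verdict after a successful-looking delete is exactly the signal the article's author only discovered by hand in the third round; a script that surfaces it immediately saves the guesswork.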

Technical highlights:

I have to admit that this 3721 plugin-virus can be called the most difficult virus a network administrator has faced. Over recent years viruses have made several major breakthroughs: CIH showed that an infection could reach the BIOS; Code Red exploited Windows sharing extensions; Melissa showed us what a source-code virus looks like; the MSSQLSERVER worm made us realise that viruses attack not only hosts but also network equipment; the Blaster ("shock wave") worm showed how terrible it is when everyone runs the same operating system with the same vulnerability; the "beauty pictures" virus showed the power of combining imagery with software vulnerabilities; and now 3721 is the first to demonstrate such strong anti-deletion properties that it can be called a virus that cannot be killed in a Windows environment. Although it is a single-purpose virus that does no damage to the system, the history of viruses suggests that this nearly perfect anti-deletion technique will soon be adopted by other viruses. A virus combining network infection with such strong anti-deletion functionality may be the biggest test anti-virus software has faced on the Windows platform. This experience also made me realise that behind the user-friendly, beautiful, fool-proof appearance of Microsoft's Windows lies a crisis. As an IT peer I personally admire all the techniques the 3721 authors used, but a Pandora's box of new viruses has been opened: in the history of viruses to date, only a handful have loaded themselves under Windows NT from System32\Drivers, and those were imperfect and caused frequent blue screens. A virus like the 3721 plugin that loads so cleanly, resides in other processes, consumes only host resources, monitors the registry and key files, and never causes an error is a first both at home and abroad, and technically far more mature than those earlier viruses.

As I and others have found, this is a chicken-and-egg problem, like trying to download and install SP4 on a Win2K system that first needs SP2 or later. Because CNSMinkp.sys is started from the Drivers directory at boot, the only way to unload it would be to overwrite the corresponding CNSMinkp registry value or delete the file after Windows has started; but since CNSMinkp.sys filters deletion operations on itself, its related files and its registry keys, every attempt to delete a critical 3721 file or key returns success while the files and keys remain. The registry cannot be modified and the files cannot be deleted, so our traditional countermeasures against viruses and Trojans are powerless.

Residing in the IE process and upgrading automatically gives the virus extremely strong vitality: as soon as a new removal method appears, the virus can upgrade. Although other browsers such as Mozilla exist, most Windows users have IE because of Microsoft's bundling and compatibility, and when people go online to look up information about 3721 they use IE, so 3721 will have upgraded itself to the latest version right under the user's nose, removing the chance of being killed and adding to the difficulty. Perhaps the virus will be upgraded within the shortest time after this article is published.

It comes with other "practical" features. I remember encountering viruses back in the DOS days that ran a cute screen saver or automatically cleaned the temporary folder; later, on the Windows platform, there was the "Today is the XX historical anniversary" virus. The 3721 virus provides a so-called Chinese domain name and English domain name feature. As viruses develop, these bundled, amusing and deceptive viruses will become more and more common; for example, recent mail viruses are sent in Microsoft's name, or in a reply format starting with "RE". Virus development is moving from the original infection, vulnerability spreading and backdoor communication gradually towards deception, and more and more viruses recognise the importance of social engineering. Perhaps in the near future there will be a virus or Trojan bundled with a simple online game or P2P program. Extremely deceptive: under Win98 this plugin can be uninstalled fairly cleanly with its own uninstaller, while under Win2K/XP the uninstaller is almost useless. The virus writer clearly understands social engineering very well: a man with one watch knows the time; a man with two watches is never sure. When this virus cannot be deleted, Win98 users will say there is no problem at all, and the two opposing opinions confuse the judgement of bystanders.

Commercial involvement. The virus is said to be written by a company, in order to promote its products, increase its visits and gain users. This is the same as certain porn sites requiring users to download an XX plugin and then using it to pop up windows. It reminds me of something else: one year, a staff member of a certain company (or possibly someone claiming to be) kept phoning large enterprises and institutions, saying that their Chinese domain name had been grabbed by XX and that failing to pay would have XX consequences. A colleague's college seems to have had this experience: the company's employee phoned the college network centre, first recommending that they apply for a Chinese domain name, which the director found interesting but too expensive. The second call switched from persuasion to intimidation, saying the Chinese name had been registered by a certain private school and that, if the college did not pay, there would be dire consequences. The director, who does not take kindly to threats, replied: "You know that in China XX University is state-recognised, and your company, with no official authorisation, registered our school's Chinese domain name to a private school. Since you see no irregularity in that, if I privately registered the name of a national leader as a personal site, would your company accept it too? For a company like yours we have a consistent practice: we will find a legal way to resolve it!" A wonderful answer; of course nothing came of the matter. It is not hard to see from related reports that computer crime is gradually moving into the economic sphere. Viruses combined with business, violating private computers, mark a change from virus writing as personal behaviour to virus writing as commercial behaviour, and open a new chapter in the history of viruses.

Virus removal procedure:

Since the main purpose of the Network Admin column is "teaching people to fish", I have written up the removal process so everyone can discuss it.

First round:

When I first saw this virus I took it for an ordinary Trojan. Following the old routine: first delete the values in the registry, then delete the virus files, then restart the machine and everything should be fine. Not so: the registry was completely unchanged, and the deleted files were still there.

Outcome: virus wins, Tianyuan loses.

Second round: I switched to another machine and installed an uninstall helper to make it easy to monitor registry and file changes. My choice was Ashampoo Uninstaller Suite, which monitors the registry, files and important configuration files. I installed the 3721 plugin again and recorded the registry and file changes. (Note that because the Run and RunOnce registry entries act at the next startup, you must compare the file and registry changes again after the reboot to get an accurate result.) Comparing the records gave me everything 3721 had added to the registry and the list of files it added. I then planned to boot into Safe Mode and delete the files and registry entries: I wrote a save.reg to delete the relevant registry keys (writing .reg files was introduced in an earlier Network Admin Notes column; the REG file is provided at the end of this article for reference) and a save.bat to delete the relevant files, and put both in the root of the C: drive. I restarted into Safe Mode, imported the registry file with regedit /s save.reg, then deleted the files with save.bat. After another restart the files still existed and the registry had not been modified. The usual way of dealing with Trojans and viruses was completely ineffective, which gave me a sense of having met a real enemy.

Outcome: virus wins, Tianyuan loses.
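The second round's method, snapshot the file system before installation, install, snapshot again (and again after the reboot, since the RunOnce entry only acts then), and compare, is the way the file list earlier in this article was produced. The following is an added example, not the article's or Ashampoo's code, of that comparison in a few dozen lines: it records size and SHA-256 of every file under a root, then reports added, removed and changed paths. The names snapshot, diff_snapshots and demo are the example's own, and demo builds a throwaway directory tree with constructed file names mirroring the ones the article lists.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

# Added example, not the article's tool: a minimal "snapshot before, snapshot
# after, compare" routine. Paths and contents in demo() are constructed samples.

Snapshot = Dict[str, Tuple[int, str]]   # relative path -> (size in bytes, sha256 hex)


def snapshot(root: str) -> Snapshot:
    """Record size and SHA-256 of every regular file under root."""
    result: Snapshot = {}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[rel] = (os.path.getsize(full), digest.hexdigest())
    return result


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Classify paths as added, removed or changed between two snapshots."""
    return {
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
        "changed": sorted(p for p in after if p in before and after[p] != before[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    """Create a file (and its parent directories) below root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Simulate an install on a throwaway tree and report what it changed."""
    root = tempfile.mkdtemp()
    try:
        # Pre-existing files (constructed).
        _write(root, "Windows/System32/Drivers/existing.sys", b"old driver")
        _write(root, "Windows/win.ini", b"[fonts]\n")
        before = snapshot(root)
        # Simulated install: drops files with names mirroring the article's list
        # and edits an existing file.
        _write(root, "Windows/Downloaded Program Files/cnsmin.dll", b"constructed")
        _write(root, "Windows/System32/Drivers/cnsminkp.sys", b"constructed")
        _write(root, "Windows/win.ini", b"[fonts]\nrun=cns\n")
        after = snapshot(root)
        return diff_snapshots(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real machine you would run snapshot() over the system drive (with a normal user's rights it will skip unreadable files, which is acceptable for this purpose) and keep the three results on removable media, so the comparison is not itself exposed to the files being examined.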

Third round:

I restarted the machine and this time deleted the files by hand, and discovered the problem: CNSMinkp.sys in the System32\Drivers directory and cnshook.dll and cnsmin.dll under Windows\Downloaded Program Files "cannot be deleted". That wording is not quite accurate: there is no error after deleting, but the file still exists. So I searched with Google and found an article (name and URL given above), from which I understood that this is the work of CNSMinkp.sys. So, as long as it is not loaded, it cannot protect anything, right? But in both 2K and XP, Safe Mode still loads the drivers under System32\Drivers, and to cancel that loading you have to modify the registry, which is exactly what is impossible once CNSMinkp.sys has loaded. The result is that you cannot get a boot that does not contain CNSMinkp.sys. Friends with a floppy drive can of course delete the file from a boot floppy, but what about those who, like Tianyuan, have no floppy drive? Remember that the article on NSFocus (Green Alliance) said "currently cannot be cracked". At this point I also tried various methods:

I tried renaming these files; that failed;

I tried replacing the file with a redirect, such as dir * > cnsminkp.sys; that also failed;

I tried overwriting these files with copy con, and found that one of the three files, CNSHOOK.DLL, could be overwritten this way, but overwriting cnsminkp.sys and cnsmin.dll prompted "file not found"! Friends familiar with copy con will know that, whether or not the file exists, it should either create it or prompt to overwrite; getting that prompt instead shows that cnsminkp.sys is deceiving the system, strong stuff! At this point I recalled the DOS days of writing to disk directly with debug, but perhaps it need not be so complicated.

I don't recall a way of writing disk sectors directly under Win2K/XP, but maybe it does not need to be that complicated. After trying a few approaches I finally had the insight: since the file itself cannot be touched, what about the directory it lives in? First I copied the Windows\System32\Drivers directory to a copy named Drivers1 and deleted the 3721 driver from the copy (note: because it is Drivers1, it really can be deleted);

Restart the machine into Safe Mode;

Replace the original Drivers directory with the Drivers1 directory:

    cd \windows\system32
    ren Drivers Drivers2
    ren Drivers1 Drivers

After that, restart the machine, then delete the Drivers2 directory and the remaining files, and clean up the registry. A REG file for cleaning the registry is provided here:

Windows Registry Editor Version 5.00
; On Windows 98 replace the line above with: REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\3721]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CNSHELPER.CH]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CNSHELPER.CH.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CNSMINHK.CNSHOK]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CNSMINHK.CNSHOK.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1BB0ABBE-2D95-4847-B9D8-6F90DE3714C1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\!CNS]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CNSMIN]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{00000000-0000-0001-0001-596BAEDD1289}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{0F7DE07D-BD74-4991-9D5F-ECBB8391875D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5D73EE86-05F1-49ED-B850-E423120EC338}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{ECF2E268-F28C-48D2-9AB7-8F69C11CCB71}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FD00D911-7529-4084-9946-A29F1BDF4FE5}]
[-HKEY_CURRENT_USER\Software\3721]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\OCustomizeSearch]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\OSearchAssistant]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CNSMin]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\EK_ENTRY]
; The original file addressed the next six keys as HKEY_USERS\S-1-5-21-789336058-764733703-1343024091-1003\...,
; which is the SID of the author's own account and would not match on another machine.
; HKEY_CURRENT_USER is the same hive for the logged-in user and works everywhere.
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CNSAutoUpdate]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CNSEnable]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CNSHint]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CNSList]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CNSMenu]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CNSReset]

Outcome: virus loses, Tianyuan wins.
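A .reg deletion script like the one above fails silently when it is subtly wrong: regedit does not object to a key that does not exist, so a path typed with "/" instead of "\", a key addressed through another machine's account SID under HKEY_USERS, or an entry listed twice simply does nothing. The following is an added example, not part of the original article, of a small checker for such files: it parses the "[-HIVE\path]" lines and reports those three problems. The names RegKey, parse_reg, lint_reg and SAMPLE_REG are the example's own, and SAMPLE_REG is a constructed file that deliberately contains each mistake.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Added example, not the article's code: a lint pass over a .reg file.

KNOWN_HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
               "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
VALID_HEADERS = {"Windows Registry Editor Version 5.00", "REGEDIT4"}
# Account SIDs under HKEY_USERS look like S-1-5-21-<three numbers>-<RID>.
USER_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


class RegKey(NamedTuple):
    lineno: int
    hive: str
    path: str       # subkey path below the hive, normalised to backslashes
    delete: bool    # True for "[-...]" lines
    raw: str        # the bracket contents exactly as written


def parse_reg(text: str) -> Tuple[str, List[RegKey]]:
    """Return (header line, key lines). Raises ValueError on an unknown header."""
    lines = text.splitlines()
    header = next((ln.strip() for ln in lines if ln.strip()), "")
    if header not in VALID_HEADERS:
        raise ValueError(f"unrecognised .reg header: {header!r}")
    keys: List[RegKey] = []
    for n, line in enumerate(lines, start=1):
        ln = line.strip()
        if not (ln.startswith("[") and ln.endswith("]")):
            continue                       # values, ';' comments, blank lines
        raw = ln[1:-1]
        delete = raw.startswith("-")
        body = raw[1:] if delete else raw
        # Tolerate the " / " separators that copy-pasting often introduces so the
        # hive can still be identified; lint_reg reports them separately.
        norm = re.sub(r"\s*[\\/]\s*", "\\\\", body)
        hive, _sep, path = norm.partition("\\")
        keys.append(RegKey(n, hive, path, delete, raw))
    return header, keys


def lint_reg(text: str) -> List[str]:
    """Warnings for mistakes regedit accepts silently but that defeat the cleanup."""
    try:
        _header, keys = parse_reg(text)
    except ValueError as exc:
        return [str(exc)]
    warnings: List[str] = []
    seen: Dict[Tuple[str, str], int] = {}
    for k in keys:
        if k.hive.upper() not in KNOWN_HIVES:
            warnings.append(f"line {k.lineno}: unknown hive {k.hive!r}")
        if "/" in k.raw:
            warnings.append(f"line {k.lineno}: '/' is not a key separator; use '\\'")
        if k.hive.upper() == "HKEY_USERS":
            first = k.path.split("\\", 1)[0]
            if USER_SID.match(first):
                warnings.append(f"line {k.lineno}: hard-coded account SID {first}; "
                                "use HKEY_CURRENT_USER so the file works on any machine")
        ident = (k.hive.upper(), k.path.lower())
        if ident in seen:
            warnings.append(f"line {k.lineno}: duplicate of line {seen[ident]}")
        else:
            seen[ident] = k.lineno
    return warnings


# Constructed sample: one correct entry followed by each of the three mistakes.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\\SOFTWARE\\3721]
[-HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CurrentVersion / Run / CNSMin]
[-HKEY_USERS\\S-1-5-21-111-222-333-1003\\Software\\Microsoft\\Internet Explorer\\Main\\CNSEnable]
[-HKEY_LOCAL_MACHINE\\SOFTWARE\\3721]
"""

if __name__ == "__main__":
    for w in lint_reg(SAMPLE_REG):
        print(w)
```

Run it over a cleanup file before booting into Safe Mode; a clean run does not prove the keys exist on the target machine, but it rules out the cases where regedit /s would report nothing and remove nothing.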

(Although the removal succeeded, it felt risky: if the virus had also blocked renaming of the parent directory, this trick would not have worked. To guard against that, I finally found a thorough approach, described below.)

Fourth round:

Smart readers have probably already thought of it: if the C: drive is FAT32, boot from a Win98 boot floppy, delete the related files under C:, then boot into Safe Mode and run save.reg to clean the registry. The problem is that most Win2K/XP systems use NTFS, which the Win98 boot floppy does not support. What to do? On a machine with a floppy drive you can make a boot floppy that can operate on NTFS partitions using NTFSDOS (see http://www.yesky.com/20020711/1620049.SHTML). For those who, like Tianyuan, have no floppy drive: remember that the boot loader Win2K/XP installs does more than choose between operating systems; like LILO and GRUB under Linux, it is an operating-system boot manager. So if we can put a small system that reads and writes NTFS onto the hard disk and boot it from that loader, we can operate on the C: drive with no floppy drive at all. Such software can be found online; it ships with an image file that supports reading NTFS and is simple, almost fool-proof, to use (details at http://www.yesky.com/softchannel/7235006842588348/20040226/1771849.shtml; incidentally, the newer version of YFLOPPY comes with an IMG file supporting NTFS read and write). Boot it, delete the 3721-related files, then clean up the registry and remove any remaining files.

At this point we have finally driven the 3721 ghost off our hard drives!

Because many websites, for various reasons, pop up the 3721 download window when a page is displayed, it is easy to be caught again. You can block that site and other malicious downloads in IE; the specific method is described at http://www.yesky.com/20030416/1663721.SHTML.

As of writing, I know that many fellow network administrators have already blocked it at the gateway, so that uninformed users are not victimised. Network security has a long way to go, and it depends on everyone's efforts to fend off these harmful Trojans.

Please credit the original address when reprinting: https://www.9cbs.com/read-112599.html
