Wininit.ini files and Windows viruses
Zhou Zhifang

Anyone who has used Windows 9X has seen this prompt: "Please wait while Setup updates your configuration files. This may take a few minutes..." It usually appears when Windows restarts after software or a hardware driver has been installed. We tend to regard it as normal Windows activity and never connect it with a virus. This article shows, with concrete cases, why that is a mistake: if your machine shows this message for no apparent reason, it is time to go and get the latest anti-virus software.

What is Windows actually doing at that moment? It is executing the instructions in wininit.ini. Wininit.ini is a little-known file whose main job is to delete, rename and update files that cannot be touched while Windows is running. It exists only for a short time, which makes it look a little mysterious.

First, how the wininit.ini file works

It is well known that in Windows an executable that is running, or a library file (*.dll, *.vxd, *.sys and so on) that is open, cannot be overwritten or deleted. For example, you cannot delete \Windows\Explorer.exe from within Explorer. Once the Windows GDI interface is up, a number of files are in this state: besides Explorer.exe there are the display driver libraries, the file subsystem libraries and others. If these files are to be upgraded or replaced, it has to happen before the protected-mode core of Windows loads. Windows therefore provides a mechanism based on the wininit.ini file for exactly this task. The mechanism is: an application that wants to delete or overwrite such a file writes commands in a fixed format into wininit.ini; at startup, Windows looks for wininit.ini in the Windows directory and, if it finds one, deletes, renames or updates files according to its directives, then deletes wininit.ini itself and continues the startup process. The instructions in wininit.ini are thus executed only once, and normally no trace of the file is left when you list the directory.
The format of the wininit.ini file

The Windows 95 Resource Kit mentions wininit.ini, but describes only the [Rename] section. Despite its name, [Rename] can delete, rename and update files. The format is:

[Rename]
...
filename1=filename2
...

The line "filename1=filename2" is equivalent to executing the two DOS commands "COPY filename2 filename1" and "DEL filename2". At startup, Windows overwrites filename1 with filename2 and then deletes filename2, which updates filename1 with the contents of filename2. If filename1 does not exist, the net effect is that filename2 is renamed to filename1. To delete a file, give NUL as filename1:

[Rename]
...
NUL=filename2
...

deletes filename2. Every file name must be given with its full path. Note: because wininit.ini is processed before the Windows file system has been loaded, long file names are not supported; short (8.3) names must be used. Wininit.ini has many uses: besides its frequent use in hardware and software installers, it is also used by the uninstallers of hardware and software.
For example, suppose you write an uninstaller for your own software. The uninstaller cannot delete itself, because it is running at the moment it tries to delete itself. To remove the uninstaller itself you have to use wininit.ini. Incidentally, in the final stage of installing Windows it is wininit.ini that is used to delete and rename the files the installer Setup used for itself.

Second, the technique used by new Windows viruses

The move from the DOS platform to the Windows platform is complete. Unfortunately, the large number of Windows 9X viruses shows that viruses have completed the same move. A Windows virus runs into the following problem: some files cannot be written to, because the system is using them, and so cannot be infected. Early Windows viruses such as CIH solved this with VxD techniques, which easily make the system unstable. Most later viruses use the standard method Windows itself provides, the wininit.ini file, as the following new Windows viruses do.

1. Win32.Kriz

This virus, also called the Christmas virus, is memory resident and polymorphic. It is extremely dangerous: on 25 December it overwrites the CMOS, overwrites all files on all drives, and then destroys the Flash BIOS on the motherboard with the same routine the CIH virus uses. The virus infects *.exe (PE format) and *.scr files. To monitor all file operations it infects kernel32.dll and takes over the file copy, open, move and other file-access functions. Since kernel32.dll can only be opened read-only while Windows is running, the virus copies it to Krized.tt6, infects the copy, and writes a rename directive into wininit.ini; at the next boot Krized.tt6 replaces the original kernel32.dll and the infection is complete.

2. The Suppl.a worm
This is a Word macro worm that spreads by inserting a trojanised document into e-mail as an attachment. When the attachment is opened, the virus copies the document to Anthrax.ini, writes the data it carries to the file dll.lzh and decompresses it to DLL.TMP, all in the Windows directory. The worm then creates a wininit.ini with the following content:

[Rename]
NUL=c:\windows\dll.lzh
c:\windows\system\wsock33.dll=c:\windows\system\wsock32.dll
c:\windows\system\wsock32.dll=c:\windows\dll.tmp

The first line deletes dll.lzh, the second renames the original WSOCK32.DLL to WSOCK33.DLL, and the third renames DLL.TMP to WSOCK32.DLL. These instructions take effect at the next startup, and WSOCK32.DLL is thereby infected. With it in place the worm can monitor outgoing mail: whenever mail is sent, the worm automatically adds the trojanised document to the message as an attachment. Seven days after infection the virus destroys all DOC, XLS, TXT, RTF, DBF, ZIP, ARJ and RAR files, wiping out the data files on the hard disk.

3. The Heathen virus

A multi-platform virus that infects Word documents and PE-format EXE files.
To infect Explorer.exe, the virus first copies Explorer.exe to Heathen.vex (the copy is the one it infects), then adds a [Rename] directive to wininit.ini, for example:

[Rename]
C:\Windows\explorer.exe=C:\Windows\Heathen.vex

At the next startup, Windows completes the infection of Explorer.exe on the virus's behalf. The virus's payload also uses wininit.ini to delete the Windows registry files:

[Rename]
NUL=C:\Windows\system.dat
NUL=C:\Windows\user.dat
NUL=C:\Windows\system.da0
NUL=C:\Windows\user.da0

4. Win95.SK

This is one of the most vicious and most complex viruses. The first version had some bugs; an updated version has since appeared that fixes all the bugs of the first. It is a parasitic Windows virus that infects Windows PE-format files, HLP help files and compressed archives (RAR, ZIP, ARJ, HA). It uses many new and advanced techniques, such as self-decryption and entry-point hiding. When a file on disk is accessed it checks the file name; if the name belongs to one of several anti-virus programs (Adware, AVPI, AVP, VBA, DRWEB), the virus deletes every deletable file in every directory from drive C: to drive Z:, then calls the function Fatal_Error_Handler to crash Windows. Being a Windows virus, it naturally does not leave the Windows shell file Explorer.exe alone, but it is more thorough than other viruses: it obtains the shell file name from the "shell=" line in System.ini. So even if you rename Explorer.exe and put the real file name on the shell= line in the hope of avoiding infection, it is futile. The steps by which it infects the shell file, taking Explorer.exe as the example, are: copy Explorer.exe to Explorer.exf, infect Explorer.exf, then create wininit.ini and write the appropriate Rename directive. This is the same as the other viruses. For the above reasons, some real-time virus monitors have put wininit.ini on their list of key objects to watch.
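To make the [Rename] semantics concrete, here is an added example (not code from the article) that parses a wininit.ini and simulates what the startup processing does to a directory: each "dst=src" line copies src over dst and then deletes src, and "NUL=src" deletes src. The sample wininit.ini combines the three lines the Suppl.a worm writes with one registry-deleting line of the kind Heathen uses, and the starting directory contents are constructed for the simulation. Two details are assumptions about the loader rather than statements from the article: paths are matched case-insensitively (as on FAT), and an entry whose source file is missing is skipped.

```python
"""Parser and offline simulator for the [Rename] section of a Windows 9x
wininit.ini.  Added example; not code from the original article."""
from typing import Dict, List, Tuple

# Constructed wininit.ini: the Suppl.a lines from the article plus one
# Heathen-style registry deletion, with a comment, a blank line and an
# unrelated section to show that only [Rename] is honoured.
SAMPLE_WININIT = """; comment lines and blank lines are ignored
[Rename]
NUL=c:\\windows\\dll.lzh
c:\\windows\\system\\wsock33.dll=c:\\windows\\system\\wsock32.dll
c:\\windows\\system\\wsock32.dll=c:\\windows\\dll.tmp
NUL=c:\\windows\\system.dat

[Other]
ignored=entry
"""

# Constructed starting directory: path as stored on disk -> contents.
SAMPLE_DISK = {
    "C:\\WINDOWS\\DLL.LZH": b"lha archive",
    "C:\\WINDOWS\\DLL.TMP": b"trojaned wsock32",
    "C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL": b"clean wsock32",
    "C:\\WINDOWS\\SYSTEM.DAT": b"registry",
    "C:\\WINDOWS\\EXPLORER.EXE": b"shell",
}


def parse_rename_section(text: str) -> List[Tuple[str, str]]:
    """Return (destination, source) pairs from the [Rename] section only,
    in file order; other sections, comments and blank lines are ignored."""
    entries = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
            continue
        if in_rename and "=" in line:
            dst, src = (part.strip() for part in line.split("=", 1))
            entries.append((dst, src))
    return entries


def apply_rename(entries, disk: Dict[str, bytes]):
    """Simulate processing ENTRIES against DISK; returns (new_disk, log).

    Keys of the returned disk are upper-cased so lookups are
    case-insensitive.  A missing source is logged and skipped (assumed
    loader behaviour).  The source is always removed, whether the
    destination is NUL, an existing file (overwrite) or absent (rename)."""
    fs = {path.upper(): data for path, data in disk.items()}
    log = []
    for dst, src in entries:
        src_key = src.upper()
        if src_key not in fs:
            log.append(f"skip: {src} not found")
            continue
        data = fs.pop(src_key)
        if dst.upper() == "NUL":
            log.append(f"delete {src}")
        else:
            replaced = dst.upper() in fs
            fs[dst.upper()] = data
            log.append(f"{'replace' if replaced else 'rename to'} {dst} from {src}")
    return fs, log


def simulate(ini_text: str, disk: Dict[str, bytes]):
    """Parse INI_TEXT and apply it to DISK in one step."""
    return apply_rename(parse_rename_section(ini_text), disk)


if __name__ == "__main__":
    final, log = simulate(SAMPLE_WININIT, SAMPLE_DISK)
    print("\n".join(log))
    for path in sorted(final):
        print(path, final[path])
```

Running it shows why the worm needs three lines rather than one: the second line moves the real WSOCK32.DLL out of the way first, so by the time the third line runs its destination no longer exists and the trojaned DLL.TMP is simply renamed into place. The log distinguishes that "rename to" case from a genuine "replace" of an existing file.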
Third, using wininit.ini to clean viruses completely

Cleaning viruses on the Windows platform runs into the same problem: how do you disinfect an infected file that is running or open? Once the working mechanism of wininit.ini is understood, anti-virus software can be designed like this: when an infected file is found that cannot be written because it is open or executing, make a copy of it and disinfect the copy; then create a wininit.ini in the Windows directory (first checking whether a wininit.ini already exists, and extending it rather than overwriting it if so), create the [Rename] section, and add a line: infected file name=replica file name. Continue cleaning; for every further file of this kind, add another line under [Rename]. Finally, strongly recommend that the user restart, or simply force a restart, so that wininit.ini is executed and the whole disinfection completes.

Beijing Tianren Letter Network Security Technology Co., Ltd. Copyright (C) 2000. All rights reserved.
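The staging step of this procedure, as an added example in Python rather than anything from the article: it creates wininit.ini if it is absent, otherwise finds the existing [Rename] section and appends inside it without disturbing other sections or entries an installer has already queued, and ignores a line that was already staged. The Windows directory is a temporary directory and the infected/replica paths are constructed; the replica is assumed to have been written and disinfected by the caller already, and no conversion to short 8.3 names is attempted.

```python
"""Queue a disinfected replica to overwrite an in-use file at the next
boot by creating or extending wininit.ini.  Added example; not the
article's code."""
import os
import tempfile

SECTION = "[Rename]"


def stage_replacement(windows_dir: str, infected: str, replica: str) -> str:
    """Add "infected=replica" to the [Rename] section of wininit.ini in
    WINDOWS_DIR, creating the file or the section if needed and leaving
    other sections and earlier entries untouched.  Returns the ini path.
    Paths must already be short (8.3) names on a real Windows 9x box."""
    ini_path = os.path.join(windows_dir, "wininit.ini")
    entry = f"{infected}={replica}"
    lines = []
    if os.path.exists(ini_path):          # never clobber a pending file
        with open(ini_path, "r", encoding="ascii", errors="replace") as f:
            lines = f.read().splitlines()
    # Already staged?  FAT names are case-insensitive, so compare lowered.
    if any(l.strip().lower() == entry.lower() for l in lines):
        return ini_path
    start = next((i for i, l in enumerate(lines)
                  if l.strip().lower() == SECTION.lower()), None)
    if start is None:
        if lines and lines[-1].strip():
            lines.append("")
        lines.append(SECTION)
        lines.append(entry)
    else:
        # Insert before the next section header (or at end of file),
        # skipping back over blank lines so the entry sits with the others.
        end = len(lines)
        for i in range(start + 1, len(lines)):
            if lines[i].strip().startswith("["):
                end = i
                break
        while end > start + 1 and not lines[end - 1].strip():
            end -= 1
        lines.insert(end, entry)
    with open(ini_path, "w", encoding="ascii", newline="\r\n") as f:
        f.write("\n".join(lines) + "\n")
    return ini_path


def demo():
    """Constructed scenario: an installer already left a wininit.ini with
    a pending deletion and its own section; a scan then finds two in-use
    files infected, and one of them is reported twice."""
    windows_dir = tempfile.mkdtemp()
    ini = os.path.join(windows_dir, "wininit.ini")
    with open(ini, "w", newline="\r\n") as f:
        f.write("[Rename]\nNUL=C:\\WINDOWS\\SETUP.TMP\n\n[Setup]\nreboot=1\n")
    stage_replacement(windows_dir, r"C:\WINDOWS\EXPLORER.EXE", r"C:\WINDOWS\EXPLORER.CLN")
    stage_replacement(windows_dir, r"C:\WINDOWS\SYSTEM\KERNEL32.DLL",
                      r"C:\WINDOWS\SYSTEM\KERNEL32.CLN")
    stage_replacement(windows_dir, r"C:\WINDOWS\EXPLORER.EXE", r"C:\WINDOWS\EXPLORER.CLN")
    with open(ini) as f:
        return f.read().splitlines()


if __name__ == "__main__":
    print("\n".join(demo()))
```

The same property that makes this useful for a disinfector is what makes wininit.ini attractive to the viruses above: it is a plain text file in the Windows directory, and whoever can write it gets an arbitrary file replaced before any protected-mode defence is running. A scanner that stages entries here should also inspect entries it did not write.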