Finding and removing nine popular Trojans


Source: Qianlong Net

Network Bull (NetBull)

Network Bull, or NetBull, is a domestically written Trojan; its default connection port is 23444 and the latest version is V1.1. Once the server program runs it copies itself to C:\Windows\System as Checkdll.exe, and Checkdll.exe then runs automatically at every boot, which makes it both well hidden and very harmful. As soon as the server runs it also bundles itself into the following files:

Under Win9x: Notepad.exe, Write.exe, Regedit.exe, Winmine.exe and WinHelp.exe.

Under WinNT/2000: Notepad.exe, Regedit.exe, Regedt32.exe, Drwtsn32.exe and WinMine.exe (Windows 2000 warns that a protected file has changed, but that warning does not stop these files from being modified).

Third-party programs that start automatically, such as RealPlay.exe, QQ and ICQ, are bundled as well. In the registry NetBull quietly adds the following entries:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Checkdll.exe"="C:\windows\system\checkdll.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Checkdll.exe"="C:\windows\system\checkdll.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Checkdll.exe"="C:\windows\system\checkdll.exe"

In my opinion NetBull is the most annoying of the lot. It does not rely on file association; it uses file bundling, gluing itself onto every file listed above, and that makes it very hard to clean out. You may ask why more Trojans do not use this technique. Plenty do, but bundling has a weakness: it exposes the Trojan easily. Any slightly experienced user will notice that the length of those files has changed and suspect a Trojan.

Removal:

1. Delete NetBull's self-starting file C:\Windows\System\Checkdll.exe.

2. Delete all of the registry values listed above.

3. Check the bundled files listed above. If a file's length has changed (it grows by roughly 40 KB; if in doubt compare it with the same file on a clean machine), restore it: open Start -> Programs -> Accessories -> System Tools -> System Information -> Tools -> System File Checker, select "Extract one file from installation disk", enter the name of the file to extract (the file you deleted), click OK and follow the on-screen prompts. If automatically started third-party programs such as RealPlay.exe, QQ or ICQ have been bundled, delete them and reinstall.
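The length check in step 3 generalises into a baseline comparison: record the size and hash of the system's executables while they are known to be clean, then compare the suspect machine against that record. The script below is an added example (not code from the article or from any vendor tool); it builds its baseline from constructed stand-in files in a temporary directory, and the 40 KB of growth it simulates is the figure quoted above.

```python
"""Baseline-and-compare check for bundled executables (added example).

record_baseline() fingerprints every file in a directory; compare() reports
files whose size or SHA-256 no longer match. demo() builds constructed
stand-ins for Notepad.exe and Regedit.exe in a temporary directory, then
grows one of them by about 40 KB the way a bundled Trojan would.
"""
import hashlib
import os
import tempfile

BUNDLE_GROWTH = 40 * 1024  # assumed: the ~40 KB growth quoted in the article


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return os.path.getsize(path), digest.hexdigest()


def record_baseline(directory):
    """Fingerprint every regular file in directory: {name: (size, sha256)}."""
    return {
        name: fingerprint(os.path.join(directory, name))
        for name in sorted(os.listdir(directory))
        if os.path.isfile(os.path.join(directory, name))
    }


def compare(baseline, directory):
    """Return {name: verdict} for every baselined file.

    Verdicts are "ok", "missing" or "modified (+N bytes)". A hash change with
    no size change still counts as modified: a patched file need not grow.
    """
    verdicts = {}
    for name, (size, sha) in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            verdicts[name] = "missing"
            continue
        now_size, now_sha = fingerprint(path)
        if (now_size, now_sha) == (size, sha):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "modified (%+d bytes)" % (now_size - size)
    return verdicts


def demo():
    """Constructed scenario: clean baseline, then one file gets a ~40 KB bundle."""
    with tempfile.TemporaryDirectory() as d:
        stand_ins = {"Notepad.exe": b"MZ" + b"\x00" * 3000,
                     "Regedit.exe": b"MZ" + b"\x01" * 5000}
        for name, body in stand_ins.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        baseline = record_baseline(d)
        # Simulate bundling: append a Trojan-sized blob to Notepad.exe only.
        with open(os.path.join(d, "Notepad.exe"), "ab") as f:
            f.write(b"\x90" * BUNDLE_GROWTH)
        return compare(baseline, d)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

In practice the baseline is recorded on the clean machine (or from the installation media) and carried to the suspect one; a size-only check misses a bundler that pads the file back to its original length, which is why the hash is kept alongside the size.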

NetThief

NetThief (Network God Thief) is the first "rebound port" Trojan!

What is a "rebound port" Trojan? It comes from analysing how firewalls behave: most firewalls filter connections coming in from outside very strictly but pay little attention to connections going out from the machine itself (firewalls that are strict in both directions do exist). So, unlike an ordinary Trojan, the server side of a rebound-port Trojan takes the active, connecting role and the client (control) side takes the passive, listening role. When a connection is wanted, the client publishes a notice on a web page hosted on its FTP/homepage space, in effect saying "connect to me now!", and enters the listening state; when the server reads the notice it connects out to the client. For concealment the client usually listens on port 80, so even if the user inspects the machine's connections with a port tool all they see is something like "TCP server-IP:1026 client-IP:80 ESTABLISHED", which at a glance looks like web browsing. The firewall sees it the same way; I doubt any firewall blocks a user's own connection to a remote port 80.

The latest news: domestic Trojan authors are experimenting with this Trojan on a large scale, and NetThief is becoming popular. The number of Chinese Trojans keeps growing, so everyone should be careful!
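The handshake described above, reproduced on the loopback interface as an added example (not code from the article or from NetThief): the controlling side listens, the implanted side dials out, and the implanted host ends up with no listening socket for a port scan to find. It assumes an ephemeral listening port instead of 80 (binding 80 needs privileges and the direction of the connection is the point), and the greeting it exchanges is a constructed payload, not any real Trojan protocol.

```python
"""Reverse ("rebound port") connection on loopback (added example).

The controller is passive and listens; the implanted side is active and
connects outward. Assumption: the controller binds an ephemeral port rather
than 80, since binding 80 needs privileges; only the direction matters here.
HELLO is a constructed greeting, not a real Trojan protocol.
"""
import socket
import threading

HELLO = b"rebound-demo hello"


def run_rebound_demo():
    """Perform one reverse connection; return each side's view of it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))       # 0 = any free port, standing in for 80
    listener.listen(1)
    controller_port = listener.getsockname()[1]
    views = {}

    def controller():
        # Passive end ("client" in the article): wait for the call, then answer.
        conn, peer = listener.accept()
        with conn:
            data = conn.recv(64)
            conn.sendall(b"ack")
            views["controller"] = {"local_port": conn.getsockname()[1],
                                   "remote_port": peer[1],
                                   "received": data}

    t = threading.Thread(target=controller, daemon=True)
    t.start()

    # Active end ("server" in the article): dials out like any client program.
    with socket.create_connection(("127.0.0.1", controller_port), timeout=5) as s:
        s.sendall(HELLO)
        reply = s.recv(8)
        views["implant"] = {"local_port": s.getsockname()[1],   # ephemeral
                            "remote_port": s.getpeername()[1],  # controller's port
                            "reply": reply}
    t.join(timeout=5)
    listener.close()
    return views


def netstat_line(view, local_ip="127.0.0.1", remote_ip="127.0.0.1"):
    """Render one side's view the way `netstat -an` would show it on that host."""
    return "TCP %s:%d %s:%d ESTABLISHED" % (
        local_ip, view["local_port"], remote_ip, view["remote_port"])


if __name__ == "__main__":
    v = run_rebound_demo()
    print("implanted host sees:   ", netstat_line(v["implant"]))
    print("controlling host sees: ", netstat_line(v["controller"]))
```

Printed from the implanted host's side the line has an ephemeral local port and a fixed remote port, exactly the shape of a browser session; a scanner aimed at that host finds nothing listening. Telling it apart from real browsing needs process attribution (which program owns the socket), not port numbers.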

Removal:

1. NetThief creates a value named "Internet" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run with the data "Internet.exe /S"; delete that value.

2. Delete its self-starting file C:\Windows\System\Internet.exe.

That finishes off NetThief.

Way2.4 (Fire Phoenix, Rogue)

Way2.4, also known as Fire Phoenix or Rogue, is a domestic Trojan; the default connection port is 8011. Many Trojan authors praise its powerful registry control when they introduce it, and that is exactly what makes it a threat to us. In my own tests Way2.4's registry handling really is distinctive: reading and writing the controlled machine's registry is as convenient as reading and writing the local one. That beats Glacier, whose registry operations are far from intuitive and require every value to be typed in by hand; Way2.4 can fairly be called the registry expert among Trojans.

After the Way2.4 server runs it installs itself under C:\Windows\System with a text-file icon, which is very inconspicuous. The file is 235,008 bytes with a modification time of May 30, 1998, and it appears to be imitating a system file (msgsvc32.exe). At the same time Way2.4 creates a string value named Msgtask under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run with the data C:\Windows\System\msgsvc.exe. A process management tool will show C:\Windows\System\msgsvc.exe among the running processes.

Removal:

To clear Way2.4, delete the registry value above, then delete Msgsvc.exe under C:\Windows\System. Msgsvc.exe cannot be deleted while it is running under Windows; terminate the process with a process management tool first and then delete it, or delete Msgsvc.exe from DOS. If the server has been bundled into an executable file, that executable must be deleted as well. Make a backup before deleting.

Glacier

Glacier is probably the most famous Trojan of all; even people who have only just started using computers have heard of it. Although many anti-virus products can kill it, there are still hundreds of thousands of Glacier infections in China. As a Trojan it set the record for the most users and the most victims! There are now many Glacier variants; what we introduce here is the standard version. Once you can clear the standard version, the variants are easier to deal with.

The server program is G-Server.exe and the client program is G-Client.exe; the default connection port is 7626. Once G-Server runs it generates Kernel32.exe and Sysexplr.exe in the C:\Windows\System directory and deletes itself. Kernel32.exe is loaded automatically at system start, and Sysexplr.exe is associated with TXT files. Even if you delete Kernel32.exe, as soon as you open a TXT file Sysexplr.exe is activated and generates Kernel32.exe again, and Glacier is back. That is why Glacier keeps returning after being deleted.

Removal:

1. Delete Kernel32.exe and Sysexplr.exe under C:\Windows\System.

2. Glacier adds a value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run with the data C:\Windows\System\Kernel32.exe; delete it.

3. It adds the same value, with the data C:\Windows\System\Kernel32.exe, under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices; delete that too.

4. Finally, change the default value of HKEY_CLASSES_ROOT\txtfile\shell\open\command from the Trojan's C:\Windows\System\Sysexplr.exe %1 back to the normal C:\Windows\Notepad.exe %1, which restores the TXT file association.

Guangwai Girl

Guangwai Girl, written by the "Guangwai Girl" network team at Guangdong University of Foreign Studies, is a new remote control tool and a very destructive one; remote upload, download, file deletion and registry modification go without saying. Worse, once the Guangwai Girl server is executed it automatically checks whether any running process name contains strings such as "Kingsoft AntiVirus", "Firewall", "iParmor", "TCMonitor", "LockDown", "Kill" or "Tianwang" and terminates any process that matches, so the firewall loses its protective role.

After the Trojan runs it writes a copy of itself to the System directory as Diagcfg.exe and associates that file with .exe files; if the file is simply deleted, no .exe file on the system can be opened any more.

Removal:

1. Because the file cannot be deleted while the Trojan is running, boot into pure DOS mode, find Diagcfg.exe in the System directory and delete it.

2. Now that Diagcfg.exe is gone, no .exe file can run in the Windows environment. Find the registry editor regedit.exe in the Windows directory and rename it regedit.com.

3. Return to Windows and run regedit.com from the Windows directory (the file you just renamed).

4. Find HKEY_CLASSES_ROOT\exefile\shell\open\command and change its default value to "%1" %*.

5. Find HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices and delete the value named "Diagnostic Configuration".

6. Close the registry editor, return to the Windows directory and rename regedit.com back to regedit.exe.

7. Done.

Smart Gene

Smart Gene is another domestic Trojan; the default connection port is 7511. The server file GenueServer.exe carries an HTM file icon, so if your system is set not to display file extensions you will take it for an HTM file and be fooled easily. The client file is GenueClient.exe. If you run GenueServer.exe by mistake it installs itself and then launches IE to reinforce the impression that it was an HTM file, and it generates a GenueServer.htm file after running, again to confuse you. Cunning, isn't it?

That is what Trojans do: they deceive you without discussion. Smart Gene is a file-association Trojan. After running it generates three files: C:\Windows\MBBManager.exe, C:\Windows\Explore32.exe and C:\Windows\System\Editor.exe, all three with HTM file icons; unless you pay attention you really will take them for HTM files.

Explore32.exe is associated with HLP files, MBBManager.exe is loaded at startup, and Editor.exe is associated with TXT files. Finding and deleting MBBManager.exe alone does not clear it: as soon as you open an HLP file or a text file, Explore32.exe or Editor.exe is activated and regenerates the resident MBBManager.exe. Want to clear me? Not that easy!

The most frightening feature of Smart Gene is its ability to permanently hide the remote host's drives. If the controller selects that option the controlled machine is in serious trouble; getting the drives back is not easy.

Removal:

1. Delete the files. Delete MBBManager.exe and Explore32.exe under C:\Windows, then delete Editor.exe under C:\Windows\System. If the server is already running you must first terminate the MBBManager.exe process with process management software and then delete it under Windows, or delete MBBManager.exe from pure DOS. Editor.exe can be deleted directly under Windows.

2. Delete the self-start entry. In the registry go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the value "MainBroad BackManager", whose data is C:\Windows\MBBManager.exe. It is loaded at every boot, so delete it without hesitation.

3. Restore the TXT file association. Smart Gene changes the default value of HKEY_CLASSES_ROOT\txtfile\shell\open\command from C:\Windows\Notepad.exe %1 to C:\Windows\System\Editor.exe %1, so restore the original value. Likewise, under HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command, change the default value from C:\Windows\System\Editor.exe %1 back to C:\Windows\Notepad.exe %1. This restores TXT files.

4. Restore the HLP file association. Smart Gene changes the default value of HKEY_CLASSES_ROOT\hlpfile\shell\open\command to C:\Windows\Explore32.exe %1, so restore the original value C:\Windows\Winhlp32.exe %1. Likewise, under HKEY_LOCAL_MACHINE\Software\Classes\hlpfile\shell\open\command, change the default value from C:\Windows\Explore32.exe %1 back to C:\Windows\Winhlp32.exe %1. This restores HLP files.

Now you can say goodbye to Smart Gene!

Black Hole 2001

Black Hole 2001 is a domestic Trojan; the default connection port is 2001. What makes Black Hole frightening is its powerful process control: the controlling end can terminate any process on the controlled end, and if that process is a firewall such as Tianwang, your protection is gone and the hacker can drive straight into your system.

After the Black Hole 2001 server is executed it generates two files under C:\Windows\System. One is S_Server.exe, a direct copy of the server that uses a folder icon; be careful, this is an executable file, not a folder. The other is Windows.exe, 255,488 bytes, with an unknown-file-type icon. Black Hole 2001 is a typical file-association Trojan: Windows.exe runs as soon as the machine is switched on and opens the default connection port 2001, while S_Server.exe is associated with TXT files. When someone discovers the Trojan and deletes Windows.exe from DOS, the server is only shut down temporarily; the next time any text file is opened the hidden S_Server.exe is activated, regenerates Windows.exe, and the Trojan is back.

Removal:

1) Change the default value of HKEY_CLASSES_ROOT\txtfile\shell\open\command from S_Server.exe %1 to C:\Windows\Notepad.exe %1.

2) Change the default value of HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command from S_Server.exe %1 to C:\Windows\Notepad.exe %1.

3) Delete the string value "Windows" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.

4) Delete the WinVXD key under HKEY_CLASSES_ROOT and under HKEY_LOCAL_MACHINE\Software\Classes.

5) Delete the two Trojan files Windows.exe and S_Server.exe under C:\Windows\System. Note that if Black Hole 2001 is already running, Windows.exe cannot be deleted directly in the Windows environment; delete it in DOS mode, or use process management software to terminate the Windows.exe process and then delete it.

At this point Black Hole 2001 has been cleared safely.
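The removal steps for Glacier, Guangwai Girl, Smart Gene and Black Hole 2001 all come down to the same two checks: what is loaded from the Run/RunServices keys, and whether the shell\open\command handlers for .txt, .hlp and .exe still point at the normal programs. The script below is an added example (not the article's code) that performs both checks over a regedit export (the REGEDIT4 text format written by regedit /e) and writes out a REGEDIT4 fragment that restores hijacked handlers. The export it runs on is constructed from values named in the article (the exact command Guangwai Girl writes into the .exe handler is not given there, so that line is an assumption), and the expected handler strings are the Windows 9x defaults the article quotes.

```python
"""Audit a regedit export (REGEDIT4 format) for the persistence tricks used by
the Trojans above: autostart values under Run/RunServices (and the *Once
variants) and hijacked shell\\open\\command handlers for .txt, .hlp and .exe.

Added example, not the article's code. SAMPLE_EXPORT is constructed from the
registry values the article lists; EXPECTED_HANDLERS are the Windows 9x
defaults, compared case-insensitively. On a real machine export the keys with
`regedit /e` first and feed that file to parse_reg().
"""
import re

AUTOSTART_SUFFIXES = ("\\run", "\\runonce", "\\runservices", "\\runservicesonce")

# Lower-case on purpose: audit() compares against actual.lower().
EXPECTED_HANDLERS = {
    "txtfile": r"c:\windows\notepad.exe %1",
    "hlpfile": r"c:\windows\winhlp32.exe %1",
    "exefile": '"%1" %*',
}

HANDLER_KEY = re.compile(r"\\(txtfile|hlpfile|exefile)\\shell\\open\\command$")


def _unescape(data):
    # .reg files write a quote as \" and a backslash as \\
    return data.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values of a .reg
    export; a key's default value is stored under the name '@'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][name] = _unescape(data[1:-1])  # dword:/hex: skipped
    return keys


def audit(keys):
    """Return findings as (kind, key_path, detail, data) tuples."""
    findings = []
    for path, values in keys.items():
        lower = path.lower()
        if lower.endswith(AUTOSTART_SUFFIXES):
            # Every autostart value is reported; the reader decides which are legitimate.
            for name, command in values.items():
                findings.append(("autostart", path, name, command))
        match = HANDLER_KEY.search(lower)
        if match:
            ftype = match.group(1)
            actual = values.get("@", "")
            if actual.lower() != EXPECTED_HANDLERS[ftype]:
                findings.append(("hijacked_handler", path, ftype, actual))
    return findings


def restore_fragment(findings):
    """REGEDIT4 text that puts every hijacked handler back to its default."""
    lines = ["REGEDIT4", ""]
    for kind, path, ftype, _ in findings:
        if kind == "hijacked_handler":
            escaped = EXPECTED_HANDLERS[ftype].replace("\\", "\\\\").replace('"', '\\"')
            lines += ["[%s]" % path, '@="%s"' % escaped, ""]
    return "\n".join(lines)


# Constructed export: Smart Gene's and Black Hole 2001's autostart entries,
# Glacier's .txt hijack, a clean .hlp handler, and an .exe handler redirected
# to Diagcfg.exe (Guangwai Girl; the exact command string is an assumption).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MainBroad BackManager"="c:\\windows\\mbbmanager.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows"="c:\\windows\\system\\windows.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\System\\Sysexplr.exe %1"

[HKEY_CLASSES_ROOT\hlpfile\shell\open\command]
@="C:\\Windows\\Winhlp32.exe %1"

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="C:\\Windows\\System\\Diagcfg.exe \"%1\" %*"
'''

if __name__ == "__main__":
    found = audit(parse_reg(SAMPLE_EXPORT))
    for finding in found:
        print(finding)
    print(restore_fragment(found))
```

Import the generated fragment with regedit only after the Trojan's files are gone, for the reason the article gives: while Sysexplr.exe, Editor.exe or S_Server.exe is still on disk and still associated, opening a text file re-creates the loader. Note that restoring the .exe handler from this fragment presumes regedit can run; when it cannot, the regedit.com rename from the Guangwai Girl steps applies first.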

Netspy (Network Elf)

Netspy, also called Network Elf, is a domestic Trojan; the latest version is 3.0 and the default connection port is 7306. This release adds registry editing and browser monitoring, and the client can now control the target remotely through IE or Navigator; it is no weaker than Glacier or BO2000. After the server program is executed it generates NetSpy.exe in the C:\Windows\System directory and creates a value with the data C:\Windows\System\netspy.exe under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, so that it is loaded automatically at system start.

Removal:

1. Restart the machine and, when the "Starting Windows" prompt appears, press F8 and choose "Command prompt only". In the C:\Windows\System directory run: del netspy.exe

2. Open HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run in the registry and delete the Netspy value. Netspy is now completely removed.

SubSeven

SubSeven is more powerful than the famous BO2K. The latest version is 2.2 (default connection port 27374), and the server is only 54.5 KB, so it is easily bundled into other software without being noticed. Even the latest anti-virus products cannot find it. The server program is Server.exe and the client program is SubSeven.exe. Once the SubSeven server is executed it is polymorphic: the process name changes at every start, which makes it hard to find.

Removal:

1. Open the registry with regedit and go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and RunServices. If there is a loader entry on the right, such as loader="C:\Windows\System\***", delete it. Note that both the value name and the file name change randomly.

2. Open Win.ini and check whether an executable file name has been added to the "run=" line; if so, delete it.

3. Open System.ini and check whether anything has been appended after "shell=explorer.exe"; if so, delete it.
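Steps 2 and 3 are the two legacy INI autostart hooks, and they are easy to check mechanically. The script below is an added example (not the article's code): it reads the [windows] run= and load= lines of Win.ini and the [boot] shell= line of System.ini and reports anything riding on them. The four INI texts are constructed, and the file name qrtm.exe in them stands in for SubSeven's randomly chosen loader name; it is not a real indicator.

```python
"""Audit the INI autostart hooks SubSeven abuses (added example, not the
article's code): run= and load= in the [windows] section of Win.ini and
shell= in the [boot] section of System.ini. A clean Windows 9x install has
empty run=/load= lines and shell=Explorer.exe with nothing appended.
"""


def ini_sections(text):
    """Minimal INI reader: {section_lower: {key_lower: value}}.
    Windows honours the first occurrence of a duplicated key, so do we."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip().lower(), value.strip())
    return sections


def audit_win_ini(text):
    """Programs launched via load= or run=, as (key, program) pairs.
    Entries are space- or comma-separated; a clean file yields []."""
    windows = ini_sections(text).get("windows", {})
    found = []
    for key in ("load", "run"):
        for program in windows.get(key, "").replace(",", " ").split():
            found.append((key, program))
    return found


def audit_system_ini(text):
    """Tokens riding on shell=. [] means the line is clean; if the shell was
    replaced outright every token is reported, not just the tail."""
    shell = ini_sections(text).get("boot", {}).get("shell", "")
    tokens = shell.split()
    if not tokens:
        return []
    if tokens[0].lower() != "explorer.exe":
        return tokens
    return tokens[1:]


# Constructed samples. qrtm.exe stands in for SubSeven's random loader name.
CLEAN_WIN_INI = "[windows]\nload=\nrun=\nNullPort=None\n[Desktop]\nWallpaper=(None)\n"
INFECTED_WIN_INI = "[windows]\nload=\nrun=c:\\windows\\system\\qrtm.exe\n[Desktop]\nWallpaper=(None)\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\nsystem.drv=system.drv\n[386Enh]\ndevice=*vpowerd\n"
INFECTED_SYSTEM_INI = "[boot]\nshell=Explorer.exe c:\\windows\\system\\qrtm.exe\nsystem.drv=system.drv\n"

if __name__ == "__main__":
    print("win.ini run/load:", audit_win_ini(INFECTED_WIN_INI))
    print("system.ini shell tail:", audit_system_ini(INFECTED_SYSTEM_INI))
```

Because the article notes that SubSeven's file name changes on every start, the audit deliberately flags any program on these lines rather than matching a name; whatever it lists should be explained before the machine is declared clean.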

When reposting, please cite the original URL: https://www.9cbs.com/read-78190.html
