This is a virus written in Borland C++. Once a system is infected, the start page of Internet Explorer and other browsers is changed to hxxp://wxw.3448.c0m/. The virus protects itself with API hooks. It is downloaded and executed by other malicious programs or downloaders, and it uses random file names so that cleanup by file name does not work.

After it runs, the virus behaves as follows.

First, it achieves automatic startup by adding itself under the registry key Software\Microsoft\Windows\CurrentVersion\Run. The virus is mainly loaded through Rundll32.exe. It also infects the import table of Tencent QQ's TimProxy.dll, so that it is loaded whenever the user starts QQ.

Second, once loaded it uses Windows message hooks to inject itself into other processes, and acts differently depending on the process name:
1. Hooks process APIs for self-protection.
2. When injected into QQ.EXE, it only modifies the registry.
3. When injected into EXPLORER.EXE, it carries out the main actions:
(1) Damages the SafeBoot registry key, so that the system can no longer enter safe mode.
(2) Downloads files and, depending on the file type, updates them, runs them, or replaces the hosts file.
(3) Infects the import table of Tencent QQ's TimProxy.dll.
The copy loaded through Rundll32.exe copies itself into the system directory (%systemdir%) and the driver directory (%systemdir%\drivers).

Third, it modifies the following registry values:
Key: Software\Microsoft\Internet Explorer\Main, value "Start Page", data: "Http://www.3448.com"
Key: Software\Microsoft\Internet Explorer\Search, value "CustomizeSearch", data: "Http://www.3448.com"
Key: Software\Microsoft\Internet Explorer\Search, value "SearchAssistant", data: "Http://www.3448.com"

Fourth, it searches for processes whose name, or whose window text, contains any of the following strings, and shuts the computer down when one is found.
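The following Python script is an added example, not code from the original 51cto analysis, that triages the persistence and hijacking indicators described above offline. It parses a Windows .reg export and a hosts file, both supplied here as constructed sample text, and reports Run-key values that start rundll32.exe with a DLL under system32 or system32\drivers, the three Internet Explorer values pointing at 3448.com, a missing SafeBoot key, and hosts entries for 3448.com. The random file name wa4k1q.dll, the HKCU hive, and the 203.0.113.5 address are assumptions; %systemdir% is taken to be system32, and the .reg parser is a simplified one that does not handle multi-line hex values.

```python
import re

# Constructed sample .reg export, not a real capture: the random value name
# wa4k1q and the HKCU hive are assumptions. `reg export` writes UTF-16LE, so
# decode a real file before passing its text in.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"wa4k1q"="rundll32.exe C:\\WINDOWS\\system32\\drivers\\wa4k1q.dll,Start"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.3448.com"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"CustomizeSearch"="http://www.3448.com"
"SearchAssistant"="http://www.3448.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
'''
# Constructed sample hosts file; 203.0.113.5 is a documentation-range address.
HOSTS_SAMPLE = '''127.0.0.1       localhost
203.0.113.5     www.3448.com   # entry added by the infection in this sample
'''

_KEY = re.compile(r'^\[(-?)(.+)\]$')                 # [key] or [-key] (delete)
_VAL = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')    # "name"=data or @=data
_RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)', re.IGNORECASE)
_RUN_SUFFIX = r'\software\microsoft\windows\currentversion\run'
_IE_VALUES = {
    r'\software\microsoft\internet explorer\main': ('Start Page',),
    r'\software\microsoft\internet explorer\search': ('CustomizeSearch', 'SearchAssistant'),
}
_CONTROL = r'\system\currentcontrolset\control'


def _unquote(s):
    """Strip surrounding quotes and undo .reg backslash escaping."""
    return re.sub(r'\\(.)', r'\1', s[1:-1])


def parse_reg_export(text):
    """Map each [key] to {value name: data}; string data is unescaped, other types kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', 'Windows Registry Editor')):
            continue
        m = _KEY.match(line)
        if m:
            current = keys.setdefault(m.group(2), {})
            continue
        m = _VAL.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unquote(m.group(1))
            data = m.group(2)
            current[name] = _unquote(data) if data.startswith('"') and data.endswith('"') else data
    return keys


def suspicious_run_entries(keys):
    """Run-key values that start rundll32 with a DLL under system32 (covers system32\\drivers)."""
    hits = []
    for key, values in keys.items():
        if key.lower().endswith(_RUN_SUFFIX):
            for name, data in values.items():
                m = _RUNDLL.search(data)
                if m and '\\system32\\' in m.group(1).lower():
                    hits.append(f'{key}\\{name} = {data}')
    return hits


def hijacked_ie_values(keys, marker='3448.com'):
    """The three IE values the analysis names, where they point at the rogue site."""
    hits = []
    for key, values in keys.items():
        for suffix, names in _IE_VALUES.items():
            if key.lower().endswith(suffix):
                hits += [f'{key}\\{n} = {values[n]}' for n in names
                         if marker in values.get(n, '').lower()]
    return hits


def safeboot_missing(keys):
    """True when CurrentControlSet\\Control was exported but has no SafeBoot subkey."""
    lowered = [k.lower() for k in keys]
    return any(_CONTROL in k for k in lowered) and not any(_CONTROL + r'\safeboot' in k for k in lowered)


def hosts_hits(text, marker='3448.com'):
    """Non-comment hosts entries whose hostnames mention the rogue domain."""
    hits = []
    for raw in text.splitlines():
        fields = raw.split('#', 1)[0].split()
        if len(fields) > 1 and any(marker in h.lower() for h in fields[1:]):
            hits.append(' '.join(fields))
    return hits


def triage(reg_text, hosts_text):
    """Combine the checks into one list of findings; rundll32 hits are leads, not verdicts."""
    keys = parse_reg_export(reg_text)
    findings = ['run: ' + h for h in suspicious_run_entries(keys)]
    findings += ['ie: ' + h for h in hijacked_ie_values(keys)]
    if safeboot_missing(keys):
        findings.append('safeboot: no SafeBoot key under CurrentControlSet\\Control')
    findings += ['hosts: ' + h for h in hosts_hits(hosts_text)]
    return findings


if __name__ == '__main__':
    for finding in triage(REG_SAMPLE, HOSTS_SAMPLE):
        print(finding)
```

Legitimate software also registers rundll32 entries under Run, so the Run-key check yields leads to inspect (the DLL's name, location and signature), not a verdict; the SafeBoot check only means something when the HKLM\SYSTEM Control key was included in the export, which is why it returns False on an export that lacks that key entirely.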
Responsible editor: Zhao Zhaoyi (51cto.com). Original title: Analysis of rogue software "3448".