Author: Tian Yuan, QQ: 354887. Please credit the source when reprinting.
Recently a user on our intranet reported that some websites prompted him to install a plug-in called "3721 Chinese Real Name". Some users clicked "Install" without knowing what it was, and afterwards found it very hard to remove from the hard disk. Although tianyuan works as a network administrator, I do not use Windows much and had never used the 3721 plug-in. The users were anxious, though, so I agreed to do what I could. After several attempts I finally got rid of it.
Below I describe the removal experience and the solution.
Tianyuan used a Windows XP machine to visit the site the user reported, then downloaded and ran the plug-in. The plug-in is in Chinese; it installs itself automatically, takes effect after a restart, and comes with an uninstall function. By comparing the system before and after installation and after uninstallation, tianyuan concluded that the plug-in is in effect a virus: it is resident, it protects itself, and it costs a great deal of system performance.
Symptoms:
1. The browser's "Search" function is redirected to www.3721.com, a Chinese site, and the setting cannot be changed back;
2. Icons such as "Situational Chat" and "Internet Acceleration" are forcibly added to the user's IE;
3. It keeps rewriting registry values to stay resident, and consumes a large amount of host resources;
4. It loads at every boot and protects its own processes, so it is hard to kill under a normal Windows start;
5. It upgrades itself automatically in the background whenever the user goes online with IE;
Characteristics:
1. It provides an uninstaller. The uninstall program hides the virus and lulls plug-in users; however, in tianyuan's experience the program remains resident after "uninstalling", still loads at startup, and still monitors and rewrites the registry;
2. It upgrades over the network. To evade users and anti-virus software it is regularly updated online, like other recent mainstream Windows viruses. Notably, it has a public website, www.3721.com, that looks like a portal or service site, which makes it highly deceptive;
3. It loads as a driver. This is a technical leap for virus writing in this period: it loads in driver mode and installs hooks, making it hard to scan for and remove from within Windows (technical details are discussed below);
4. It offers a genuine feature: you can type Chinese characters into the browser address bar and be taken to its site to search for the keyword. Some time ago the Blaster-killer worm (Welchia) connected infected machines to update.microsoft.com; new viruses seem increasingly fond of providing some alternative functionality;
5. Passive spread: it is distributed through certain websites rather than actively infecting other machines, much like the popular "Beauty Pictures" virus. Moving from active to passive spread is one of this year's new virus traits;
Detailed analysis:
1. When the user visits the site, a control download window pops up prompting the user to download and install the service. On the surface it offers a Chinese real-name service, which entices the user to install it;
2. During installation it modifies user files and the registry in many places;
Files added:
1. Under \Documents and Settings\All Users\Start Menu\Programs\Network Real Name\:
   Learn more about Network Real Name.url   86 bytes
   Clear Internet Records.url               100 bytes
   Internet Assistant.url                   99 bytes
   Uninstall Network Real Name.lnk          1,373 bytes
   Fix Browser.url                          103 bytes
2. Under \WINDOWS\Downloaded Program Files\:
   Assis.ico       5,734 bytes
   Cns02.dat       1,652 bytes
   CnsHook.dll     56,320 bytes
   CnsMin.cab      116,520 bytes
   CnsMin.dll      179,712 bytes
   CnsMin.inf      378 bytes
   Sms.ico         6,526 bytes
   Yahoomsg.ico    5,734 bytes
3. Under \WINDOWS\System32\Drivers\:
   CnsMinKP.sys
Registry entries added:
1. The key HKEY_LOCAL_MACHINE\SOFTWARE\3721, with many subkeys and values;
2. Under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID, two subkeys:
   {B83FC273-3522-4CC6-92EC-75CC86678DA4}
   {D157330A-9EF3-49F8-9A67-4141AC41ADD4}
3. Under HKEY_LOCAL_MACHINE\SOFTWARE\Classes, four subkeys:
   CnsHelper.CH
   CnsHelper.CH.1
   CnsMinHK.CnsHook
   CnsMinHK.CnsHook.1
4. Under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface, the subkey
   {1BB0ABBE-2D95-4847-B9D8-6F90DE3714C1}
5. Under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib, the subkeys
   {A5ADEAE7-A8B4-4F94-9128-BF8D8DB5E927}
   {AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267}
6. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions, the subkey
   !CNS
7. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions, five subkeys:
   {201710000-0000-0001-0001-596baedd1289}
   {0F7DE07D-BD74-4991-9D5F-ECBB8391875D}
   {5D73EE86-05F1-49ed-B850-E423120EC338}
   {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71}
   {FD00D911-7529-4084-9946-A29F1BDF4FE5}
8. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search, the subkeys
   CustomizeSearch
   OcustomizeSearch
   SearchAssistant
   OsearchAssistant
9. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks, the subkey
   {D157330A-9EF3-49F8-9A67-4141AC41ADD4}
10. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
   CnsMin
11. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce:
   EK_Entry (note: this entry takes effect at the next boot and produces the most annoying part, described below)
12. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall:
   CnsMin
13. Under HKEY_CURRENT_USER\Software:
   3721
14. Under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, the values
   CNSAutoUpdate
   CNSEnable
   CNSHint
   CNSList
   CNSMenu
   CNSReset
After the computer is restarted, EK_Entry in RunOnce takes effect: it creates the most troublesome registry entry, CnsMinKP, and at the same time drops CnsMinKP.sys into windows\system32\drivers on the system disk. This is where the nightmare begins.
Because the driver is registered to load when Win2k/XP starts (including in Safe Mode), CnsMinKP.sys is loaded at every boot. One of its jobs is to make sure that CnsHook.dll and CnsMin.dll under windows\Downloaded Program Files, and the driver itself, cannot be deleted. CnsHook.dll provides the Chinese real-name function; CnsMin.dll keeps it resident inside the IE process. To keep CnsMin at the highest priority, a timer routine re-installs the hooks over and over, which drags down system performance; on tianyuan's test machine the loss was about 20%. Moreover, because the hooks are forcibly installed, programs that use breakpoint debugging frequently fail, much as early versions of CIH caused WinZip to crash and shut down. (For the technical details see the article "[Reprint] A brief study of 3721's resident mechanism", http://www.nsfocus.net/index.php?act=sec_doc&do=view&doc_id=894, original author Quaful @ Shuimu Tsinghua.)
Anti-deletion:
Although the virus comes with a so-called "uninstall program", the core program and registry entries are still not removed, and the virus uses several techniques that make it extremely resistant to deletion.
CnsMinKP.sys in windows\system32\drivers is loaded when Windows starts (including in Safe Mode). The driver filters deletion operations aimed at itself, its related key files and its registry keys: every attempt to delete a 3721 key file or registry key simply returns TRUE, so Windows believes the deletion succeeded while the file or key is still there.
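The practical consequence of that last point is that a return code from a delete call is worthless on an infected machine; the only reliable check is to re-test for the object afterwards. The following script is an added example, not code from the original post or from 3721: it sweeps a host for the file and registry artifacts listed above and deletes files with an existence re-check, flagging the case where the delete "succeeded" but the file is still present. It assumes the Windows directory is in `%WINDIR%`, and the `Services\CnsMinKP` registry path is an assumption (the post says a CnsMinKP registry entry is created but does not give its location). The probes are injectable so the logic can be exercised on a clean machine, or off Windows, where `winreg` is absent and the registry sweep reports nothing.

```python
"""Added example (not from the original post): sweep a host for the 3721/CnsMin
artifacts listed above and delete files with an existence re-check, because the
post reports that CnsMinKP.sys answers delete requests with success while the
file or key stays in place.  Runs anywhere; registry checks only do work on
Windows (winreg)."""
import os

try:
    import winreg  # Windows only; elsewhere the registry sweep reports nothing
except ImportError:
    winreg = None

WINDIR = os.environ.get("WINDIR", r"C:\WINDOWS")

# File artifacts named in the post.
FILE_IOCS = [
    os.path.join(WINDIR, "Downloaded Program Files", name)
    for name in ("CnsHook.dll", "CnsMin.dll", "CnsMin.cab", "CnsMin.inf", "Cns02.dat")
] + [os.path.join(WINDIR, "System32", "Drivers", "CnsMinKP.sys")]

# Registry artifacts named in the post as (hive, key, value-or-None).  The
# Services\CnsMinKP path is an assumption: the post says a CnsMinKP registry
# entry is created but does not name its location.
REG_IOCS = [
    ("HKLM", r"SOFTWARE\3721", None),
    ("HKLM", r"SOFTWARE\Classes\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}", None),
    ("HKLM", r"SOFTWARE\Classes\CLSID\{D157330A-9EF3-49F8-9A67-4141AC41ADD4}", None),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "CnsMin"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "EK_Entry"),
    ("HKLM", r"SYSTEM\CurrentControlSet\Services\CnsMinKP", None),  # assumed path
    ("HKCU", r"Software\3721", None),
]

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def reg_exists(hive, key, value=None):
    """True if the key (and, when given, the named value) can be opened."""
    if winreg is None:
        return False
    try:
        with winreg.OpenKey(getattr(winreg, HIVES[hive]), key) as h:
            if value is not None:
                winreg.QueryValueEx(h, value)
        return True
    except OSError:
        return False


def sweep(file_exists=os.path.exists, key_exists=reg_exists):
    """Return the artifacts from the post that are present on this host.

    The probes are injectable so the logic can be exercised without the
    infection (and off Windows)."""
    hits = [p for p in FILE_IOCS if file_exists(p)]
    hits += [
        f"{hive}\\{key}" + (f" -> {value}" if value else "")
        for hive, key, value in REG_IOCS
        if key_exists(hive, key, value)
    ]
    return hits


def verified_delete(path, remove=os.remove, exists=os.path.exists):
    """Delete a file and then confirm it is really gone.

    Returns 'absent' (nothing to do), 'deleted', 'error:<reason>' when the
    delete call itself fails, or 'still_present' when the call reported
    success but the file remains: the lying behaviour the post describes,
    and the signal that the protecting driver must be stopped first."""
    if not exists(path):
        return "absent"
    try:
        remove(path)
    except OSError as e:
        return f"error:{e.strerror or e}"
    return "still_present" if exists(path) else "deleted"


if __name__ == "__main__":
    found = sweep()
    print(f"{len(found)} 3721 artifact(s) present")
    for item in found:
        print("  ", item)
    for path in FILE_IOCS:
        if os.path.exists(path):
            print(f"{path}: {verified_delete(path)}")
```

A `still_present` result is the tell-tale described in this section: the filter driver acknowledged the delete and did nothing, so the files will only go once CnsMinKP.sys is prevented from loading (for example from an environment where the driver is not running).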
Technical highlights:
Tianyuan has to admit that the 3721 virus plug-in is the hardest virus to remove that I have met since becoming a network administrator. Over the years viruses have made several major breakthroughs: CIH showed that a virus could attack a flashable BIOS; Code Red showed the consequences of Windows' expansion of shared services; Melissa showed us what a virus written in source (macro) form looks like; the MS SQL Server worm made us notice that viruses can attack not only hosts but also network devices; Blaster made us realize how terrible a security hole becomes when the same operating system is deployed in huge numbers; the "Beauty Pictures" virus showed us the power of combining the art of deception with software vulnerabilities; and this 3721 virus is the first to show a virus with powerful anti-deletion capability, one that essentially cannot be killed from within Windows. Although it is a benign virus that does not damage the system, judging by the history of virus development it is foreseeable that this near-perfect anti-deletion technique will soon be borrowed by other viruses. Combined with network propagation, local networks will be hit by viruses with strong anti-deletion features, which may be the greatest test yet for anti-virus software on the Windows platform. This experience also made me aware of the crisis behind the user-friendliness, visual design and dumbing-down of Microsoft's Windows. As an IT peer I personally admire the techniques used by the authors of the 3721 virus, but they have opened a Pandora's box for new viruses:
1. Among known viruses, only a few have previously used drivers auto-loaded from system32\drivers on Windows NT for propagation, and when they were poorly written the NT system frequently crashed to a blue screen. The 3721 plug-in loads and resides in other processes cleanly, costing only host resources; monitoring the registry and key files without causing system errors is a first both in China and abroad, and the technique is more mature than in earlier viruses;
2. Just as tianyuan and others have discussed how a Win2k machine without SP2 or later can go online to download and install SP4, the point here is that CnsMinKP.sys is bound to be loaded when the system starts. To stop it loading you would have to edit the corresponding CnsMinKP registry value or delete the file. But because CnsMinKP.sys filters deletion operations on itself and its related files and registry keys, every such attempt returns TRUE while the object stays in place, so the registry cannot be modified and the files cannot be deleted. This defeats our traditional countermeasures against viruses and Trojans;
3. Residing in the IE process and upgrading automatically keep the virus extremely robust