About the recent flood of gray pigeon viruses (Huigezi and Gpigeon)
Source: Internet
Author: User
Post transferred from the original Forum jakee:
Recently many netizens have reported that their machines are infected with a trojan called Gray Pigeon, which is very stubborn and is given different names by different anti-virus products, such as Gpigeon, Huigezi and Feutel. It is very troublesome to remove, especially the newly developed 2005 version. By hooking Windows system APIs it hides its program files, its process and its service, so in normal mode the trojan files usually cannot even be found, let alone removed, which gives users a headache. This article briefly introduces the operating principle of the Gray Pigeon trojan, how to detect it manually, how to remove it manually, and precautions against infection. Most of the content was collected from the Internet and then sorted and reworked; if your rights are infringed, please point it out and I will correct it immediately.
1. Introduction to the Gray Pigeon trojan
Gray Pigeon is a famous backdoor in China. Compared with its predecessors Glacier and Black Hole, Gray Pigeon can be called the masterpiece of domestic backdoors. Its rich and powerful functions, flexible operation and good concealment make other backdoors look inferior, and its simple, convenient client lets a beginner become a "hacker". Used legally, Gray Pigeon is an excellent remote control tool; used for illegal purposes, it becomes a powerful hacking tool, just as gunpowder has different effects on people depending on where it is used. A complete description of Gray Pigeon could perhaps only be given by its author; here we can only give a brief introduction.
Both the Gray Pigeon client and server are written in Delphi. The attacker uses the client program to configure the server program. The configurable information mainly includes the connection type (waiting for a connection, or actively connecting out, together with the public IP or domain name used for the active connection), the connection password, the port used, the startup item name, the service name, the process hiding method, the shell used, the proxy, the icon, and so on.
The server supports several ways of connecting to the client, so users in all kinds of network environments can be infected: LAN users (accessing the Internet through a proxy), users with public Internet addresses, and ADSL dial-up users.
The server side works as follows:
The configured server file is G_Server.exe (this is the default name and can be changed). The attacker then tricks the user into running G_Server.exe by one means or another; the specific methods are not discussed here and are left to the reader's imagination.
After running, G_Server.exe copies itself into the Windows directory (on 98/XP the Windows directory of the system drive, on 2000/NT the Winnt directory of the system drive), then extracts G_Server.dll and G_Server_Hook.dll from its own body into the Windows directory. Together, G_Server.exe, G_Server.dll and G_Server_Hook.dll make up the Gray Pigeon server. G_Server_Hook.dll is responsible for hiding Gray Pigeon: by intercepting process API calls it hides the files, the service registry key and even the module name inside the process. The intercepted functions are mainly those used to enumerate files, registry keys and process modules, so in some cases a user feels the machine is infected but finds nothing abnormal after careful checking. Some Gray Pigeon variants also drop a file named G_ServerKey.dll to record keystrokes. Other samples follow the same naming scheme, for example A.dll and A_Hook.dll.
The G_Server.exe in the Windows directory registers itself as a service (on 9X systems it writes a registry startup item instead) and runs automatically at every boot. After it runs it loads G_Server.dll and G_Server_Hook.dll and then exits. G_Server.dll implements the backdoor functions and communicates with the controlling client; G_Server_Hook.dll hides the trojan by intercepting API calls. So after infection we can see neither the trojan files nor the service it registered. Depending on how the Gray Pigeon server file was configured, G_Server_Hook.dll sometimes lives only in the process space of Explorer.exe and sometimes is injected into every process.
The author of Gray Pigeon put a lot of effort into evading detection and removal by anti-virus software. Because certain API functions are intercepted, files and modules are hard to enumerate in normal mode, which makes scanning and removal difficult, and it is also hard to unload the Gray Pigeon DLL from system processes without crashing them. This has led to the recent flood of Gray Pigeon infections on the Internet.
2. Manual detection of Gray Pigeon
Because Gray Pigeon intercepts API calls, its server program files and the service it registers are hidden in normal mode; even with "show all hidden files" set, you cannot see them. In addition, the file names of the Gray Pigeon server can be customized, which makes manual detection difficult.
However, after careful observation we found that detecting Gray Pigeon still follows a pattern. From the analysis of its operating principle, no matter what the custom server file name is, a file ending in "_hook.dll" is normally generated in the operating system's installation directory. Through this we can manually detect the Gray Pigeon server fairly accurately.
In normal mode Gray Pigeon hides itself, so detection must be performed in safe mode. To enter safe mode, start the computer and press F8 before the Windows startup screen appears (or hold Ctrl while the computer starts), then select "Safe Mode" from the menu that appears.
1. Because the Gray Pigeon files have the hidden attribute, Windows must first be set to display all files. Open "My Computer", select "Tools" > "Folder Options", click the "View" tab, untick "Hide protected operating system files", select "Show all files and folders" under "Hidden files and folders", and click "OK".
2. Open Windows "Search" and enter "_hook.dll" as the file name, choosing the Windows installation directory as the location (by default C:\Windows on 98/XP, C:\Winnt on 2000/NT).
3. After the search completes, we find a file named Game_Hook.dll in the Windows directory itself (not in a subdirectory). Opening the Windows directory, we also find the Game.exe and Game.dll files there, together with a GameKey.dll file used to record keystrokes.
After these steps we can basically confirm that these files are the Gray Pigeon server, and we can then remove them manually.
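The search in steps 2 and 3 can be automated. The following Python script is an added example, not code from the original post: it scans only the top level of a directory for files ending in "_hook.dll" (case-insensitively, as Windows file names are) and reports which of the companion files named on the page (base.exe, base.dll, baseKey.dll) sit beside each one. The sample directory it builds is constructed for the demonstration; on a real machine pass the Windows directory instead, and run it from safe mode, since in normal mode the trojan's hooked enumeration APIs hide these files from this script just as they hide them from Explorer.

```python
import tempfile
from pathlib import Path

# Suffix the page identifies as common to all Gray Pigeon hook libraries.
HOOK_SUFFIX = "_hook.dll"


def companion_names(base):
    """Companion files described on the page for a server named <base>:
    <base>.exe (loader/service), <base>.dll (backdoor), <base>Key.dll (keylogger)."""
    return [f"{base}.exe", f"{base}.dll", f"{base}key.dll"]


def find_hook_artifacts(windows_dir):
    """Scan only the top level of windows_dir for *_hook.dll files and report,
    for each, which companion files are present.
    Returns {hook_file_name: [companion file names found]}.
    Run this from safe mode: in normal mode the trojan's hooked enumeration
    APIs would hide these files from this script as well."""
    windows_dir = Path(windows_dir)
    # Map lowercased name -> real name so matching is case-insensitive,
    # as file names on Windows are.
    names = {p.name.lower(): p.name for p in windows_dir.iterdir() if p.is_file()}
    found = {}
    for lower, real in names.items():
        if not lower.endswith(HOOK_SUFFIX):
            continue
        base = real[: -len(HOOK_SUFFIX)]
        present = [names[c.lower()] for c in companion_names(base) if c.lower() in names]
        found[real] = present
    return found


def build_sample_dir():
    """Constructed stand-in for C:\\Windows: drops empty files with the names from
    the page's example (Game_Hook.dll etc.) plus a few benign names."""
    d = Path(tempfile.mkdtemp(prefix="fake_windows_"))
    for name in ["Game_Hook.dll", "Game.exe", "Game.dll", "GameKey.dll",
                 "explorer.exe", "notepad.exe", "win.ini"]:
        (d / name).write_bytes(b"")
    (d / "system32").mkdir()
    # A hook-like name in a subdirectory is deliberately not reported when the
    # parent is scanned: the page says the dropper writes to the Windows
    # directory itself, not to its subdirectories.
    (d / "system32" / "Other_Hook.dll").write_bytes(b"")
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for hook, companions in find_hook_artifacts(sample).items():
        print(f"{hook}: companions present -> {companions}")
```

A hit with all three companions present matches the page's description closely; a lone `*_hook.dll` with no companions is still worth looking at, but the file names are customizable, so treat the result as a lead for the manual steps above rather than a verdict.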
3. Manual removal of Gray Pigeon
After the above analysis, removing Gray Pigeon is easy. The program files still have to be removed in safe mode. There are two main steps: 1. remove the Gray Pigeon service; 2. delete the Gray Pigeon program files.
Note: to guard against mistakes, be sure to back up your data before removal.
(1) Removing the Gray Pigeon service
Note that the Gray Pigeon service must be removed in the registry. If you are not familiar with the registry, please ask someone who is. Before removing the service, back up the registry first (or rename the registry files under pure DOS), then delete the Gray Pigeon service from the registry. Note also that the virus may have associated itself with EXE files.
2000/XP systems:
1. Open the Registry Editor (click "Start", click "Run", enter "regedit.exe" and click OK), then open the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
2. In the menu bar choose "Edit" > "Find", enter the service name to search for and click "OK" to locate the Gray Pigeon service key (in this example Game_Server; the service name differs from machine to machine).
3. Delete the entire Game_Server key.
98/ME systems:
On 9X there is only one startup item for Gray Pigeon, so removal is easier. Run the Registry Editor, open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and delete the item named game.exe as soon as you see it.
(2) Deleting the Gray Pigeon program files
Deleting the program files is very simple: in safe mode, delete the game.exe, Game.dll, Game_Hook.dll and GameKey.dll files in the Windows directory, then restart the computer. With this the Gray Pigeon VIP 2005 server has been removed.
The method described above applies to most of the Gray Pigeon trojans and variants we see. However, a few variants still cannot be detected or removed this way, and as new versions of Gray Pigeon keep being released, the author may add new hiding and anti-deletion techniques, so manual detection and removal will become harder and harder.
4. Precautions against the Gray Pigeon trojan
1. Patch the system. Install system patches (critical updates, security updates and service packs) through Windows Update; MS04-011, MS04-012, MS04-013, MS03-001, MS03-007, MS03-049, MS04-032 and others are widely exploited by viruses and are essential patches.
2. Set a sufficiently complex, strong password for the system administrator account, preferably a combination of more than 10 characters including letters, numbers and other symbols. Also disable or delete unused accounts.
3. Update the anti-virus software (virus database) frequently; it can be set to update automatically every day. Install and properly use network firewall software: a network firewall can also play a crucial role against viruses, effectively blocking attacks and virus intrusions from the network. Some users of pirated Windows cannot install patches normally, which cannot be helped; they may wish to rely on a network firewall for some protection.
4. Disable unnecessary services. Where possible, disable unnecessary shares such as C$ and D$; a standalone single machine can shut down the Server service directly. These can be turned off with optimization software such as WinXP Manager.
Reposted from a post by Bon Jovi in the Yifan virus rescue zone:
Gray Pigeon VIP 2005 removal tool
http://ftpe.ttian.net/2005/07/DelHgzvip2005Server.zip
Black Hole & Gray Pigeon backdoor dedicated removal tool
http://www.cert.org.cn/articles/tools/common/2005051322256.shtml
If the dedicated removal tool finds no Gray Pigeon, refer to the method below to delete it manually.
Follow the three steps below to completely delete the Gray Pigeon trojan from the system.
1. Download HijackThis and scan the system:
http://www.skycn.com/soft/15753.html (zww3008 Chinese edition)
http://www.merijn.org/files/hijackthis.zip
2. The O23 entries in the HijackThis log can be used to find the trojan's service. For example:
O23 - Service: SYSTEM$ (SYSTEM$ Server) - Unknown owner - C:\WINDOWS\setemy.bat
O23 - Service: Network Connections Manager (NetConMan) - Unknown owner - C:\WINDOWS\uinstall.exe
O23 - Service: winServer - Unknown owner - C:\WINDOWS\winserver.exe
O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Unknown owner - C:\WINDOWS\G_Server.exe
In HijackThis, tick the O23 entry and then select "Fix checked".
3. Use Killbox to delete the trojan files belonging to the Gray Pigeon. Killbox can be downloaded here:
http://yncnc.onlinedown.net/soft/37257.htm
Copy each file path into Killbox and delete it.
Generally the files are the following, where "service name" is the name found with HijackThis:
C:\windows\<service name>.dll
C:\windows\<service name>.exe
C:\windows\<service name>.bat
C:\windows\<service name>key.dll
C:\windows\<service name>_hook.dll
C:\windows\<service name>_hook2.dll
Example:
C:\WINDOWS\setemykey.dll
C:\WINDOWS\setemy.dll
C:\WINDOWS\setemy.exe
C:\WINDOWS\setemy_hook.dll
C:\WINDOWS\setemy_hook2.dll
Killbox can delete the trojan files. Because the files have the hidden attribute they may not be directly visible, but Killbox can delete them anyway. Not all of the above files necessarily exist; if Killbox reports that a file does not exist or has already been deleted, that is fine.
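The two halves of this procedure, reading the O23 lines out of a HijackThis log and expanding each service's executable into the six-file list that Killbox is pointed at, are mechanical enough to script. The following Python code is an added example, not part of Bon Jovi's post or of HijackThis or Killbox: it parses O23 lines of the form shown above, flags the ones that match the pattern in these examples (unknown owner, executable placed directly in the Windows directory), and derives the candidate file paths from the executable's base name. The sample log is constructed from the four lines quoted above plus one made-up benign service (Example Updater) for contrast; the "unknown owner in the Windows directory" rule is a heuristic taken from these examples, not a definitive test.

```python
import re
from pathlib import PureWindowsPath

# HijackThis O23 line layout, as seen in the log excerpt above:
#   O23 - Service: <display name> (<short name>) - <owner> - <path>
# The "(<short name>)" part is absent for some services (winServer above).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"
    r"(?: \((?P<short>[^)]*)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)\s*$"
)

# Constructed sample log: the four O23 lines quoted on the page, one
# non-O23 line to show it is skipped, and one made-up benign service.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: SYSTEM$ (SYSTEM$ Server) - Unknown owner - C:\WINDOWS\setemy.bat
O23 - Service: Network Connections Manager (NetConMan) - Unknown owner - C:\WINDOWS\uinstall.exe
O23 - Service: winServer - Unknown owner - C:\WINDOWS\winserver.exe
O23 - Service: Gray_Pigeon_Server (GrayPigeonServer) - Unknown owner - C:\WINDOWS\G_Server.exe
O23 - Service: Example Updater (ExampleUpd) - Example Software Ltd. - C:\Program Files\Example\update.exe
"""

# Naming scheme from the page: every file lives in the Windows directory and
# is derived from one base name (the page's "service name", which in the log
# corresponds to the stem of the service's executable path, e.g. setemy).
FILE_PATTERNS = ["{b}.dll", "{b}.exe", "{b}.bat", "{b}key.dll",
                 "{b}_hook.dll", "{b}_hook2.dll"]


def parse_o23(log_text):
    """Return a list of dicts (display, short, owner, path), one per O23 line."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def is_suspicious(entry):
    """Heuristic drawn from the page's examples: unknown owner and an executable
    placed directly in the Windows (or Winnt) directory rather than system32."""
    p = PureWindowsPath(entry["path"])
    return (entry["owner"] == "Unknown owner"
            and p.parent.name.lower() in ("windows", "winnt"))


def candidate_files(entry):
    """Expand one O23 entry into the six paths Killbox should be pointed at.
    Not all of them exist on a given machine, which is fine."""
    p = PureWindowsPath(entry["path"])
    return [str(p.parent / pat.format(b=p.stem)) for pat in FILE_PATTERNS]


def suspicious_entries(log_text):
    return [e for e in parse_o23(log_text) if is_suspicious(e)]


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"{e['display']} ({e['short'] or 'no short name'}) -> {e['path']}")
        for f in candidate_files(e):
            print("   ", f)
```

The script only reads the log and prints paths; deleting anything is still done deliberately with Killbox in safe mode, after checking each flagged service, since a legitimate third-party service that HijackThis cannot attribute to an owner would match the same heuristic.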