Author: Fresh sunshine (http://hi.baidu.com/newcenturysun)
Date: 2007/10/06 (please keep this notice when reposting)
A security-conscious user might scan the archive with antivirus software first. If you are lucky and the antivirus raises an alert, you escape the attack. But what if it does not? You will probably go ahead, extract the archive and run the exe file.
After running the exe you deserve a "congratulations!", because you have walked straight into the trap the hacker set. Your curiosity and weak security awareness led you into this "trap"!
Now let's take a look at what the hacker has set up as the "trap".
File: tutorial.exe
Size: 33063 bytes
MD5: 2cbef55713cad85ec3937bf718a069
SHA1: 972D2364D5C87BBB9381FA9738D10F937BD92A31
CRC32: DD8114DD
This is a trojan that steals QQ account credentials. After tutorial.exe runs, it drops the following files:
%Program Files%\Internet Explorer\plugins\syswin74.jmp
%Program Files%\Internet Explorer\plugins\winsys84.sys
%Program Files%\Internet Explorer\info_ms.sys
E:\autorun.exe
E:\autorun.inf
It adds the following registry values so that it starts automatically:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{1AB09B3F-A6D0-4B55-B87D-264934EBEAED}> <%Program Files%\Internet Explorer\plugins\winsys84.sys> []
<{0F7A277A-4B2A-4673-8CC0-957C72ECFC6E}> <%Program Files%\Internet Explorer\info_ms.sys> []
%Program Files%\Internet Explorer\plugins\winsys84.sys is injected into the Explorer process and installs a global hook that watches for the QQ login window. When the user logs in to QQ, it injects itself into QQ to steal the password.
%Program Files%\Internet Explorer\info_ms.sys connects to the network and receives the message content sent by QQ Tail.
Later, winsys84.sys also directs Explorer to download a whole group of further trojans.
After the trojan group has been downloaded, SREng shows the following log:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{1AB09B3F-A6D0-4B55-B87D-264934EBEAED}> <%Program Files%\Internet Explorer\plugins\winsys84.sys> []
<{E3F426F6-8634-42A5-A29E-BC694A88FB7D}> <C:\WINDOWS\system32\xyupri0.dll> []
<{2598FF45-DA60-F48A-BC43-10AC47853D52}> <C:\WINDOWS\system32\arjbpi.dll> []
<{A393C2CF-1C26-4309-9765-13B7FDC0F200}> <C:\WINDOWS\system32\mypern0.dll> []
<{2960356A-458E-DE24-BD50-268F589A56A2}> <C:\WINDOWS\system32\avwlbmn.dll> []
<{334345F1-DACF-3452-CB7D-4620F34A1533}> <C:\WINDOWS\system32\sztcpm.dll> []
<{57D81718-1314-5200-2597-587901018075}> <C:\WINDOWS\system32\kaqhezy.dll> []
<{3c87a354-abc3-de-ff33-3213fd7447c3}> <C:\WINDOWS\system32\kvdxcma.dll> []
<{66650011-3344-6688-4899-345FABCD1566}> <C:\WINDOWS\system32\atbfpi.dll> []
<{4859245F-345D-BC13-AC4F-145D47DA34F4}> <C:\WINDOWS\system32\avzxdmn.dll> []
<{18847374-8323-FADC-B443-4732ABCD3781}> <C:\WINDOWS\system32\sidjazy.dll> []
<{28907901-1416-3389-9981-372178569982}> <C:\WINDOWS\system32\kawdbzy.dll> []
<{0F7A277A-4B2A-4673-8CC0-957C72ECFC6E}> <%Program Files%\Internet Explorer\info_ms.sys> []
<{444D7AB0-639D-445F-9143-3B3FFB2A7F39}> <C:\WINDOWS\system32\dh3vpw0.dll> []
...
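As an added example (not code from the original post), here is a small Python triage script that parses the SREng ShellExecuteHooks log format shown above and flags the persistence entries this trojan family leaves behind. The sample log and the baseline entry are constructed; only the three malicious CLSIDs and file names come from the analysis.

```python
import re
from typing import List, Tuple

# Constructed sample in the SREng format quoted above: the three flagged entries
# use CLSIDs and file names from the analysis, the first entry is a made-up baseline.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{00000000-0000-0000-0000-000000000001}> <C:\WINDOWS\system32\shell32.dll> []
<{1AB09B3F-A6D0-4B55-B87D-264934EBEAED}> <%Program Files%\Internet Explorer\plugins\winsys84.sys> []
<{E3F426F6-8634-42A5-A29E-BC694A88FB7D}> <C:\WINDOWS\system32\xyupri0.dll> []
<{0F7A277A-4B2A-4673-8CC0-957C72ECFC6E}> <%Program Files%\Internet Explorer\info_ms.sys> []
"""

# Known-good (CLSID, lowercased path) pairs, assumed to be collected from a clean machine.
BASELINE = {("{00000000-0000-0000-0000-000000000001}", r"c:\windows\system32\shell32.dll")}

ENTRY_RE = re.compile(r"^<(\{[0-9A-Fa-f-]+\})>\s+<([^>]+)>")
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{6,7}$")  # e.g. xyupri0, avwlbmn


def parse_hooks(log: str) -> List[Tuple[str, str]]:
    """Return (CLSID, module path) pairs listed under the ShellExecuteHooks key."""
    entries, in_section = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("["):  # a new registry key section begins
            in_section = line.lower().endswith(r"\explorer\shellexecutehooks]")
            continue
        m = ENTRY_RE.match(line)
        if in_section and m:
            entries.append((m.group(1).upper(), m.group(2)))
    return entries


def triage(log: str) -> List[Tuple[str, str, List[str]]]:
    """Report every hook not in the baseline, with the reasons it looks suspicious."""
    findings = []
    for clsid, path in parse_hooks(log):
        folder, _, name = path.lower().rpartition("\\")
        if (clsid, f"{folder}\\{name}") in BASELINE:
            continue
        stem, _, ext = name.rpartition(".")
        reasons = []
        if ext != "dll":
            reasons.append(f"hook module has non-DLL extension .{ext}")
        if "internet explorer" in folder:
            reasons.append("module stored under the Internet Explorer folder")
        if folder.endswith("system32") and RANDOM_NAME_RE.match(stem):
            reasons.append("random-looking 6-7 character name in system32")
        findings.append((clsid, path, reasons or ["not in known-good baseline"]))
    return findings
```

Run `triage` over a real SREng export of the same key to get a list of hooks that deserve a closer look; the baseline set has to be filled from a known-clean system first.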
Solution:
1. In Safe Mode, delete:
%Program Files%\Internet Explorer\plugins\syswin74.jmp
%Program Files%\Internet Explorer\plugins\winsys84.sys
%Program Files%\Internet Explorer\info_ms.sys
E:\autorun.exe
E:\autorun.inf
Then use SREng to delete the corresponding startup entries.
2. C:\WINDOWS\system32\xyupri0.dll and the other trojans can be removed by following the earlier method for cleaning random 7-character DLL trojans.
From the above analysis we can see that hackers' methods are endless, and they have started to use social engineering to gain people's trust and lead you step by step into the traps they have carefully prepared. This should remind users to pay attention to the following points when communicating over instant messaging tools:
1. Strengthen your security awareness, and do not trust any form of advertising, karaoke, job-seeking, invitation or similar message, especially when it contains links or download information.
2. Do not casually accept files that others send you. Even for files sent by friends, confirm with them first and only then accept. Scan every accepted file with antivirus software. If the accepted file is an exe, scr or other executable, be especially careful; it is better not to run such executables at all.
Finally, we hope that everyone stays vigilant, keeps their curiosity in check, improves their security awareness, and avoids unknown risks on the Internet as much as possible.