Analysis of countermeasures against various types of malicious Web pages - Complete guide to using the registry, part seven
When you browse the Internet with IE, its vulnerabilities can let a Web page change your computer beyond recognition, format your disk, or even download a Trojan and spread viruses, and this form of transmission is intensifying. Enough preamble; let us analyze the various types of malicious Web pages.
Before the analysis, here are the methods of modifying the registry, because the registry is the backbone of Web-borne viruses: it is through the registry that they change your computer beyond recognition.
The first method: direct modification
Type regedit in the Run dialog and then edit; this is the way you usually modify the registry.
The second method: importing a .reg file
Take unlocking the registry as an example (in fact, unlocking with a tool such as Super Rabbit is better and more convenient; this is just to show you how to create a .reg file).
For Win 9x/Me/NT 4.0, save the following content in Notepad as a *.reg file and import it:
REGEDIT4

; There must be a blank line after the header, otherwise the modification will fail
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
For Win 2000 or XP, change REGEDIT4 to Windows Registry Editor Version 5.00.
The third method: INF installation
For 98/Me, save the following as a file with the .inf suffix, then right-click the file and choose Install:
[Version]
Signature="$CHICAGO$"
[DefaultInstall]
AddReg=Unlock.Add.Reg
DelReg=Unlock.Del.Reg
[Unlock.Add.Reg]
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System
[Unlock.Del.Reg]
HKCU,Software\Microsoft\Windows\CurrentVersion\Policies\System
For 2000 or XP, change CHICAGO to Windows NT.
I won't go into the other variations of the format here; you can look up the documentation. If you really cannot build other INF packages, you can contact me:
The fourth method: VBS script
Save the following content as a file with the .vbs suffix:
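' Create the WScript.Shell object used for the popup and the registry write
Dim unlock
Set unlock = WScript.CreateObject("WScript.Shell")
unlock.Popup "Will unlock the registry for you"
' Setting DisableRegistryTools to 0 re-enables the registry editor
unlock.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"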
The fifth method: heh, this is the method of paying them back in kind, which I won't introduce here.
As for editing the registry under DOS, I won't give an example here.
Remember: the registry must be backed up before you modify it! Remember!
Now that you know the methods, let us analyze the various kinds of malicious Web sites and the countermeasures.
Malicious Web sites can be grouped into the following categories:
One: using an IE text vulnerability to modify the registry through a script program
1. Minor modifications to the registry, such as the title bar, default home page, search page, added advertisements, and so on. First look at a section of the original code:
a.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}"); The malicious Web page modifies the registry through this ID.
Shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun", "REG_BINARY") ); This code makes the Run item disappear from your Start menu.
Removal method:
This article does not give solutions for ordinary browser modifications, because there are already many articles online about how to repair and restore the registry; you can look them up yourself.
I think this kind of modification can generally be repaired with a registry repair tool, without having to fix it manually.
Common tools are: Super Rabbit Magic, Optimization Master, 3721 Magic Gems, the IE repair tool that comes with Antivirus King, and so on.
Rising Registry Repair Tool: http://it.rising.com.cn/newSite/Channels/anti_virus/Antivirus_Base/TopicExplorerPagePackage/spiteFul.htm
Duba's Registry Repair tool: http://sh.duba.net/download/other/tool_011027_RegSolve.htm
A good online repair site I recommend: www.j3j4.com
Patches: Windows 2000: http://www.microsoft.com/china/windows2000/sp2.htm
Windows 9x users: http://www.microsoft.com/downloads/release.asp?ReleaseID=32558
2. Modifying the registry to disable the usual means of modification, so that the user cannot repair the damage through the registry.
The most common modifications are locking the registry and breaking file associations, for example .reg, .vbs and .inf.
Unlocking the registry was covered earlier. As for changed associations, as long as one association still works, any one of the registry modification methods mentioned earlier can be used. But what if .reg, .vbs and .inf have all been changed? Don't be afraid: change the .exe suffix to .com and you can still edit the registry. And if .com has been changed too? If they are that ruthless, fine, change the suffix to .scr. Heh, it can still be modified.
The best and simplest way: reboot immediately, press F8 to enter DOS, type scanreg /restore, and select a registry backup from a time when everything was normal. Note that you must choose a backup from before the registry was modified! If you find that even scanreg has been deleted (some sites are that ruthless), copy a Scanreg.exe from a disk to Comman under the
It is worth covering the default values of common file associations.
The normal EXE association is at [HKEY_CLASSES_ROOT\exefile\shell\open\command]
The default key value is: "%1" %* Change the association back to this and EXE files can be used again.
3. Modifying the registry and leaving a back door, so that your registry repair appears to succeed but reverts to the modified state after a reboot.
This mainly means a back door left in the startup items. Open the registry (you can also use tools such as Optimization Master to look) and go to:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run-
See whether there are any suspicious startup items; this is a point most people overlook. Which startup items are suspicious?
Here are a few that need attention: startup entries whose key values have a .html or .htm suffix are best removed, and startup entries with a .vbs suffix should be removed too. Another important one is a startup item with a key value like this:
The key value of System is regedit -s c:\windows ... Note that regedit -s is a registry editor parameter used to import a registry file, here acting as a back door, so this entry must be removed.
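The checks from items 2 and 3 above, applied to an exported .reg file, as an added example that is not from the original article: it flags a locked registry editor, an EXE association that differs from the standard Windows default of "%1" %*, and startup entries matching the patterns the text lists. The sample export, the function names and the regular expressions are constructed for illustration.

```python
import re

# Constructed sample export (REGEDIT4 format); not taken from a real machine.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="notepad.exe \"%1\""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Sys"="regedit -s c:\\windows\\win.dll"
"Home"="c:\\windows\\start.htm"
'''

RUN_KEY = re.compile(r'\\currentversion\\run(once|services|-)?$', re.I)
SUSPECT = re.compile(r'\.(html?|vbs)\b|regedit(\.exe)?\s+[-/]s\b', re.I)

def parse_reg(text):
    """Yield (key, value_name, raw_data) from REGEDIT4 / Version 5.00 export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and '=' in line and line[0] in '"@':
            m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
            if m:
                yield key, m.group(1).strip('"'), m.group(2)

def unquote(data):
    """Decode a quoted string value; leave dword:/hex: data unchanged."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r'\\(.)', r'\1', data[1:-1])
    return data

def audit(text):
    """Return (kind, where, detail) tuples for the conditions the article describes."""
    findings = []
    for key, name, raw in parse_reg(text):
        k, data = key.lower(), unquote(raw)
        if k.endswith(r'\policies\system') and name.lower() == 'disableregistrytools':
            if data.lower().startswith('dword:') and int(data[6:], 16) != 0:
                findings.append(('locked', key, name))
        elif k.endswith(r'exefile\shell\open\command') and name == '@':
            if data != '"%1" %*':
                findings.append(('exe-association', key, data))
        elif RUN_KEY.search(k) and SUSPECT.search(data):
            findings.append(('startup', name, data))
    return findings
```

Calling audit(SAMPLE) reports the lock, the changed EXE association and the two startup entries, and leaves the SystemTray entry alone.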
There is also a type of modification that creates a file with a .vbs or .dll suffix in c:\windows\, which is actually a .reg file.
In this case, look at the C:\Windows\Win.ini file and check load= and run=. Both options should be empty. If some other program has modified load= or run=, delete the program after the = sign; note its path and file name before deleting, and afterwards delete the corresponding file under system.
There is another approach: if the modification keeps coming back after every restart, search for all .vbs files on drive C (some may be hidden), open them with Notepad, and if one contains code that modifies the registry, delete it or, to be safe, change its suffix. You can search for files by the time at which you clicked the malicious page:
The following trap is well worth noting. Many people say: I have tried the methods you describe, the startup items have absolutely nothing suspicious and there are no VBS files either. Heh, there is another trap when IE itself starts: advertisements in the Tools menu of IE's main window. These must be removed, because they run whenever you start IE. So after fixing everything else, do not rush to open an IE window, or your effort will be wasted. Method: open the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions, find the advertisement and remove it.
A very important point: after falling into a malicious Web site's trap, you must first empty all of IE's temporary files. Remember!
Enough talk. How do you defend against such malicious Web pages?
Once and for all: remove the ID F935DC22-1CF0-11D0-ADB9-00C04FD58A0B.
Its path in the registry is HKEY_CLASSES_ROOT\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}
Remember to look carefully before deleting, so that you do not delete something else by mistake. Deleting F935DC22-1CF0-11D0-ADB9-00C04FD58A0B will not affect the system.
Select "Tools" → "Internet Options" in the IE menu bar. In the dialog box that pops up, switch to the "Security" tab, select "Internet" and click the "Custom Level" button. In the "Security Settings" dialog box, set all the options related to "ActiveX controls and plug-ins" and "Scripting" to Disable or Prompt. However, if Disable is selected, some Web sites that use ActiveX and scripts legitimately may not display fully. Recommended choice: Prompt. When you get a warning, look at the site's original code: if you find code such as Shl.RegWrite, do not go there; if the original code is encrypted and you are not familiar with the site, do not go there either; and if the right mouse button is disabled, be careful as well (why stop people from viewing the original code, unless it contains some good Java or malicious code?).
Windows 98 users: open C:\WINDOWS\JAVA\Packages\CVLV1NBB.ZIP and delete "ActiveXComponent.class". Windows Me users: open C:\WINDOWS\JAVA\Packages\5NZVFPF1.ZIP and delete "ActiveXComponent.class". Deleting it does not affect normal page browsing.
In Windows 2000/XP, you can block some malicious scripts by disabling the Remote Registry service. Go to Control Panel → Administrative Tools → Services, right-click the Remote Registry Service, select Properties in the pop-up menu to open the Properties dialog box, and set "Startup type" under "General" to "Disabled".
Heh, you could also stop using IE and use another browser ...
After falling into a malicious Web site's trap, do not restart the computer immediately; first check the startup items for anything dangerous, such as deltree.
Two: using IE flaws to damage the Windows system directly
Using Web browsing to format the hard drive is nothing new. One day while you are on the Internet, a warning suddenly pops up saying that the current page contains unsafe content; if you choose "Yes", the hard drive may well be formatted.
Take a look at some of its original code:
WSH (...)
To defend against this type of Web page, you can use the following methods:
Delete the ID F935DC22-1CF0-11D0-ADB9-00C04FD58A0B, because this ID can be used to generate commands and run executables on the hard disk. The specific path is:
HKEY_CLASSES_ROOT\CLSID\{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B} Once again, do not delete the wrong one.
It is recommended that you rename the deltree.com and format.com commands, for example using Optimization Master to rename them to Deltree.wom and Format.wom.
Renaming Wscript.exe under the Windows directory on drive C is also a way.
You can also uninstall WSH:
98/Me: go to Control Panel, select Add/Remove Programs, choose Windows Setup, select Accessories, then select Windows Scripting Host under Details and confirm to uninstall it.
To disable WSH in Windows 2000, double-click the My Computer icon, choose the Tools/Folder Options command, select the File Types tab, locate the "VBS VBScript Script File" option and click the Delete button, and then click OK.
Or upgrade WSH to WSH 5.6.
IE can be modified by malicious scripts because IE 5.5 and the earlier versions of WSH allow attackers to use the GetObject function in JavaScript and the htmlfile ActiveX object to read the visitor's registry. Microsoft's latest Microsoft Windows Script 5.6 has fixed this issue.
WSH 5.6 for Win9x/NT official download: www.microsoft.com
WSH 5.6 for Win2000 official download: http://www.microsoft.com/devonly/
Three: security vulnerability issues
It is now possible for files to be generated on your hard disk and for the registry to be read.
IE vulnerabilities can be used to spread viruses. Browsing the Web can currently infect you with script viruses such as New Happy Time, many of which get in through IE vulnerabilities. The current Web page Trojan problem in fact also exploits IE's MIME header error vulnerability, which makes the user's machine run the Trojan program automatically. This kind of program is easy to make and spreads very easily. Countermeasure for the MIME header error: patch or upgrade, http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp
1. Consider a vulnerability in IE 5.0: bad HTML code can be written that makes your IE close. The code is not convenient to post here.
Now look at this ID: 0d43fe01-f093-11cf-8940-00a0c9054228, which is used to generate files.
2. IE has an iframe vulnerability, which makes IE automatically execute an .exe file after the page is viewed.
Defensive countermeasures: it is best to upgrade IE to SP2 or above, or install patch Q290108 (thanks to moderator Fluttering for pointing out the error here). If you really do not want to use a newer version of IE for fear of it using too many resources, you must remember to apply the patch, because many viruses currently spread through this vulnerability in IE and OE; the Love Forest virus is one of them.
Also delete the ID HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}.
3. In IE6 (build 2600), a section of JavaScript code can cause an IE denial of service. On 98 it makes IE unresponsive, and trying to end the task crashes the operating system; on 2000 it keeps CPU usage at 50% for a long time. The browser then asks if you want to use it.
Defensive countermeasures: disable Java and scripts; the recommendation is to upgrade IE or patch it (it seems that not patching is not an option).
4. The frame vulnerability in IE: IE 5.01, 5.5 and 6.0 are all affected. This vulnerability can be used to disclose the user's information.
Countermeasure: patch: http://www.microsoft.com/Windowsupdate
http://www.microsoft.com/technet/security/bulletin/MS02-009.asp
Gaining control permissions: this kind of attack takes advantage of IE's ability to run ActiveX. Although IE provides a prompt for "Download signed ActiveX controls", the malicious attack code bypasses IE and downloads and executes ActiveX control programs without prompting, after which the attacker gains control of the system. To block this kind of attack, open Registry Editor and expand the following branch:
The workaround is, under the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\, to create for Active Setup Controls a new key based on the CLSID, {6e449683_c509_11cf_aafa_00aa00b6015c}, then create a REG_DWORD value named Compatibility under the new key and set its value to 0x00000400.
Four: nuisance malicious Web pages
This type of Web page uses JavaScript code to, for example, pop up countless windows that cannot be closed, until CPU resources are exhausted and you have to restart. To tell the truth, the Web monitoring in current domestic anti-virus software cannot intercept this kind of malicious Web page (I have not tried foreign products).
Writing this kind of Web page is not difficult; it is all done with endless loops.
Defense: disable Java. Upgrade IE to a newer version.
There are also pages that exploit Win98 vulnerabilities to make the system crash or hang. Countermeasure: patch 98 thoroughly (or do not use 98; 2000 is more stable).
When you surf the Internet, remember to turn on Web page monitoring or registry monitoring; current domestic anti-virus software has a good success rate at intercepting writes to the registry.
The analysis above shows one very important point: always keep your own system patched. Generally, soon after Microsoft releases a patch, new virus code appears to attack the hole, so remember to keep patching!