"Conspiracy" After network disconnection -- killing arp Virus

Source: Internet
Author: User
"Conspiracy" After network disconnection -- killing arp Virus

The concept of ARP spoofing has come up many times in previous articles. Simply put, an attacker inside a LAN sends forged ARP packets to the router, either to sniff traffic or to cut any computer in the LAN off from the network. ARP spoofing is not limited to that, as the recently rampant ARP virus "Legend Killer" shows: it uses ARP spoofing to knock users offline, forcing them to log on to the Legend game server again, and then sniffs the Legend account information out of the login packets, again by means of ARP spoofing. Below we take "Legend Killer" as an example to explain how an ARP virus works and how to remove it.

What is an ARP virus?

ARP viruses fall into two categories. The first is purely destructive: it makes the whole LAN unable to reach the Internet. Such viruses are common in Internet cafes, which is why ARP attacks are the biggest headache for Internet cafe owners. The second type also aims to steal user information, as with the "Legend Killer" mentioned above. However much an ARP virus changes, its underlying principle is still ARP spoofing; what it adds on top of ordinary ARP spoofing are modules such as automatic propagation and a Trojan.
The damage caused by an ARP virus is serious. A stand-alone user may not notice anything after infection, but for a LAN it is a disaster. The most obvious symptom is that the whole LAN is paralyzed: no computer on it can reach the Internet, so users cannot even search the network for a solution. If a Trojan is dropped as well, the consequences are even more serious.

A Brief Analysis of "Legend Killer"

The virus file named loadhw.exe generates npf.sys in the C:\Windows\System32\drivers directory and msitinit.dll in the C:\Windows\System32 directory. npf.sys is the driver that sends the ARP spoofing packets, that is, it carries out the ARP spoofing itself. msitinit.dll controls when npf.sys sends the spoofed packets. loadhw.exe is the culprit that steals the user's Legend account information.

After the virus runs, loadhw.exe is added to the system's startup items. What differs slightly from earlier viruses is where it modifies the system: the registry location [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]. That is, the system runs the virus automatically at startup and then deletes the created value automatically, which makes the virus harder to notice.

Now for how "Legend Killer" spreads. It disguises itself as the WinPcap driver. Readers of the previous articles know that WinPcap is the tool of choice for working with the network at a low level, so many Internet cafes install it. Without a careful look it is easy to mistake a "Legend Killer" dressed up as WinPcap for the real thing. Importantly, although "Legend Killer" is a virus, it still provides the WinPcap functions; its virus file NPF.sys simply replaces the NPF.SYS file of a normal WinPcap installation. So it is no surprise when what gets installed as WinPcap turns out to be a disguised "Legend Killer".

Figure 1. The NPF.SYS file being "swapped out"

As for the damage done by "Legend Killer", we said at the start of this article: it disconnects every user in the Internet cafe and then steals the account information when users log on to the Legend server again. The details are not repeated here.

Manual virus removal

Removing "Legend Killer" is relatively simple. Follow these steps.

Step 1. Delete the main program loadhw.exe from the C:\Windows\System32 directory.

Step 2. Delete the NPF.SYS file from the C:\Windows\System32\drivers directory.

Step 3. In Device Manager, open the View menu, select "Show hidden devices", and double-click to expand "Non-Plug and Play Drivers".

Step 4. Find "NetGroup Packet Filter Driver", right-click it, and select "Uninstall".

Step 5. Delete the msitinit.dll file from the C:\Windows\System32 directory.

Step 6. Run Registry Editor and delete the virus service key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Npf.

Figure 2. Deleting the virus service item

Step 7. Restart the system.
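Before deleting anything by hand, it helps to check which of these artifacts a host actually carries. The following Python audit script is an added example, not part of the article or of any tool it mentions. It looks for the three files, for a RunOnce value that launches loadhw.exe, and for the Npf service key, using the paths and registry keys the article names. The verdict rules are this script's own assumption: loadhw.exe or msitinit.dll (or a RunOnce entry for loadhw.exe) means infected, while npf.sys plus the Npf service on their own are inconclusive, because a genuine WinPcap installation leaves exactly those two. Only the collector needs Windows; the audit logic runs anywhere on a HostState you construct.

```python
"""Audit a Windows host for the "Legend Killer" artifacts described above.

Added example; the file paths and registry keys are the ones named in the
article, the verdict rules are this script's own assumption.
"""
import os
from dataclasses import dataclass
from typing import Dict, List

try:
    import winreg  # Windows only; the audit logic itself does not need it
except ImportError:  # reviewing the logic on a non-Windows machine
    winreg = None

SYSTEM32 = r"C:\Windows\System32"
ARTIFACT_FILES = [
    SYSTEM32 + r"\loadhw.exe",       # main program, steals account data
    SYSTEM32 + r"\msitinit.dll",     # times the spoofing driver
    SYSTEM32 + r"\drivers\npf.sys",  # spoofing driver, replaces WinPcap's NPF.SYS
]
RUNONCE_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\Npf"
# Files only the virus leaves; npf.sys and the Npf service also belong to real WinPcap.
VIRUS_ONLY = ("loadhw.exe", "msitinit.dll")


@dataclass
class HostState:
    existing_files: List[str]        # artifact paths that exist on disk
    runonce_values: Dict[str, str]   # RunOnce value name -> command line
    npf_service_present: bool        # HKLM\...\Services\Npf exists


def collect_windows_state() -> HostState:
    """Read the live state from a Windows host (needs winreg)."""
    if winreg is None:
        raise RuntimeError("collect_windows_state() requires Windows")
    files = [p for p in ARTIFACT_FILES if os.path.exists(p)]
    runonce: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUNONCE_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            runonce[name] = str(data)
            index += 1
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICE_KEY))
        service = True
    except OSError:
        service = False
    return HostState(files, runonce, service)


def audit(state: HostState) -> dict:
    """Return the indicators found and a verdict: clean, inconclusive or infected."""
    findings: List[str] = []
    virus_only_hit = False
    for path in state.existing_files:
        findings.append(f"file present: {path}")
        if path.lower().endswith(VIRUS_ONLY):
            virus_only_hit = True
    for name, command in state.runonce_values.items():
        if "loadhw.exe" in command.lower():
            findings.append(f"RunOnce value '{name}' launches {command}")
            virus_only_hit = True
    if state.npf_service_present:
        findings.append("service key present: HKLM\\" + SERVICE_KEY)
    if virus_only_hit:
        verdict = "infected"
    elif findings:
        verdict = "inconclusive"  # may just be a genuine WinPcap installation
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    result = audit(collect_windows_state())
    print(result["verdict"])
    for line in result["findings"]:
        print(" -", line)
```

Run it as Administrator on the suspect machine; an "inconclusive" result means npf.sys and the Npf service are present without the virus-only files, so confirm the driver's origin before applying Steps 2, 4 and 6, or you will also remove a legitimate WinPcap installation.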

Simple defense against ARP viruses

Preventing ARP viruses really means preventing ARP spoofing. The simplest and most lasting method is to have the router bind the MAC address of each LAN computer's NIC to its IP address. You can also use an anti-spoofing tool such as "Anti ARP Sniffer"; these tools are easy to use: click a button and ARP spoofing is blocked automatically. I am sure capable readers can handle this easily.
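The binding the article recommends can also be enforced and monitored on a host. The following Python example is added here and is not part of the article or of any tool it names: it pins the gateway's IP-to-MAC mapping and reports ARP frames that contradict it, which is exactly the symptom "Legend Killer" produces when it answers for the gateway. The MAC and IP addresses, and the ARP frames fed to the detector, are constructed sample data; a live deployment would feed it frames from a raw socket or pcap instead.

```python
"""Detect ARP spoofing against a pinned IP-to-MAC binding.

Added example; the addresses and frames below are constructed sample data.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(raw: bytes) -> Optional[ArpFrame]:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None for anything else."""
    if len(raw) < 42 or struct.unpack("!H", raw[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", raw[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(opcode, _mac(raw[22:28]), _ip(raw[28:32]),
                    _mac(raw[32:38]), _ip(raw[38:42]))


def build_arp_frame(opcode: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Encode an ARP frame; used here only to construct sample traffic for the detector."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    ethernet = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    return ethernet + arp + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)


class ArpGuard:
    """IP-to-MAC table with pinned entries that are never overwritten.

    Pinned entries play the role of the static binding the article
    recommends; learned entries keep the first mapping seen.
    """

    def __init__(self, pinned: Dict[str, str]):
        self.pinned = {ip: mac.lower() for ip, mac in pinned.items()}
        self.learned: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: ArpFrame) -> Optional[str]:
        """Check one frame's sender binding; return an alert string or None."""
        if frame.opcode not in (ARP_REQUEST, ARP_REPLY):
            return None
        ip, mac = frame.sender_ip, frame.sender_mac.lower()
        alert = None
        if ip in self.pinned:
            if mac != self.pinned[ip]:
                alert = f"SPOOF {ip} claimed by {mac}, pinned to {self.pinned[ip]}"
        elif ip in self.learned:
            if self.learned[ip] != mac:
                alert = f"CHANGE {ip} moved from {self.learned[ip]} to {mac}"
        else:
            self.learned[ip] = mac
        if alert:
            self.alerts.append(alert)
        return alert


def run_demo() -> List[str]:
    """Feed constructed traffic through the guard and return the alerts raised."""
    gateway_ip, gateway_mac = "192.168.1.1", "aa:bb:cc:00:00:01"  # constructed
    victim_ip, victim_mac = "192.168.1.10", "aa:bb:cc:00:00:10"   # constructed
    rogue_mac = "de:ad:be:ef:00:01"                                # constructed
    guard = ArpGuard({gateway_ip: gateway_mac})
    traffic = [
        # genuine gateway reply and a normal request from the victim
        build_arp_frame(ARP_REPLY, gateway_mac, gateway_ip, victim_mac, victim_ip),
        build_arp_frame(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gateway_ip),
        # forged replies: the rogue host answers as the gateway, then as the victim
        build_arp_frame(ARP_REPLY, rogue_mac, gateway_ip, victim_mac, victim_ip),
        build_arp_frame(ARP_REPLY, rogue_mac, victim_ip, gateway_mac, gateway_ip),
        b"\x00" * 60,  # non-ARP frame, ignored by the parser
    ]
    for raw in traffic:
        frame = parse_arp_frame(raw)
        if frame is not None:
            guard.observe(frame)
    return guard.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The learned table keeps the first mapping it sees, like a static ARP entry, so a legitimate NIC replacement also produces a CHANGE alert and needs an explicit re-pin. Binding on the router protects only the router's own table; each host's table needs protecting too, with static entries or a monitor like this one, because the virus spoofs the gateway towards the hosts as well.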

Figure 3. Anti ARP Sniffer