Encountering an IFEO Hijack (image hijacking)

Source: Internet
Author: User
Tags: execution

Yesterday I ran into a computer on which many EXEs could not be opened: the anti-virus software and a lot of ordinary EXEs simply would not start.

Then I found that every drive had a hidden EXE named with a number plus some English letters, together with an autorun.inf; even after deleting them they came right back. Right-clicking the drive behaved normally. It was also impossible to show all (hidden) files.

Then in C:\Program Files\Common Files\Microsoft Shared\MSInfo I found several EXEs with the same number-plus-letters naming (yesterday it was 8******.exe), and DLLs as well, none of which could be force-deleted. Some EXEs would open and then close again within a second.

Finally, regedit could still be opened. Searching for these files, I found a large number of entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options: some were normal DLLs, and there were many EXEs, including the ones that could not be used. On inspection, a few had normal memory-related values on the right, but most of the EXE entries carried a Debugger value whose content pointed to the files under MSInfo. Comparing with my own registry, mine had far fewer entries. So this was the reason the programs could not run: I deleted every item whose Debugger value pointed to that file, and afterwards the EXEs that previously could not be opened generally opened again.

Then the 8*****.dll could never be deleted. The trick I thought of was to rename it and strip off the extension; once the virus was no longer running it could be deleted easily, and then I went through each partition to remove the remaining virus files. I restored the right-click menu, then installed Jiangmin, which deleted some of the infected EXEs; some file icons also went from blurred back to normal.

If you remove the virus first, opening some of the original EXEs will give a "cannot find the file" message; the fix is the same: delete that item in the registry.

Checking online, I had never paid attention to this registry item before; this time I found out what it is used for:

(Reposted)

This registry entry is intended primarily for debugging programs and is of little significance to the ordinary user. By default only Administrators and Local System have read and write permission; ordinary users have read-only access. When a Windows NT system executes a request to run an executable invoked from the command line, it first checks whether it is an executable file and, if so, which format it is, and then checks for the existence of:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\imagename]

If that key is present, it then tries to read the value:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\imagename]
"Debugger" = "Debug_prog"

If that value is present, it executes "Debug_prog imagename".

On our machine the system said it could not find the file; the file it was actually looking for was "Adamrf.exe", because Adamrf.exe had already been deleted by the anti-virus software. After deleting all items containing this value, the system was back to normal.

Adamrf.exe is another example of an abnormal program.

******************

It turns out this is called image hijacking.

Yyasong said:

IFEO Hijack (image hijacking): this method can prevent certain programs from running.

Similar methods can be used to stop some viruses from running, and the same trick may in turn be used by viruses against Autorun-handling software.

So-called image hijacking means that when the system executes a file, the hijacked image is automatically redirected to another program; if that target is empty, i.e. there is no such other program, the error prompt shown above naturally appears. For example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe
"Debugger" = "Abc.exe"

This means calling Abc.exe to debug svchost.exe. The point is that Abc.exe may not be a debugger at all, so svchost.exe never starts.

Likewise, "Debugger" = "Logo_1.exe" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logo_1.exe, where the Debugger value equals the image itself, means the program is called to debug itself; since it is not a debugger, this recurses again and again into an endless loop and the program cannot start. Many Viking immunization programs rely on exactly this principle.

Example

To deal with Viking variants.

Registry file:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Logo1_.exe]
"Debugger"="egomoo.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundl132.exe]
"Debugger"="egomoo.exe"
***************************
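The two situations the reposted explanation and Yyasong's note describe (a Debugger value pointing at a program that no longer exists, and a Debugger value pointing at the image itself) can both be found by walking the IFEO key. The PowerShell below is an added example, not code from the original post or from any immunization tool; the function names Get-IfeoDebuggerEntries and Remove-IfeoDebugger are my own, and the PATH lookup used to decide whether a bare debugger name exists is an approximation of what Windows does (it does not consult App Paths). It must be run in an elevated prompt on Windows, and it changes nothing unless Remove-IfeoDebugger is called.

```powershell
# Added example (not from the original post): audit the IFEO key for the
# "Debugger" hijacks described above. Read-only unless Remove-IfeoDebugger
# is called explicitly. Run from an elevated PowerShell prompt.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerEntries {
    # Walk every image-name subkey and report the ones carrying a Debugger value.
    Get-ChildItem -Path $IfeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $imageName = $_.PSChildName
        $debugger  = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($debugger)) { return }   # no Debugger value: nothing is redirected

        # The value is a command line: Windows runs "Debug_prog imagename", so the
        # first token (quoted or not) is the program that actually starts.
        $debuggerExe = if ($debugger -match '^"([^"]+)"') { $Matches[1] } else { ($debugger -split '\s+')[0] }

        # A rooted path is tested directly; a bare name is looked up on PATH.
        # (Approximation: Windows also consults App Paths and the working directory.)
        $resolved = if ([System.IO.Path]::IsPathRooted($debuggerExe)) {
            $debuggerExe
        } else {
            (Get-Command -Name $debuggerExe -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1).Source
        }
        $exists = $resolved -and (Test-Path -LiteralPath $resolved)

        $status = if ([System.IO.Path]::GetFileName($debuggerExe) -ieq $imageName) {
            'SELF-REFERENCE (image debugs itself; never starts)'
        } elseif (-not $exists) {
            'MISSING TARGET (gives "cannot find the file")'
        } else {
            'REVIEW (debugger exists; legitimate JIT debuggers also use this value)'
        }

        [PSCustomObject]@{
            ImageName = $imageName
            Debugger  = $debugger
            Resolved  = $resolved
            Status    = $status
        }
    }
}

function Remove-IfeoDebugger {
    # Remediation as the post describes: remove only the Debugger value of one
    # image-name key, leaving any other values (e.g. memory settings) intact.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$ImageName)

    $keyPath = Join-Path -Path $IfeoPath -ChildPath $ImageName
    if (-not (Test-Path -LiteralPath $keyPath)) { throw "No IFEO key for $ImageName" }
    if ($PSCmdlet.ShouldProcess($keyPath, 'Remove Debugger value')) {
        Remove-ItemProperty -LiteralPath $keyPath -Name 'Debugger'
    }
}

# Usage: list every hijack first, then remove one only after reviewing it
# (try -WhatIf before the real run).
Get-IfeoDebuggerEntries | Format-Table -AutoSize
# Remove-IfeoDebugger -ImageName 'svchost.exe' -WhatIf
```

Entries flagged REVIEW are not necessarily malicious: Visual Studio and other JIT debuggers register a real debugger under a real image name, which is exactly the use the key was designed for. What the post found, and what the MISSING TARGET and SELF-REFERENCE statuses isolate, is a Debugger value that can never start a debugger at all.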
