The author of Gray Pigeon (Backdoor.Huigezi) has not stopped developing it. In addition, some people deliberately pack the Gray Pigeon server with different packers to evade detection and removal by antivirus software, so new Gray Pigeon variants keep appearing on the Internet. Although Rising has spared no effort to collect the latest Gray Pigeon samples, given the sheer number of variants there will always be some that slip through the net. If your machine shows symptoms of Gray Pigeon but Rising antivirus cannot find it, it is probably a new variant that has not yet been captured. In that case you need to remove Gray Pigeon manually.
Removing Gray Pigeon by hand is not difficult; what matters is understanding how it operates.
How Gray Pigeon operates
The Gray Pigeon Trojan has two parts: a client and a server. The attacker operates the client and uses its configuration to generate the server program, by default named G_Server.exe, and then spreads that server (commonly called the Trojan or backdoor) through various channels. There are many ways to deliver it: binding it to an image and sending it over QQ while posing as a shy girl to trick you into running it; building a personal web page that uses an IE vulnerability to download and run the Trojan when you click a link; or uploading it to a software download site disguised as an interesting program to trick users into downloading it...
After it runs, G_Server.exe copies itself to the Windows directory (the Windows directory of the system drive on 98/XP, the Winnt directory on 2000/NT) and then releases G_Server.dll and G_Server_Hook.dll from its own body into that directory. Together, G_Server.exe, G_Server.dll and G_Server_Hook.dll make up the Gray Pigeon server. Some Gray Pigeon builds also release a file named G_ServerKey.dll to record keystrokes. If the server file has been renamed, for example to A.exe, the dropped files are named accordingly: A.dll and A_Hook.dll.
The G_Server.exe in the Windows directory registers itself as a service (on 9X it writes a registry startup item instead) and runs automatically at every boot. Once running, it starts G_Server.dll and G_Server_Hook.dll and then exits. G_Server.dll implements the backdoor and communicates with the controlling client; G_Server_Hook.dll hides the Trojan by intercepting API calls. That is why, once infected, you can see neither the Trojan files nor the service it registered. Depending on how the server was configured, G_Server_Hook.dll is sometimes injected only into the process space of Explorer.exe and sometimes into every process.
Manual detection of Gray Pigeon
Because Gray Pigeon intercepts API calls, the Trojan files and the service item it registered are hidden in normal mode: even with "show all hidden files" enabled you cannot see them. Moreover, the server file names can be customised, which makes manual detection harder.
Careful observation shows, however, that detecting Gray Pigeon still follows a pattern. From the analysis of how it operates, whatever the custom server file name is, a file ending in "_Hook.dll" is usually generated in the operating system's installation directory. This gives us a reliable way to detect the Gray Pigeon Trojan by hand.
In normal mode Gray Pigeon hides itself, so detection must be done in Safe Mode. To enter Safe Mode, press F8 while the computer starts, before the Windows startup screen appears (or hold Ctrl during startup), and choose "Safe Mode" from the menu.
1. Because the Gray Pigeon files have the hidden attribute, first set Windows to show all files. Open "My Computer", choose "Tools" > "Folder Options", click the "View" tab, clear the check box "Hide protected operating system files", select "Show all files and folders" under "Hidden files and folders", and click "OK".
2. Open Windows file search, enter "_hook.dll" as the file name, and select the Windows installation directory as the location (by default C:\Windows on 98/XP, C:\Winnt on 2000/NT).
3. When the search finishes, a file named Game_Hook.dll is found in the Windows directory (not in a subdirectory). By the naming rule above, its companions should be Game.exe and Game.dll. Open the Windows directory: both files are there, along with a GameKey.dll used to record keystrokes.
After these steps we can be fairly sure that these files belong to the Gray Pigeon Trojan, and we can remove them manually as described below. Also, if you find a Gray Pigeon variant that Rising antivirus does not detect, you are welcome to upload samples to Rising's new-virus reporting site (http://up.rising.com.cn).
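The naming rule and the service check above, written as a small Python triage script; this is an added example, not code from the original article or from Rising. The directory listing and the .reg-style export are constructed sample data modelled on the walkthrough (the Game_Server service and its files are sample names, not indicators), and the script generalises the rule to any custom base name.

```python
import re
from pathlib import PureWindowsPath

# Constructed listing of a Windows install directory (sample values, not a real capture).
SAMPLE_LISTING = ["explorer.exe", "notepad.exe", "win.ini", "Game.exe", "Game.dll",
                  "Game_Hook.dll", "GameKey.dll", "Other_Hook.dll", "other.dll"]

# Constructed .reg-style export of the Services key (sample values, not a real dump).
SAMPLE_REG_EXPORT = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Game_Server]
"ImagePath"="C:\\WINDOWS\\Game.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="C:\\WINDOWS\\system32\\spoolsv.exe"
"""

def find_hook_candidates(listing):
    """Article's rule: whatever the custom name, the server drops <base>_Hook.dll next to
    <base>.exe and <base>.dll (sometimes <base>Key.dll). Returns {base: [files present]}."""
    names = {n.lower(): n for n in listing}          # case-insensitive, like FAT/NTFS
    found = {}
    for lower, original in names.items():
        if not lower.endswith("_hook.dll"):
            continue
        base = original[:-len("_Hook.dll")]
        companions = [original]
        for suffix in (".exe", ".dll", "Key.dll"):
            hit = names.get((base + suffix).lower())
            if hit:
                companions.append(hit)
        found[base] = companions
    return found

def find_services_for(reg_export, exe_names):
    """Registry-side counterpart of the file search: walk a .reg export of the Services key
    and return {service key: ImagePath} for services whose ImagePath names one of exe_names."""
    wanted = {e.lower() for e in exe_names}
    matches, current = {}, None
    for line in reg_export.splitlines():
        key = re.match(r"^\[(.+)\]$", line.strip())
        if key:
            current = key.group(1)
            continue
        val = re.match(r'^"ImagePath"="(.+)"$', line.strip())
        if val and current:
            path = val.group(1).replace("\\\\", "\\")   # undo .reg backslash escaping
            if PureWindowsPath(path).name.lower() in wanted:
                matches[current] = path
    return matches
```

A base that has both the .exe and .dll companions and a service pointing at the .exe matches every element of the article's description; a lone *_Hook.dll with no companions deserves a closer look before anything is deleted.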
Manual removal of Gray Pigeon
After the analysis above, removing Gray Pigeon is easy. The program files still have to be removed in Safe Mode. There are two main steps: 1. remove the Gray Pigeon service; 2. delete the Gray Pigeon program files.
Note: to avoid mistakes, back up your data before removing anything.
I. Removing the Gray Pigeon service
2000/XP systems:
1. Open the Registry Editor (click "Start", click "Run", enter "regedit.exe" and click OK) and navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key.
2. Click "Edit" > "Find" in the menu bar, enter "game.exe" as the search target, and click "OK" to locate the service item (Game_Server in this example).
3. Delete the entire Game_Server key.
98/ME systems:
On 9X Gray Pigeon has only a single startup item, so removal is easier. Run the Registry Editor, open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and delete the game.exe entry as soon as you see it.
II. Deleting the Gray Pigeon program files
Deleting the program files is very simple: in Safe Mode, delete game.exe, Game.dll, Game_Hook.dll and GameKey.dll from the Windows directory and then restart the computer. With that, Gray Pigeon is removed.