Virus and Trojan Detection and Removal: Manually Killing a QQ Account-Stealing Trojan
I. Preface
In the previous article "Virus and Trojan Detection and Removal No. 002: Manually Killing Panda Burning Incense", I detected and removed the "Panda Burning Incense" virus essentially without using any tools. After all, "Panda Burning Incense" is a relatively simple virus that does not use any particularly strong self-protection techniques, so it can be dealt with entirely by hand. However, the malware studied this time is not that simple: it uses process protection, so conventional methods cannot be used to detect and remove it. This time I therefore introduce two tools, IceSword and Autoruns, to get the job done.
II. Basic Information About the Virus
The subject of this study is a QQ account-stealing Trojan. To avoid unnecessary trouble, I again do not provide the virus sample here. Its basic information is as follows:
File Name: OSO.exe
MD5: 0a2ba47887c20abbb42d0a1dd436d9b4
Sha-1: f2164baba4634eddc7f2f69acf4a1e6225624786
File Size: 95KB
The virus samples found on the Internet may differ from mine, but they are essentially the same, and the core ideas of detection and removal are the same. In this article I will be as detailed as possible, so that you can get as much as possible out of reading it.
First, I copy the virus sample, IceSword and Autoruns into the virtual machine configured earlier (be sure to back up your data first):
Figure 1: Configuring the experiment environment
III. Virus Detection and Removal
Check the Task Manager before running the virus:
Figure 2: Task Manager before the virus runs
As shown in figure 2, there are 19 processes in the system before the virus runs. Now run the virus program and check the Task Manager again:
Figure 3: Task Manager after the virus runs
Compared with figure 2, three new processes have appeared, and of course these three processes should be treated as the prime suspects. A note on one of them: conime.exe is a legitimate system process. It does not start automatically with the system; it starts only when the command line (cmd) is launched, and deleting or terminating it may make it difficult to enter special characters. This process also no longer runs on newer Microsoft systems. Here, the virus impersonates this process name.
Try to close the three processes directly in the Task Manager. Right-click the first one, severe.exe, select "End Process" (or "End Process Tree"), and click "OK" in the dialog box that appears. The process can indeed be closed, but it soon runs again automatically. Obviously the three virus processes protect each other: when one of them is terminated, the other two are still running and restart it, so none of them can be closed, which is how the process protection is achieved. It is precisely because of this that conventional methods no longer work and a professional detection and removal tool is needed. Here I use IceSword.
But another problem appears: double-clicking the IceSword program copied to the desktop does nothing, so we can assume that the virus is blocking this program. After all, this tool is so well known that any virus with even slight self-protection will block it, and the simplest way to block it is by file name. In this case, rename icesword.exe to a different name and run it again:
Figure 4: Renaming icesword.exe and opening it again
It can be seen that it now opens normally. Use IceSword to view the current processes:
Figure 5: Viewing the current processes with IceSword
The process icons also show that there are currently three suspicious processes (not the "Notepad" program, but processes using the "Notepad" icon). We can also clearly see the paths of the virus files. To end these three processes at the same time, click "File" in the IceSword menu bar, select "Create Process Rule", and select "Add Rule" in the dialog box that pops up. In the "Add Process Rule" dialog box that appears, set "Action" to "Forbidden", under "Sub-process" select "File name", enter the process names of the three virus programs, and click "OK":
Figure 6: Adding process rules
After the three process names have been added to the process rules, we can successfully end the three processes in IceSword. Next we need to delete the virus's startup items. Here we open Autoruns:
Figure 7: Viewing startup items with Autoruns
Under the "Everything" tab of the initial view, two suspicious startup items are easy to spot, because they are executable programs that use the "Notepad" icon and have neither a "Description" nor a "Publisher". Of course, items with these characteristics are not necessarily viruses on their own, but the creation time of these two startup items is also quite recent, so it is necessary to delete both of them here. Select the startup item to be deleted and press the "Delete" key. Next, let's look at the very important "Image Hijacks" tab:
Figure 8: Viewing image hijacks
I have discussed image hijacking in a previous article (for details, see Antivirus Attack and Defense Study No. 002: Ghost program). This explains why IceSword could not be started earlier. The virus has also hijacked mainstream antivirus software and other programs. Here, too, we can use the "Delete" key to remove these hijacks. Of course, you can also check the contents of tabs such as "Winlogon" and "Scheduled Tasks" for a more thorough cleanup; since they are not important here, they will not be discussed further.
The final task is to delete the virus body itself. This is basically the same as in the previous manual detection and removal of "Panda Burning Incense".
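The image hijacks that Autoruns shows under its "Image Hijacks" tab are "Debugger" values under the Image File Execution Options (IFEO) registry key: when such a value exists for a program name, Windows launches the named "debugger" instead of the program, which is how the renamed-file trick above works. The following added example (my own code, not part of the original article or of the tools it describes) parses a .reg export of that key and lists every image name that has been redirected; the sample export, the file names in it and the placeholder antivirus name are constructed for illustration.

```python
import re

# Constructed sample of an exported IFEO key; the redirected names and the
# debugger path are illustrative, not taken from a real infected system.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\WINDOWS\\system32\\severe.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example_av.exe]
"Debugger"="C:\\WINDOWS\\system32\\severe.exe"
"""

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options" + "\\")


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_value_literal}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:                       # "[HKEY_...]" starts a new key
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def reg_string(raw):
    """Turn a quoted REG_SZ literal from a .reg file into a plain string."""
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return raw.replace('\\\\', '\\').replace('\\"', '"')


def find_image_hijacks(text):
    """Return (image_name, debugger_path) for every IFEO key with a Debugger value."""
    hits = []
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(IFEO_KEY.lower()):
            continue
        dbg = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if dbg is not None:
            hits.append((key[len(IFEO_KEY):], reg_string(dbg)))
    return hits


if __name__ == "__main__":
    for image, dbg in find_image_hijacks(SAMPLE_REG):
        print(f"{image} is redirected to {dbg}")
```

A legitimate Debugger value is rare on an ordinary workstation, so any image name that is redirected to a file in a system directory, as in the sample, deserves the same treatment the article gives it: delete the value and then remove the file it points to.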
IV. Summary
In fact, this virus has many more hidden components, but since they are not the focus they are not discussed at length. This article mainly explains the basic use of IceSword and Autoruns in virus detection and removal. I hope you can master them; after all, they are both powerful tools for manual virus detection and removal.