How the Ghost Shadow virus gets into the system and the symptoms after infection

Source: Internet
Author: User

PS: An analysis report is available at: http://www.bkjia.com/Article/201003/45760.html

The Ghost Shadow virus is a rare, technically sophisticated virus for recent years, and its author has superb programming skills. Because of restrictions in Windows XP, attempts to rewrite the MBR from inside the running system may fail, which is a major reason boot-sector viruses had almost died out. The technique of bypassing Windows XP's security restrictions and modifying the MBR directly was circulated mainly on foreign technical forums; before the Ghost Shadow virus it had rarely been used by attackers on a large scale. Kingsoft security lab engineers said that the Ghost Shadow virus currently targets only Windows XP and cannot damage Vista or Windows 7.


According to researchers at Kingsoft security lab, only a handful of Chinese security vendors and anti-virus experts can fully analyze the Ghost Shadow virus. Because the virus lives in the hard disk's Master Boot Record (MBR), and the driver it releases can disable most security tools and system utilities, it is difficult to remove an infection with existing tools. Kingsoft security lab is preparing a dedicated removal tool for Ghost Shadow.


Kingsoft Antivirus (Duba) has been upgraded to detect and remove the parent file that carries the Ghost Shadow virus, so that fewer users are affected; users only need to update online to obtain the corresponding protection. Kingsoft Network Security has added the malicious web pages that spread the virus to its blocked-access list to stop more users from downloading this mysterious Ghost Shadow virus.


Characteristics of the Ghost Shadow virus


It does not need to terminate all anti-virus software on the host.


Once the virus enters the computer, it hides outside the file system like a ghost: it has no file, no system startup item, and no process module. It loads before the system does, stops all anti-virus software, and downloads AV Terminator, account-stealing trojans, IE homepage hijackers, and many other pieces of malware.


Reinstalling the system in the traditional way cannot remove it.


An ordinary computer virus is an application inside the Windows system and runs only after Windows has loaded. The main code of the Ghost Shadow virus, by contrast, lives in the hard disk's Master Boot Record (MBR), so even if the user reinstalls the system it is not completely removed. When the system restarts, the virus is loaded before the operating system kernel. Once it is running, nothing abnormal can be found among processes or startup items, and the virus haunts the infected computer like a ghost shadow. Ghost Shadow is the first boot-sector downloader virus seen in China. It overturns the characteristics of traditional viruses and users' habits for dealing with them: it achieves the "three nones" (no file, no system startup item, no process module) and it survives into the user's freshly installed system even after a reinstall.


Security software fails and the computer slows down


After the Ghost Shadow virus gets in, the driver it releases rewrites the hard disk MBR (Master Boot Record). During boot, the driver attacks a large number of anti-virus products to disable them and then downloads the traditional AV Terminator trojan, whose purpose is still to spread trojans that steal users' virtual property. After infection, the most obvious symptoms are that security software cannot run normally, the computer slows down noticeably, and the IE homepage is changed.


Symptoms of an infected computer


1. The computer is extremely sluggish and programs visibly freeze. Common anti-virus software cannot be opened normally, and the problem persists even after repeated system reinstalls.


2. After system files are infected, the system reports that a DLL cannot be found or that a system function is abnormal. Currently, rpcss.dll and ddraw.dll are the system DLLs most often modified by the trojans.


3. The user's QQ account is stolen and used by attackers to spread advertisements. Game accounts such as Warcraft, DNF, Tianlong Babu, and Fantasy Westward Journey are stolen.


4. An icmd.exe process exists and connects to an abnormal website.


5. "ali.exe 6" appears on the desktop, and an unwanted "Player" shortcut cannot be deleted.


How the Ghost Shadow virus works


The Ghost Shadow virus disguises itself as shareware and tricks users into downloading and installing it. When it runs, it drops two drivers onto the user's computer and loads them. The first driver modifies the system's boot area (MBR) and writes driver B to the disk, so that the virus runs before the system starts and its files are stored outside the file system. After the system boots, the virus is loaded in memory, but no startup item, no virus file, and no process module can be found.


After the system restarts, the malicious code in the boot area monitors the entire Windows startup process. When the system loads the ntldr file, malicious code is inserted that loads driver B from the fifth sector of the boot area. Once driver B is loaded, it monitors every process module in the system and terminates any security software process it finds. Driver B then downloads AV Terminator and runs it. AV Terminator modifies system files, adds image-hijacking (Image File Execution Options) entries for a large number of security software processes, and downloads many trojans to steal users' virtual property. The virus targets only Windows XP and cannot damage Vista or Windows 7.
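The behaviour described above (boot code rewritten, partition table left intact, a second driver stored in a reserved sector before the first partition) is what a responder looks for when triaging a disk image. The following Python script is an added example, not code from the article or from Kingsoft. It builds a small constructed 63-sector disk image in memory, then runs three checks a practitioner would apply to a real image: the 55AA boot signature, a hash of the 446-byte boot-code area against a known-good baseline, and a scan of the reserved sectors between the MBR and the first partition for non-zero data. The sample boot code, partition entry and "driver" blob are stand-ins, and placing the payload at LBA 5 is this example's reading of the article's "fifth sector".

```python
"""Inspect an MBR-style disk image for bootkit-style tampering.

Added example (not from the original article). All sample data is
constructed in build_clean_image()/build_infected_image().
"""
import hashlib
import struct

SECTOR = 512
PARTITION_TABLE_OFFSET = 446          # boot code is bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510..511 of a valid MBR


def parse_partition_table(mbr: bytes):
    """Return (start_lba, sector_count, type_id) for each non-empty entry."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        _status, _chs1, ptype, _chs2, start_lba, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype != 0:
            entries.append((start_lba, count, ptype))
    return entries


def first_partition_start(mbr: bytes) -> int:
    """LBA of the lowest partition; everything before it is 'reserved'."""
    parts = parse_partition_table(mbr)
    return min(p[0] for p in parts) if parts else 1


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code area only (partition table excluded,
    so a legitimate repartition does not change the hash)."""
    return hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest()


def find_nonempty_reserved_sectors(image: bytes, first_lba: int):
    """Reserved sectors (LBA 1 .. first_lba-1) are normally all zero on an
    XP-era disk; return the LBAs that contain any non-zero byte."""
    hits = []
    for lba in range(1, first_lba):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if any(sector):
            hits.append(lba)
    return hits


def inspect_image(image: bytes, known_good_hash: str) -> dict:
    """Run the three checks and return the findings as a dict."""
    mbr = image[:SECTOR]
    first_lba = first_partition_start(mbr)
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_modified": boot_code_hash(mbr) != known_good_hash,
        "nonempty_reserved_sectors": find_nonempty_reserved_sectors(image, first_lba),
    }


def build_clean_image() -> bytes:
    """Constructed sample: 63 sectors, stand-in boot code (not real code),
    one partition starting at LBA 63 (classic XP layout), 55AA signature."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (PARTITION_TABLE_OFFSET - 3)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 2_000_000)
    mbr = boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE
    return mbr + b"\x00" * (SECTOR * 62)


def build_infected_image() -> bytes:
    """Constructed sample mimicking the article: first bytes of the boot
    code altered (stand-in bytes, not malicious code), partition table
    untouched, and a stand-in 'driver B' blob written to LBA 5."""
    img = bytearray(build_clean_image())
    img[0:3] = b"\xeb\x3c\x90"
    payload = b"DRV_B" * 100                      # 500 bytes, constructed
    img[5 * SECTOR:5 * SECTOR + len(payload)] = payload
    return bytes(img)


if __name__ == "__main__":
    # Baseline hash would normally come from a clean install of the same OS.
    baseline = boot_code_hash(build_clean_image()[:SECTOR])
    print("clean   :", inspect_image(build_clean_image(), baseline))
    print("infected:", inspect_image(build_infected_image(), baseline))
```

On a real case the image would be a raw dump taken from a machine booted from clean media, and the baseline hash would be recorded from a known-good disk of the same OS version; the reserved-sector check is the one that catches the stored driver even when the boot-code baseline is unavailable.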


How to handle the Ghost Shadow virus


Reinstall the system: format drive C, boot into DOS, and run fdisk /mbr to clear the virus boot code from the master boot record, then reinstall the system. This works for a full installation; if you install the system from a GHOST image, follow these steps instead:


1. Boot from the GHOST system disk and open the PQ/PM partition tool (it is usually included on the GHOST system disk).


2. Right-click drive C and select the "Advanced" function. This rewrites the MBR boot layer, eliminating the virus in the boot layer.


3. Install the system directly from the GHOST system disk. [3]


How to remove the virus manually in DOS


Step 1: Get the dedicated tool. We recommend "One-Click GHOST" here; the DISKRW tool in its DOS toolbox can solve the problem completely.


Step 2: Remove the MBR virus


1. Clear the hard disk's reserved sectors other than the MBR. Install or create "One-Click GHOST" and start it into GHOST with one click. When the red page appears, press ESC to return to the main menu. Use the arrow keys to select "DOS toolbox" --> "DISKRW" --> "3. Clear" --> "Clear (2)" --> OK. (Note: use the 2010 version if possible; earlier versions do not support this function.)


2. Repair the MBR (this key step must be done). Go back to the previous menu and select "4. Repair" --> "Repair (F)" --> OK.


Step 3: Reinstall or restore the system. After step 2 is complete, do not restart into Windows, or the computer will be re-infected. The correct method is to put the system installation CD into the optical drive and reinstall the system. Alternatively, if you have a local system backup (one made before the infection, of course), you can use the "One-Click Recovery System" function to restore it.


Step 4: Finish the clean-up. After returning to Windows, update your anti-virus software to the latest version (latest virus database) and run a "Full scan", so that the virus host files left on non-system drives (such as drive D, E, or F) are removed and the infection is eradicated at the root.
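The two disk-level actions in the procedure above, rewriting the MBR boot code (fdisk /mbr, DISKRW "Repair", or MBRFix later on this page) and clearing the reserved sectors other than the MBR (DISKRW "Clear"), both have to preserve the partition table or the disk becomes unbootable. The following Python script is an added example, not the article's procedure or any of these tools' code: it performs the same two actions on a constructed in-memory disk image and then verifies that only the intended bytes changed. The known-good boot code is an assumption (a stand-in pattern); on a real disk it would be taken from a clean install of the same OS, and the operation would be done offline from clean boot media, as the article's own steps require.

```python
"""Rebuild the MBR boot code and wipe the reserved track of a disk image,
preserving the partition table. Added example, not the article's or any
tool's code; the sample image and boot code are constructed stand-ins."""

SECTOR = 512
BOOT_CODE_LEN = 446                   # bytes 0..445; table and 55AA follow
BOOT_SIGNATURE = b"\x55\xaa"

# Assumed known-good boot code: a stand-in pattern, not a real boot sector.
GOOD_BOOT_CODE = b"\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 4)

# One constructed partition entry: bootable, type 0x07, starting at LBA 63.
PARTITION_TABLE = (bytes([0x80, 1, 1, 0, 0x07, 0xfe, 0xff, 0xff])
                   + (63).to_bytes(4, "little")
                   + (2_000_000).to_bytes(4, "little")
                   + bytes(48))


def repair_mbr(image: bytes, known_good_boot_code: bytes,
               first_partition_lba: int) -> bytes:
    """Return a copy of the image with the boot code replaced and the
    reserved sectors (LBA 1 .. first_partition_lba-1) zeroed. The partition
    table and signature (bytes 446..511) are kept byte-for-byte."""
    if len(known_good_boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 446 bytes")
    if image[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 55AA signature; refusing to touch a non-MBR image")
    fixed = bytearray(image)
    fixed[:BOOT_CODE_LEN] = known_good_boot_code
    reserved_len = SECTOR * (first_partition_lba - 1)
    fixed[SECTOR:first_partition_lba * SECTOR] = bytes(reserved_len)
    return bytes(fixed)


def verify_repair(original: bytes, repaired: bytes, known_good_boot_code: bytes,
                  first_partition_lba: int) -> bool:
    """True only if the table is unchanged, the boot code matches the
    baseline, the reserved track is all zero, and partition data is intact."""
    table_unchanged = original[BOOT_CODE_LEN:SECTOR] == repaired[BOOT_CODE_LEN:SECTOR]
    code_ok = repaired[:BOOT_CODE_LEN] == known_good_boot_code
    reserved_clear = not any(repaired[SECTOR:first_partition_lba * SECTOR])
    data_untouched = (original[first_partition_lba * SECTOR:]
                      == repaired[first_partition_lba * SECTOR:])
    return table_unchanged and code_ok and reserved_clear and data_untouched


def build_infected_sample() -> bytes:
    """Constructed image: tampered boot code (stand-in bytes), intact
    partition table, a stand-in blob at LBA 5, and one sector of
    partition data at LBA 63 carrying a recognisable marker."""
    mbr = b"\xeb\x3c" + b"\xcc" * (BOOT_CODE_LEN - 2) + PARTITION_TABLE + BOOT_SIGNATURE
    reserved = bytearray(SECTOR * 62)            # LBA 1 .. 62
    reserved[4 * SECTOR:4 * SECTOR + 5] = b"DRV_B"   # LBA 5 = index 4 here
    partition = b"NTFS-data" + bytes(SECTOR - 9)     # LBA 63
    return mbr + bytes(reserved) + partition


if __name__ == "__main__":
    sample = build_infected_sample()
    fixed = repair_mbr(sample, GOOD_BOOT_CODE, 63)
    print("repair verified:", verify_repair(sample, fixed, GOOD_BOOT_CODE, 63))
```

The refusal on a missing 55AA signature matters in practice: writing boot code onto something that is not an MBR disk (a GPT disk, or the wrong device) does more damage than the infection.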


Detection and removal in Windows XP with MBRFix and 360 Security Guard


Step 1: Open the Task Manager (nat.exe).


Step 2: Open 360 Security Guard and select System Repair to repair the system.


Step 3: Download the MBRFix tool from the Internet, open CMD in XP to get a command prompt, run MbrFix /drive 0 fixmbr /yes, and confirm.


Ghost Shadow virus removal tool


One characteristic of the Ghost Shadow virus is that security software cannot run normally. The total number of infected computers is currently about 300,000. If you find that the security software installed on your computer has inexplicably stopped working and the usual repair tools cannot run, try the dedicated Ghost Shadow removal tool released by Kingsoft Security Center to check and repair the system. At present this tool handles only the Ghost Shadow virus before any variants appear; once the virus mutates, the tool will no longer be effective. Kingsoft reminds everyone to pay attention to network protection and to run anti-virus scans regularly; Kingsoft Antivirus (Duba) can already remove the Ghost Shadow parent file.


Analysis of the spread of the Ghost Shadow virus: Kingsoft's cloud security system analyzed how often the malware was downloaded and, combined with traffic analysis of the websites spreading the virus, estimated its daily download volume at between 2 and 3 million.


The future of the Ghost Shadow virus


The Ghost Shadow virus has set a precedent for malware development in China. Its source code is expected to become a hot commodity in the underground industry chain, and in the future more malware may use Ghost Shadow's MBR-rootkit technique to persist on users' computers for a long time. Every new generation of virus gives security vendors a headache.


Introduction to the latest Internet cafe Ghost Shadow virus


The Ghost Shadow virus lives in the disk's Master Boot Record (MBR) and cannot be removed even by formatting and reinstalling the system. When the system restarts, the virus is loaded before the operating system kernel. Once it is running, nothing abnormal can be found among processes or startup items, and the virus haunts the infected computer like a ghost shadow.


The following is a list of restore products that were tested (the driver firewall was not tested; these results are for reference only):

<1>. Full range of restoration software (including the latest version; cannot be penetrated when the driver firewall is enabled)

<2>. Fast restore (including the latest version)

<3>. Easy to restore (including the latest version)

<4>. Polar restoration (including the latest version)

<5>. Shell restoration (including the latest version)

<6>. The latest version is available)

<7>. Movie subsystem (including the latest version)

<8>. shengtian restoration (including the latest version)

<9>. Restore the ice (including the latest version)

<10>. Restore wizard (including the latest version)

<11>. Small sentinel recovery card

<12>. triming recovery card

<13>. Founder disk Protector

<14>. 360 restore protection, most of which are dog-proof patches, and the restore tools of all brand-name computer makers (such as Lenovo, DELL, SONY, and Samsung).


Description of the virus's behaviour


1. After the Ghost Shadow parent file runs, it drops two drivers onto the user's computer and loads them. Other rogue software bundled with the parent file modifies desktop shortcuts and tries to modify IE settings. (Analysis: the distributors probably intend this to divert security vendors' attention so that the real parent of the virus stays better hidden.)


2. Driver A modifies the system's Master Boot Record (MBR) and writes driver B to the disk, so that the virus runs before the system starts and its files are stored outside the file system. After the system boots, the virus is loaded in memory, but no startup item, no virus file, and no process module can be found. (The Ghost Shadow virus is a rare, technically sophisticated virus for recent years, and its author has superb programming skills. Because of restrictions in Windows XP, attempts to rewrite the MBR from inside the running system may fail, which is a major reason boot-sector viruses had almost died out. The technique of bypassing Windows XP's security restrictions and modifying the MBR is generally called an MBR rootkit; it circulated mainly on foreign technical forums and, before the Ghost Shadow virus, was rarely used by attackers.)


3. The virus parent file deletes itself.

4. After the system restarts, the malicious code in the Master Boot Record (MBR) monitors the entire Windows startup process.
