IRC backdoor virus and manual removal method _ security related

At the beginning of 2004, IRC backdoor virus began to appear on the global network on a large scale. On the one hand, there is a potential risk of leaking local information, on the other hand, the virus appears in the local area network congestion, affecting the normal work, resulting in losses.

At the same time, because the source of the virus is open, anyone to get the source code after a little modification can be compiled to create a new virus, plus different shells, resulting in a large number of IRC back door virus mutation emerged. There are also a number of viruses after each run will be deformed, to the virus to bring great difficulties. This article first introduces the IRC backdoor virus from the technical point of view, then introduces its manual removal method.

I. Technical reports

IRC virus set hacker, worm, backdoor function in one, through the LAN share directory and system vulnerabilities to spread. The virus comes with a simple password dictionary, and a user who does not set a password or password is too simple can make the system vulnerable to viruses.

The virus will copy itself to the system directory (Win 2k/nt/xp OS for system disk System32,win9x system), file attributes hidden, name indeterminate, here is assumed to be xxx.exe, there are generally no icons. The virus writes the registry startup entry at the same time, and the item name is indeterminate, assuming yyy. Unlike viruses, written startup items are not the same, but they certainly contain this:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\run\yyy:xxx.exe
Other items that may be written are:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
\run\ Yyy:xxx.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\runservices\ Yyy:xxx.exe
A few will write the following two items:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\runonce\yyy:xxx.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
\runonce\yyy:xxx.exe
In addition, some IRC viruses will register themselves as service launches under 2K/NT/XP.

The virus automatically attempts to connect to specific IRC server channels at certain times to prepare for hacker control. Hackers only need to send different instructions in the chat room, the virus will perform different operations locally, and the local system return information sent back to the chat room, resulting in user information leakage. This backdoor control mechanism is relatively novel, instant users are aware of the loss, it is very difficult to trace the hacker.

The virus scans the current and adjacent segments of the machine and guesses the login password. This process will occupy a large number of network bandwidth resources, easy to cause LAN congestion, many domestic business users have been affected.

For the purpose of protecting computers controlled by IRC viruses, some IRC viruses will cancel anonymous login and DCOM functionality. Canceling an anonymous login prevents other viruses from guessing that the password infects itself, and disabling DCOM enables the system to be protected from other viruses that are spread by exploiting RPC vulnerabilities.

Two, manual removal method

All IRC backdoor viruses add their own startup entries under Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and the item values are only file names, no paths, This gives us a clue to the trail. We can safely clear out the IRC virus by following steps.

1, open Registry Editor, navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run item, find the project of suspicious files.

2. Open Task Manager (press Alt+ctrl+del or right-click in the taskbar, select Task Manager), and locate and end the process corresponding to the registry file entry. If the process cannot end, you can switch to Safe mode for operation. Enter Safe Mode by starting your computer, pressing the F8 key (or holding down the CTRL key while you start the computer) before the system enters the Windows splash screen, and selecting "Safe Mode" or "safe modes" in the Startup options menu that appears.

3. Then open "My Computer", select "Folder Options" under the Tools menu, select "Show All Files" and click "OK". Then go into the system folder, find the suspect file and transfer it or delete, to this step of the virus even clear.

4, the final can manually remove the registration table virus Startup Items can also be used to remove the Registry Repair tool.

If you found the rising anti-virus software can not find the IRC virus, but also welcomed the landing of the new virus reported the site http://up.rising.com.cn upload samples.

III. Security Recommendations

1. Establish good safety habits
Do not easily open a number of dubious messages and their attachments, do not easily log on to unfamiliar websites. Files downloaded from the Internet should be checked before running.

2. Turn off or remove unwanted services from the system
By default, the operating system installs some ancillary services, such as FTP clients, Telnet, and the WEB server. These services are convenient for attackers and are not useful to most users. Removing them can greatly reduce the likelihood of being attacked.

3. Frequently upgrade security patches
According to statistics, most network viruses are transmitted through the system and IE security vulnerabilities, such as: Shock wave, shock waves, SCO bombs ac/ad and other viruses. If the machine has a loophole, it is likely to cause repeated virus infection, can not clear clean. So be sure to log on regularly to the Microsoft Upgrade website http://windowsupdate.microsoft.com) To download and install the latest security patches. At the same time can also use the rising antivirus software with the "Rising vulnerability Scan" regularly check the system.

4. Set up a complex password
There are many network viruses that attack the system by guessing simple passwords. Therefore, the setting of complex passwords (combination of uppercase and lowercase letters, numbers, special symbols, more than 8 digits) will greatly improve the safety factor of the computer and reduce the probability of being attacked by the virus.

5. Rapid isolation of infected computers
When your computer discovers a virus or unusual condition, cut off the network connection immediately to prevent the computer from being more severely infected or damaged, or to become infected with other computers as a source of communication.

6. Often know some anti-virus information
Always log on to the official homepage of the information security manufacturer to get the latest information. This allows you to discover new viruses in a timely manner and to handle them in a timely and accurate manner when a computer is infected with a virus. For example, understanding some of the registry knowledge, you can periodically see whether the registry from the startup item has a suspicious key value, understand some of the program process knowledge, you can see if there are suspicious programs in memory.

7. It is best to install a professional anti-virus software for overall monitoring
With the rapid progress of virus technology today, the use of professional anti-virus software to protect the computer is still the best choice to ensure information security. After users have installed anti-virus software, it is necessary to turn on real-time monitoring features and often upgrade to prevent the latest viruses, so as to truly ensure the security of the computer.