Mac OS X, continued: Security Warning. The virus is around you.
This is a heavy mood! This spyware is in contact with us in China again! I think it is because Google told China not to do evil and accused China of what it had been doing over the past few days. The result is that the foreign bosses think that the Chinese people make viruses, that they steal their private information through Trojans, that there are dedicated hacker schools, and even that this virus was made in China. What does this mean? It means that this is how the Chinese look in their eyes, because most of them are crude people, their brains are straight, and they take hearsay as fact. In addition, the conspiracy plot is very heavy, and it is useless to explain anything to them. On the one hand, they absolutely trust their own media; on the other hand, they need to find a way to vent their usual dissatisfaction. Unfortunately, Chinese people have become another target of their venting.
There is not much more to say. Back to the question: the reason is that this has a connection with China. That is, I don't want to draw conclusions; although the following technical analysis is indeed related to a server in Hangzhou, I would rather believe that it is a zombie than that it actually points directly to our own server. That would undoubtedly be silly and self-defeating. If it really is a zombie, you really need to pay more attention to computer and network security and improve your awareness and preventive measures; otherwise you become a fool who has been sold and still counts the money for the buyer. Chinese people are not stupid. Some may be tempted by the money in front of them, so they sell themselves. I say, next time I will sell myself for a good price, so that I don't have to worry about it for at least two years, okay?!
2. Technology
Everything above is venting. If you only want the technical part, start here:
First, let's talk about how to completely remove the spyware and execute the following command:
sudo launchctl unload -w /Library/LaunchDaemons/PremierOpinion.plist
sudo rm /private/tmp/poinstaller
sudo rm /private/tmp/script.sh
sudo rm -rf /private/tmp/installtmp
sudo rm -rf /private/tmp/autoupgrade
sudo rm -rf /private/tmp/tapinstaller
sudo rm -rf /Applications/PremierOpinion
sudo rm /private/var/db/.AccessibilityAPIEnabled
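As an added example, not code from the original post: a POSIX shell scanner that looks for the same artifacts the removal commands above delete, so you can confirm an infection (or scan a mounted disk image) before deleting anything. The function names and the ROOT parameter are my own; the paths are the ones in the post with standard macOS capitalization. The launchd check assumes the daemon's label contains "premieropinion" (the post gives only the plist path), and .AccessibilityAPIEnabled is also created legitimately when assistive device access is enabled, so on its own it is weak evidence.

```shell
#!/bin/sh
# Added example, not code from the original post: inventory the
# PremierOpinion artifacts that the post's removal commands delete, so an
# infection can be confirmed (or a mounted disk image scanned) before
# anything is removed. ROOT defaults to "/"; pointing it at another tree
# is my own addition for offline use and testing.

# Relative paths, taken from the removal commands in the post (standard
# macOS capitalization; the file system is case-insensitive by default).
po_artifacts() {
    cat <<'EOF'
Library/LaunchDaemons/PremierOpinion.plist
private/tmp/poinstaller
private/tmp/script.sh
private/tmp/installtmp
private/tmp/autoupgrade
private/tmp/tapinstaller
Applications/PremierOpinion
private/var/db/.AccessibilityAPIEnabled
EOF
}

# po_scan [ROOT]: print one "FOUND dir|file PATH" line per artifact present
# under ROOT. Returns 0 when nothing was found, 1 otherwise, so it can be
# used as a condition. Directories are reported separately because the
# post removes them with rm -rf rather than rm.
po_scan() {
    root=${1:-/}
    root=${root%/}
    found=0
    for rel in $(po_artifacts); do
        p="$root/$rel"
        note=""
        # This file is also created legitimately when "Enable access for
        # assistive devices" is switched on, so on its own it is weak evidence.
        case "$rel" in
            *.AccessibilityAPIEnabled) note=" (weak: also set by assistive access)" ;;
        esac
        if [ -d "$p" ]; then
            printf 'FOUND dir  %s%s\n' "$p" "$note"
            found=1
        elif [ -e "$p" ]; then
            printf 'FOUND file %s%s\n' "$p" "$note"
            found=1
        fi
    done
    return $found
}

# po_launchd: on a live Mac, also ask launchd whether the daemon is loaded.
# The label is assumed (not given in the post) to contain "premieropinion".
# Skipped silently where launchctl does not exist.
po_launchd() {
    command -v launchctl >/dev/null 2>&1 || return 0
    launchctl list 2>/dev/null | grep -i premieropinion || true
}

# Run against the first argument, or the live system when none is given.
po_scan "${1:-/}" || echo "artifacts present under ${1:-/}: run the removal commands above"
po_launchd
```

Run it as `sh po_scan.sh` on the suspect machine, or `sh po_scan.sh /Volumes/SuspectDisk` against a mounted image; a non-zero exit means at least one artifact was found.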
How to find the sources
Downloading the Mishinc FLV to MP3 converter gives you a .jar file. When you unpack and run the installer, it shows a terms page that mentions PremierOpinion. Once you agree, it generates two files in /private/tmp: script.sh and an executable, poinstaller. As soon as you connect to the Internet, it downloads two directories, installtmp and tapinstaller, each holding the same content. The PremierOpinion and installtmp directories contain poinstaller and tapinstaller binaries of different sizes, together with an upgrade.xml file that points to the rule14.xml file on the server post.securestudies.com, which in turn points to the premieropinion.zip file: this is the download of the latest version of the spyware.
If you examine poinstaller carefully, it also contains the website it.kingroutecn.com, which likewise serves a rule14.xml file pointing to another one, PermissionResearch. Whether it is Permission Research or Premier Opinion, both fall within comScore's address range and belong to the same company. This can be confirmed through whois as follows:
Registrant:
tmrg, Inc.
11950 Democracy Dr.
Suite 600
Reston, VA 20190
US
Domain Name: securestudies.com
Administrative Contact, Technical Contact:
Administrator, Domain
tmrg, Inc.
11950 Democracy Dr.
Suite 600
Reston, VA 20190
US
703-438-2000 Fax: 512-727-3144
Record expires on 17-Aug-2010.
Record created on 17-Aug-2005.
Domain servers in listed order:
dns01.iad.comscore.com 66.119.41.13
dns01.ord.comscore.com 4.79.208.231
dns02.iad.comscore.com 66.119.41.25
dns02.ord.comscore.com 4.79.208.20
Key Points
Here, the address of the it.kingroutecn.com website is 218.108.8.85 (do not use ping to find it; use dig, or nslookup on Windows). kingroutecn.com is registered through the US domain company Bluehost.com. A reverse lookup points to the server hidden-master.hzman.net, and looking up that address turns up the information below, which explicitly lists the address, the company and its contacts. If anyone can reach the company, ask them to pay attention to their security.
218.108.8.85 is from China (CN) in Region Southern and Eastern Asia
whois query for 218.108.8.85...
results returned from whois.arin.net:
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 218.0.0.0 - 218.255.255.255
CIDR: 218.0.0.0/8
NetName: APNIC4
NetHandle: NET-218-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: ns1.apnic.net
NameServer: ns3.apnic.net
NameServer: ns4.apnic.net
NameServer: NS-SEC.RIPE.NET
NameServer: tinnie.arin.net
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: whois.apnic.net or http://wq.apnic.net/apnic-bin/whois.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/apnic-info/whois_search2/abuse-and-spamming
RegDate: 2000-12-07
Updated: 2009-10-010-08
OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail: search-apnic-not-arin@apnic.net
# ARIN WHOIS database, last updated 2010-06-03 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html
results returned from whois.apnic.net:
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 218.108.0.0 - 218.109.255.255
netname: wasu
descr: wasu TV & Communication Holding Co., Ltd.
descr: 6/F, Jian Gong building, No. 20 Wen San Road, Hangzhou,
descr: Zhejiang Province, P.R. China 310012
country: CN
admin-c: XZ1291-AP
tech-c: TF142-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
changed: hm-changed@apnic.net 20080123
source: APNIC
person: xianlong Zeng
nic-hdl: XZ1291-AP
e-mail: allon@chinahcn.com
address: No. 9 Shuguang Road, Hangzhou City, Zhejiang Province
phone: +86-0571-28958852
fax-no: +86-0571-85214455
country: CN
changed: ipas@cnnic.cn 20071123
mnt-by: MAINT-CNNIC-AP
source: APNIC
person: Tao Feng
nic-hdl: TF142-AP
e-mail: fengtao@chinahcn.com
address: No. 9 Shuguang Road, Hangzhou City, Zhejiang Province
phone: +86-0571-28958888-8108
fax-no: +86-0571-85214455
country: CN
changed: ipas@cnnic.cn 20100513
mnt-by: MAINT-CNNIC-AP
source: APNIC
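As an added example, not code from the original post: the lookup chain described above (resolve with dig rather than ping, reverse-lookup the address, then whois it) wrapped in a POSIX shell helper, plus a small awk filter that reduces a registry record to the fields that identify the network owner and its contacts. The function names are my own; the live lookup needs dig, whois and network access, while the filter is demonstrated offline on the APNIC portion of the record quoted above, embedded as sample input.

```shell
#!/bin/sh
# Added example, not code from the original post: trace a hostname to its
# network owner the way the post describes (dig, not ping; then whois and a
# reverse lookup) and condense the whois record to the attribution fields.

# whois_summary: read a whois record on stdin and print "key: value" for the
# fields that identify the allocation and its contacts. Keys are lowercased
# because ARIN and APNIC capitalize their output differently.
whois_summary() {
    awk -F': *' '
        {
            key = tolower($1); sub(/^[ \t]+/, "", key)
        }
        key ~ /^(inetnum|netrange|cidr|netname|descr|country|orgname|person|address|e-mail|orgtechemail|abuse-mailbox)$/ && NF > 1 {
            val = $2
            for (i = 3; i <= NF; i++) val = val ": " $i
            print key ": " val
        }'
}

# trace_host NAME: resolve NAME to its A records, then print each address
# with its PTR name and the summarized whois record. Returns 2 when dig or
# whois is not installed. Needs network access; not run by default below.
trace_host() {
    command -v dig >/dev/null 2>&1 && command -v whois >/dev/null 2>&1 || return 2
    for ip in $(dig +short "$1" A); do
        printf '%s -> %s (PTR: %s)\n' "$1" "$ip" "$(dig +short -x "$ip")"
        whois "$ip" | whois_summary
    done
}

# Sample input: the APNIC part of the record quoted in the post, reproduced
# here so the filter can be exercised offline.
sample_record() {
    cat <<'EOF'
inetnum:      218.108.0.0 - 218.109.255.255
netname:      wasu
descr:        wasu TV & Communication Holding Co., Ltd.
descr:        6/F, Jian Gong building, No. 20 Wen San Road, Hangzhou,
descr:        Zhejiang Province, P.R. China 310012
country:      CN
admin-c:      XZ1291-AP
tech-c:       TF142-AP
status:       ALLOCATED PORTABLE
mnt-by:       MAINT-CNNIC-AP
changed:      hm-changed@apnic.net 20080123
source:       APNIC
person:       xianlong Zeng
nic-hdl:      XZ1291-AP
e-mail:       allon@chinahcn.com
address:      No. 9 Shuguang Road, Hangzhou City, Zhejiang Province
phone:        +86-0571-28958852
country:      CN
EOF
}

# Offline demonstration; for a live trace call e.g. trace_host it.kingroutecn.com
sample_record | whois_summary
```

The summary deliberately keeps every descr, address and country line rather than the first match, because the owner's postal address and the contact persons appear in separate objects of the same record.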
Network security is not a shame if you don't lose your children.
Tony Liu, late at night, June 3, 2010