The author of Gray Pigeon (Backdoor.Huigezi) has not stopped developing it. In addition, some people deliberately pack Gray Pigeon with different packers ("shells") to evade detection and removal by anti-virus software, so new Gray Pigeon variants constantly appear on the Internet. If your machine shows the symptoms of Gray Pigeon but anti-virus software cannot find it, it is probably a new variant that has not yet been intercepted. In that case you need to remove the Gray Pigeon manually.
Manually removing Gray Pigeon is not difficult; what matters is that we understand how it operates.
How Gray Pigeon works
The Gray Pigeon Trojan consists of two parts: the client and the server. The attacker operates the client and uses its configuration function to generate a server program, whose default file name is G_Server.exe, and then spreads this server (commonly called the Trojan or backdoor) through various channels. There are many ways to do this: for example, binding the Trojan to an image and sending it to you over QQ while posing as a shy girl ("MM") to trick you into running it; building a personal web page that, when you are lured into clicking, uses an IE vulnerability to download the Trojan to your machine and run it; or uploading the file to a software download site disguised as an interesting program to trick users into downloading it......
After it runs, G_Server.exe copies itself to the Windows directory (the Windows directory of the system drive on 98/XP, the Winnt directory of the system drive on 2000/NT) and then extracts G_Server.dll and G_Server_Hook.dll from its own body into the Windows directory. G_Server.exe, G_Server.dll and G_Server_Hook.dll together form the Gray Pigeon server. Some Gray Pigeons also release a file named G_ServerKey.dll to record keystrokes. If the server file is renamed, for example to A.exe, the released files are named A.dll and A_Hook.dll accordingly.
The G_Server.exe in the Windows directory registers itself as a service (on 9X systems it writes a Registry startup item instead) and runs automatically at every boot. After running, it starts G_Server.dll and G_Server_Hook.dll and then exits. G_Server.dll implements the backdoor functionality and communicates with the controlling client; G_Server_Hook.dll hides the virus by intercepting API calls. That is why, once infected, we can see neither the virus files nor the service the virus registered. Depending on the settings of the Gray Pigeon server file, G_Server_Hook.dll is sometimes injected into the process space of Explorer.exe and sometimes attached to all processes.
Manual detection of Gray Pigeon
Because Gray Pigeon intercepts API calls, its Trojan files and the service it registered are hidden in normal mode; that is, even if you enable "show all hidden files" you cannot see them. In addition, the file names of the Gray Pigeon server can be customized, which makes manual detection harder.
However, after careful observation we find that detecting Gray Pigeon still follows a pattern. From the analysis of its operating principle, no matter what the customized server file name is, a file ending in "_Hook.dll" is normally generated in the operating system's installation directory. Using this, we can detect the Gray Pigeon Trojan manually with reasonable accuracy.
In normal mode Gray Pigeon hides itself, so detection must be performed in Safe Mode. To enter Safe Mode, start the computer and press F8 before the Windows startup screen appears (or hold Ctrl while the computer boots), then select "Safe Mode" from the menu that appears.
1. Because the Gray Pigeon files have the hidden attribute, Windows must be set to display all files. Open "My Computer", choose "Tools" > "Folder Options", click the "View" tab, clear the checkbox "Hide protected operating system files", select "Show all files and folders" under "Hidden files and folders", and click "OK".
2. Open the Windows "Search" (search for files) dialog, enter "_hook" in the file name field, and set the search location to the Windows installation directory (by default C:\Windows on 98/XP, C:\Winnt on 2000/NT).
3. After the search completes, we find a file named Game_Hook.dll in the Windows directory (not in a subdirectory). Based on the analysis of how Gray Pigeon works, there should also be Game.exe and Game.dll files. Opening the Windows directory, we indeed find these two files, as well as a GameKey.dll file used to record keystrokes.
After these steps we can essentially confirm that these files are the Gray Pigeon Trojan, and we can remove them manually as described below. In addition, if you find a Gray Pigeon variant that Rising anti-virus software does not detect, you are welcome to upload samples to Rising's new-virus reporting site (http://up.rising.com.cn).
Manual removal of Gray Pigeon
After the analysis above, removing Gray Pigeon is easy. Removing the Gray Pigeon program files must still be done in Safe Mode. There are two main steps: 1. remove Gray Pigeon's service; 2. delete Gray Pigeon's program files.
Note: to prevent mistakes, be sure to back up your data before removal.
I. Removing Gray Pigeon's service
2000/XP system:
1. Open the Registry Editor (click "Start" > "Run", type "regedit.exe" and click OK) and navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key.
2. In the menu, click "Edit" > "Find", enter "game.exe" and click "OK" to locate the Gray Pigeon service item (Game_Server in this example).
3. Delete the entire Game_Server key.
98/ME systems:
On 9X the Gray Pigeon has only one startup item, so removal is easier: simply delete that startup item.
II. Deleting Gray Pigeon's program files
Deleting the program files is very simple: in Safe Mode, just delete Game.exe, Game.dll, Game_Hook.dll and GameKey.dll from the Windows directory, then restart the computer. At this point the Gray Pigeon has been removed.
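The detection steps above (the "_Hook.dll" naming pattern, its companion files, and the service pointing at the matching .exe), as an added PowerShell example that is not part of the original article. It assumes PowerShell 3 or later and an elevated prompt in Safe Mode; it only reports what it finds and prints the registry key and files that the manual steps would remove.

```powershell
# Added example (not from the original article): hunt for the "*_Hook.dll"
# pattern in the Windows directory and correlate it with any service whose
# ImagePath references the matching executable. Read-only: nothing is deleted.
param(
    [string]$WinDir = $env:windir   # e.g. C:\Windows or C:\Winnt
)

# Step 1: non-recursive search for *_Hook.dll, including hidden/system files.
$hooks = Get-ChildItem -Path $WinDir -Filter '*_Hook.dll' -File -Force -ErrorAction SilentlyContinue
if (-not $hooks) { Write-Host "No *_Hook.dll found in $WinDir"; return }

# All service keys; each may carry an ImagePath value naming the binary.
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue

foreach ($hook in $hooks) {
    # Game_Hook.dll -> base name "Game"; companions per the article are
    # Game.exe, Game.dll and GameKey.dll (the latter only for keylogging builds).
    $base = $hook.BaseName -replace '_Hook$', ''
    $companions = @("$base.exe", "$base.dll", "${base}Key.dll") |
        ForEach-Object { Join-Path $WinDir $_ } |
        Where-Object { Test-Path -LiteralPath $_ }

    # Step 2: services whose ImagePath mentions the companion executable.
    # A filename match tolerates quoting, %SystemRoot% expansion and arguments.
    $exeName = "$base.exe"
    $hits = foreach ($svc in $services) {
        $imagePath = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($imagePath -and $imagePath -match [regex]::Escape($exeName)) { $svc }
    }

    [pscustomobject]@{
        HookDll     = $hook.FullName
        Companions  = $companions -join ', '
        Services    = ($hits | ForEach-Object { $_.PSChildName }) -join ', '
        RegistryKey = ($hits | ForEach-Object { "HKLM\SYSTEM\CurrentControlSet\Services\$($_.PSChildName)" }) -join ', '
    }
}
```

A hook DLL with no companion files and no referencing service is not by itself proof of infection; confirm the full set described in the article before deleting anything.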
Summary
This article gives a general method for manually detecting and removing Gray Pigeon that applies to most of the Gray Pigeon Trojans and variants we encounter. A few variants, however, cannot be detected and removed with this method. Moreover, as new versions of Gray Pigeon keep being released, the author may add new hiding techniques and anti-deletion measures, and manual detection and removal will become increasingly difficult. If you are sure the machine is infected with a Gray Pigeon Trojan but the method described in this article cannot detect it, it is best to seek help from experienced friends.