How an online banking theft Trojan works

Source: Internet
Author: User
Tags: delete key, root directory, firewall

With the growing number of Internet users, every kind of virus and password-stealing Trojan naturally treats them as easy prey. As soon as one wave of stealing Trojans is taken down, a new batch of replacements appears, and a single careless act online can quickly cause heavy losses to a personal online banking account, which has given many netizens a headache.

Analysis of how the Trojan works

The online banking Trojan Win32.Troj.BankJP.a.221184 is not a newly emerged program. It can be stored on third-party devices and spread over the network, and it causes losses to both the system and online banking users. Once it takes up residence in a system, it first looks for the window of the "Personal Banking Professional Edition" client and steals the online banking account and password. The virus then automatically replaces a large number of system files and records keystrokes. It also deletes and damages Userinit.exe, the key system logon program, so that after a restart the system repeatedly returns to the logon screen and cannot reach the desktop or work normally; meanwhile the Trojan updates itself automatically. It is a serious threat to the user's property and privacy.

On an infected computer, the virus drops the dynamic-link library files Mshelp.dll and mspw.dll under %windir%, adds a service entry (named power) under the registry branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, and tries to back up three files: %system%\calc.exe -> %system%\dllcache\c_20218.nls, %system%\Userinit.exe -> %system%\dllcache\c_20911.nls, and %windir%\notepad.exe -> %system%\dllcache\c_20601.nls. Once that succeeds, the virus automatically finds and replaces calc.exe in the %windir% system directory, userinit.exe and notepad.exe in the %system% directory, and calc.exe, Userinit.exe and Notepad.exe in the %system%\dllcache directory, so that it is deeply hidden.

At this point the Trojan has still not finished reinforcing itself: it also creates a recycler folder in the root directory of the system drive, which it uses to store backups of the virus.
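The indicators listed above (dropped DLLs, the renamed .nls backups in dllcache, the replaced system binaries, the service entry, the Userinit hijack and the recycler folder) can be checked read-only from an administrator PowerShell prompt. The script below is an added example written for this page, not code from the original article. It assumes PowerShell 4 or later (for Get-FileHash), the XP-era %windir%\system32\dllcache layout, that the service name is the "power" given in the article, and that the c_*.nls copies are the original binaries, so a hash mismatch between a copy and the live file means the live file was replaced.

```powershell
# Added example: read-only audit for the indicators the article attributes to
# Win32.Troj.BankJP.a.221184. Assumed: PowerShell 4+, XP-style dllcache layout.

$windir   = $env:windir
$system   = Join-Path $windir 'system32'
$dllcache = Join-Path $system 'dllcache'
$findings = @()

# 1. Dropped DLLs the article names, under %windir%
foreach ($dll in 'Mshelp.dll', 'mspw.dll') {
    $p = Join-Path $windir $dll
    if (Test-Path $p) { $findings += "Dropped DLL present: $p" }
}

# 2. Renamed backups in dllcache, paired with the live file each one is a copy of.
#    If the backup is the original and the live file differs, the live file was replaced.
$pairs = @{
    'c_20218.nls' = Join-Path $system 'calc.exe'
    'c_20911.nls' = Join-Path $system 'userinit.exe'
    'c_20601.nls' = Join-Path $windir 'notepad.exe'
}
foreach ($nls in $pairs.Keys) {
    $backup = Join-Path $dllcache $nls
    $live   = $pairs[$nls]
    if (Test-Path $backup) {
        $findings += "Trojan backup present: $backup"
        if (Test-Path $live) {
            $hBackup = (Get-FileHash $backup -Algorithm SHA256).Hash
            $hLive   = (Get-FileHash $live   -Algorithm SHA256).Hash
            if ($hBackup -ne $hLive) {
                $findings += "Live file differs from its backup (replaced?): $live"
            }
        }
    }
}

# 3. Userinit hijack: an IFEO entry for Userinit.exe, or a non-default Winlogon Userinit value
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Userinit.exe'
if (Test-Path $ifeo) {
    $dbg = (Get-ItemProperty $ifeo -ErrorAction SilentlyContinue).Debugger
    $findings += "IFEO key exists for Userinit.exe (Debugger = '$dbg')"
}
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty $winlogon).Userinit
$expectedExe = (Join-Path $system 'userinit.exe').ToLower()
# Windows stores the default as "<path>\userinit.exe," so strip the trailing comma before comparing
if ($userinit -and $userinit.TrimEnd(',').ToLower() -ne $expectedExe) {
    $findings += "Winlogon Userinit is non-default: '$userinit'"
}

# 4. Service entry the article says the Trojan adds (name "power" taken from the article)
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\power'
if (Test-Path $svc) {
    $img = (Get-ItemProperty $svc -ErrorAction SilentlyContinue).ImagePath
    $findings += "Service key 'power' present (ImagePath = '$img')"
}

# 5. Backup folder in the root of the system drive. On XP, RECYCLER is also the
#    normal recycle-bin directory, so presence alone is weak evidence; list its contents.
$recycler = Join-Path $env:SystemDrive 'recycler'
if (Test-Path $recycler) {
    $count = (Get-ChildItem $recycler -Recurse -Force -ErrorAction SilentlyContinue | Measure-Object).Count
    $findings += "Folder present (article: used for virus backups): $recycler ($count items)"
}

if ($findings.Count -eq 0) { 'No indicators from the article were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The script only reads; it changes nothing, so it is safe to run before deciding between the two cleanup methods described next. Finding 2 is the most useful one: a dllcache\c_20911.nls whose hash differs from the live userinit.exe is direct evidence that the logon program was swapped.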

Virus cleanup process

When a network user is accidentally infected with this Trojan, it should be removed from the computer as soon as possible. Depending on the user's own ability to handle a virus emergency, two approaches are offered here:

Method one: repair through the remote registry

Because the Remote Registry service is enabled by default, a user on the LAN can modify the infected computer's registry through a remote connection from Registry Editor. First type regedit in the Run box of the Start menu to open Registry Editor, then open the File menu, choose Connect Network Registry, and enter the IP address or machine name of the infected computer (note: if the other computer requires a username and password, enter them to complete the connection).

Next, locate the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and delete the Userinit.exe entry beneath it (note: sometimes the Userinit.exe entry hijacked by the virus is not visible and cannot be found; in that case locate the branch HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and change the Userinit value beneath it back to the system default, C:\WINDOWS\system32\UserInit.exe). If Userinit.exe itself is found to have been damaged by the virus, the Windows installation CD can be used to start a quick repair that restores the Userinit.exe program file.

Finally, use a DOS command to put back the C_20911.NLS that the virus renamed and moved, as follows: copy c:\windows\system32\dllcache\c_20911.nls C:\Windows\System32. Restart the computer when this is done, and the system returns to normal.

Method two: repair after booting from a WinPE disc

First, press the DELETE key as the computer starts to enter the BIOS and set the computer to boot from the CD-ROM drive (note: entering the BIOS differs slightly between computer brands; please follow the respective manual). After that, put the WinPE disc in the optical drive and restart the computer so that it enters the CD-ROM boot interface.

After entering the WinPE system, locate the registry branch HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and delete the Userinit.exe entry beneath it, then locate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and change the Userinit value beneath it back to the system default, C:\WINDOWS\system32\UserInit.exe. Then browse the WinPE CD and copy the Userinit.exe program from the System32 folder under the I386 directory to the Windows\System32 path on the system drive.

Finally, remove the disc and restart the computer. The Userinit.exe hijacked by the virus returns to normal, the operating system starts normally, the repeated restarts no longer occur, and the problem is solved.
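Both methods perform the same two registry repairs (delete the Image File Execution Options entry for Userinit.exe, reset Winlogon\Userinit to the default); they differ only in which registry they are applied to. The function below is an added example for this page, not code from the article, and generalizes the two methods into one routine: against the local HKLM, against a remote computer's HKLM as in method one, or against the infected system's offline SOFTWARE hive as in method two. The offline case assumes the hive lives at <WindowsDir>\system32\config\SOFTWARE and uses a hypothetical mount name, HKLM\OfflineSoft. Note that WinPE's own HKLM is WinPE's registry, so for method two the offline hive has to be loaded first, which is what the function does. Run it as an administrator.

```powershell
# Added example: the article's two registry repairs as one function that targets
# the local, a remote (method one) or an offline (method two) SOFTWARE hive.
# Assumed: hive path <WindowsDir>\system32\config\SOFTWARE; mount name HKLM\OfflineSoft.

function Repair-UserinitHijack {
    param(
        [string]$ComputerName = '',        # method one: infected host reachable over the LAN
        [string]$OfflineWindowsDir = '',   # method two: e.g. 'D:\Windows' as seen from WinPE
        # Windows stores this value with a trailing comma; the article gives the path without it.
        [string]$DefaultUserinit = 'C:\WINDOWS\system32\userinit.exe,'
    )
    $ifeoSub = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $wlSub   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    if ($OfflineWindowsDir) {
        # Method two: load the infected system's hive under a temporary name and
        # work below that key, so the 'SOFTWARE\' prefix is dropped from both paths.
        $hive = Join-Path $OfflineWindowsDir 'system32\config\SOFTWARE'
        & reg.exe load HKLM\OfflineSoft $hive | Out-Null
        $root    = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('OfflineSoft', $true)
        $ifeoSub = $ifeoSub -replace '^SOFTWARE\\', ''
        $wlSub   = $wlSub   -replace '^SOFTWARE\\', ''
    } elseif ($ComputerName) {
        # Method one: the Remote Registry service must be running on the target.
        $root = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    } else {
        $root = [Microsoft.Win32.Registry]::LocalMachine
    }

    try {
        # 1. Delete the IFEO entry that redirects Userinit.exe to the Trojan.
        $ifeo = $root.OpenSubKey($ifeoSub, $true)
        if ($ifeo -and ($ifeo.GetSubKeyNames() -contains 'Userinit.exe')) {
            $ifeo.DeleteSubKeyTree('Userinit.exe')
            "Removed IFEO entry for Userinit.exe"
        }
        if ($ifeo) { $ifeo.Close() }

        # 2. Reset Winlogon\Userinit to the default logon program.
        $wl = $root.OpenSubKey($wlSub, $true)
        $current = $wl.GetValue('Userinit')
        if ($current -ne $DefaultUserinit) {
            $wl.SetValue('Userinit', $DefaultUserinit, [Microsoft.Win32.RegistryValueKind]::String)
            "Userinit reset from '$current' to '$DefaultUserinit'"
        }
        $wl.Close()
    } finally {
        if ($OfflineWindowsDir) {
            $root.Close()
            & reg.exe unload HKLM\OfflineSoft | Out-Null   # flush changes back to the hive file
        } elseif ($ComputerName) {
            $root.Close()
        }
    }
}

# Usage (each call prints what it changed, or nothing if already clean):
#   Repair-UserinitHijack                                   # this machine
#   Repair-UserinitHijack -ComputerName 192.168.1.20        # method one, from another LAN host
#   Repair-UserinitHijack -OfflineWindowsDir 'D:\Windows'   # method two, from WinPE
```

The registry part is only half of the fix: as the article says, the damaged Userinit.exe file itself still has to be restored (from the installation CD in method one, or from the WinPE disc's I386\System32 folder in method two), and the unload step in the offline branch is what writes the edited hive back to disk, so do not skip it or power off before it completes.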

Virus prevention

The virus itself is not what is frightening; what is frightening is the heart of the virus writer. Network users must always stay vigilant to prevent loss of property. For users who are new to the network, what methods are there against viruses and theft? In fact there is no truly secure system on the network, only a relatively secure platform. Users who want to minimize threats from the network should pay attention to the following points:

First, do not open unknown websites or links sent through instant messaging software, and do not accept or click programs from strangers or of unknown origin (including exe executables, pictures, animations, movies, music, e-books and so on), to avoid being tricked.

Second, turn on the system's automatic update function for patches, and set the installed security software to upgrade daily so that it stays at the latest version. Keep the firewall on during network communication; users who have not installed a firewall should do so as soon as possible, so that when an unfamiliar program on the computer tries to make a remote connection it is noticed and reviewed early.

Third, regularly use anti-virus software or third-party security tools to scan the whole computer. Users of real-time communication tools such as QQ should use QQ Doctor to patch the system and detect stealing programs, to avoid having their online banking infected by the Trojan.
