Principle and prevention of image hijacking virus

Definition of Image hijacking

The so-called image hijacking (IFEO) is the image File Execution Options, located in the registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options Since this is primarily used to debug programs, is of little significance to the average user. By default, only administrators and local system have permission to read and write changes.

Popular point, is like I want to run QQ.exe, the results of the operation is FlashGet.exe, that is, in this case, the QQ program was flashget to hijack, that is, you want to run the program was replaced by another program.

Image hijacking virus

Although image hijacking is the function of the system itself, it is not necessary for our general users, but there are some viruses through image hijacking to make a fuss, on the surface appears to be running a program, in fact, the virus has been running in the background.

Most viruses and Trojans are run by loading system startup items, and some are registered as system services to start, they mainly by modifying the registry to achieve this goal, mainly in the following areas:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

But with the usual Trojan, the virus is different, there are some viruses are not through these to load themselves, not with the system to start running, but wait until you run a specific program running, which also captures the psychology of some users, the general user, as long as the discovery of their own machine in the virus, The first thing to look at is the system add-in, few people think of image hijacking, this is also the place where the virus is smart.

Image hijacking virus mainly by modifying the registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options Word hijacked normal procedures, such as a virus vires.exe to hijack the QQ program, it will be in the location of the registry to create a new Qq.exe item, and then the key of a new string below this item debugger content is: C:\WINDOWS\SYSTEM32\VIRES . EXE (This is the directory of virus hiding). Of course, if you change the string value to any other value, the system prompts you not to find the file.