Principles and removal methods of gray pigeon Trojan

Source: Internet
Author: User

The gray pigeon client and server are both written in Delphi. Hackers use the client program to configure the server program. Configurable information mainly includes the online type (waiting for a connection or actively connecting out, together with the public IP or domain name used for an active connection), the connection password, the port used, the startup item name, the service name, the process hiding mode, the shell used, the proxy, the icon, and so on.

The password setting ensures that the gray pigeon server can be controlled only by the hacker who configured it, which avoids competition between hackers.

The server can connect to the client in several ways, so users in all kinds of network environments can be infected, including LAN users (accessing the Internet through a proxy), direct Internet users, and ADSL dial-up users.

Only one port is used to transmit all communication data, whereas common software of this kind uses two or more ports.

It can control computers that reach the Internet through Internet Connection Sharing or an HTTP transparent proxy. The software reads the proxy server settings of the system automatically, with no configuration by the user.

A SOCKS5 proxy server and an HTTP proxy service can be enabled on the server without any third-party software. Windows 9x/ME/2000/XP/2003 are supported. This allows hackers to use the infected machine as a springboard for further attacks.

In addition to voice listening and voice sending, there is a remote video monitoring function: as long as the remote computer has a camera that is not in use by another program, the pictures it captures can be viewed. The captured video can also be saved in MPEG-1 format, and the remote audio can be recorded as WAV files.

The gray pigeon has other backdoor functions as well. Each function is carefully implemented and easy to use, the overall interface is clean, every small detail has been considered, and almost every idea one could think of has been implemented. However, what is convenient for hackers is not good news for ordinary users.

The following describes the server:

The configured server file is g_server.exe (this is the default name and can be changed). Hackers then use some simple method to trick users into running the g_server.exe program; the specific method is not described here, so readers may use their imagination.

After running, g_server.exe copies itself to the Windows directory (on 98/XP this is the Windows directory of the system disk; on 2000/NT it is the WINNT directory of the system disk) and registers itself as a service (with the service name configured above). It then releases two files from its body into the Windows directory: g_server.dll and g_server_hook.dll (newer versions release three files, adding g_serverkey.exe, which is mainly used to record keyboard operations). Next, it injects g_server.dll and g_server_hook.dll into Explorer.exe (or another process chosen in the configuration), or into all processes. G_server.exe then exits while the two dynamic libraries keep running. Because the virus has no independent process while running, it is well concealed. The g_server.exe file in the Windows directory runs automatically at every boot, activates the dynamic libraries, and exits, so as not to arouse the user's suspicion.

G_server.dll implements the backdoor function and the communication. The powerful functions of the gray pigeon are mainly reflected here. Hackers can perform operations on infected machines including file management, system information retrieval, clipboard viewing, process management, window management, keyboard logging, service management, share management, an MS-DOS shell, a proxy service, registry editing, starting the telnet service, screen capture, video monitoring, audio monitoring, sending audio, uninstalling the pigeon, and so on. It can be said that whatever the user can see locally can also be seen through the pigeon's remote monitoring. Screen monitoring and video and audio monitoring are particularly dangerous. If a user performs online banking transactions on the computer, remote screen monitoring easily exposes the user's account, and with keyboard monitoring the password is in danger as well. Video and audio monitoring can expose the users' own private details, such as their appearance and voice.

G_server_hook.dll hides the pigeon. By intercepting process API calls, it hides the files, the service registry keys, and even the module name inside the process. The intercepted functions are mainly those used to enumerate files, registry keys, and process modules. Therefore, in some cases users may feel that they are infected but cannot find anything abnormal after careful checks.

The gray pigeon author put a lot of effort into evading anti-virus software. Because some API functions are intercepted, it is difficult to enumerate the files and modules in normal mode, which makes scanning and removal difficult. It is also difficult to unload the gray pigeon dynamic libraries without crashing the system processes. This has caused the recent flood of gray pigeons on the Internet.

Running principle of gray pigeon

The gray pigeon Trojan is divided into two parts: the client and the server. The attacker operates the client and uses its configuration function to generate the server program. The server file name is g_server.exe. After running, g_server.exe copies itself to the Windows directory (on 98/XP this is the Windows directory of the system disk; on 2000/NT it is the WINNT directory of the system disk), then releases g_server.dll and g_server_hook.dll from its body into the Windows directory. G_server.exe, g_server.dll, and g_server_hook.dll together form the gray pigeon server. Some gray pigeons also release a file named g_serverkey.dll to record keyboard operations. The names can be changed; for example, a server named a.exe releases a.dll and a_hook.dll.

The g_server.exe file in the Windows directory registers itself as a service (on 9x systems it writes a registry startup item instead) and runs automatically at every boot. After running, it starts g_server.dll and g_server_hook.dll and exits automatically. The g_server.dll file implements the backdoor function and communicates with the controlling client. g_server_hook.dll hides the virus by intercepting API calls. Therefore, after infection we cannot see the virus files or the service items it registered. Depending on the settings of the gray pigeon server file, g_server_hook.dll sometimes sits in the process space of Explorer.exe and sometimes is attached to all processes.


Manual inspection of gray pigeon

Because the gray pigeon intercepts API calls, the Trojan files and its registered service items are hidden in normal mode; that is, even if you set "show all hidden files", you cannot see them. In addition, the file names of the gray pigeon server can be customized, which makes manual detection difficult.

However, after careful observation, we found that detection of the gray pigeon still follows a pattern. From the analysis of its operating principle we can see that, whatever the server file name is, a file ending in "_hook.dll" is usually generated in the operating system directory. Through this, we can detect the gray pigeon Trojan manually and more accurately.

In normal mode the gray pigeon hides itself, so the detection must be performed in safe mode. To enter safe mode, start the computer and press F8 before the Windows startup screen appears (or hold Ctrl while the computer starts), then select "Safe Mode" from the menu that appears.

1. Because the gray pigeon files have the hidden attribute, you must first set Windows to display all files. Open "My Computer", select "Tools" - "Folder Options", click "View", clear the check box "Hide protected operating system files", select "Show all files and folders" under "Hidden files and folders", and click "OK".

2. Open Windows "Search", enter "_hook.dll" in the file name field, and select the Windows installation directory as the search location (C:\Windows by default on 98/XP, C:\WINNT on 2000/NT).

3. After searching, we found a file named game_hook.dll in the Windows directory (not counting subdirectories). Opening the Windows directory, we also found the matching game.exe and game.dll files, along with a gamekey.dll file used to record keyboard operations.

After these steps, we can basically confirm that these files are the gray pigeon Trojan, and we can clear them manually as described below.


Manual removal of gray pigeon

After the analysis above, clearing the pigeon is easy: in safe mode, remove its service item and then delete the program files.

I. Clearing the gray pigeon service

2000/XP system:

1. Open the Registry Editor (click "Start" - "Run", enter "regedit.exe", and click "OK"), then open the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

2. Click "Edit" - "Find", enter "g_server.exe" as the search target, and click "OK" to locate the service item of the gray pigeon.

3. Delete the entire g_server entry.

98/me system:

On 9x there is only one startup item for the gray pigeon, so clearing is easier. Run the Registry Editor, open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and delete the g_server.exe item.

II. Deleting the gray pigeon program files

Deleting the gray pigeon program files is very simple: in safe mode, delete the g_server.exe, g_server.dll, g_server_hook.dll, and g_serverkey.dll files in the Windows directory, then restart the computer. At this point the gray pigeon has been cleared.
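As an added example (not from the original article), the following Python script automates the file-name check from the manual inspection section and the service lookup from step 2 of the removal: it looks for any <name>_hook.dll in a directory, reports which companion <name>.exe, <name>.dll and <name>key.dll files exist, and matches service ImagePath values against the detected executables. The directory contents and the service list are constructed sample data, and the function names are assumptions.

```python
import os
import tempfile


def find_hook_triplets(win_dir):
    """Map each <base> from a <base>_hook.dll in win_dir to the companion
    files present.  Run from safe mode or on an offline copy of the disk:
    in normal mode the hook DLL hides these files from directory listings."""
    names = {n.lower() for n in os.listdir(win_dir)}
    findings = {}
    for name in sorted(names):
        if not name.endswith("_hook.dll"):
            continue
        base = name[: -len("_hook.dll")]
        companions = [base + ".exe", base + ".dll", base + "key.dll"]
        findings[base] = [name] + [c for c in companions if c in names]
    return findings


def match_services(findings, services):
    """services: (service_name, ImagePath) pairs as read from
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\<svc>.  Returns the services
    whose ImagePath executable is one of the detected <base>.exe files."""
    exes = {base + ".exe" for base in findings}
    hits = []
    for svc, image_path in services:
        s = image_path.strip()
        # ImagePath may be quoted and may carry arguments after the path.
        path = s[1:].split('"', 1)[0] if s.startswith('"') else (s.split() or [""])[0]
        exe = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe in exes:
            hits.append(svc)
    return hits


def build_sample_dir():
    """Constructed stand-in for a Windows directory (empty files only)."""
    d = tempfile.mkdtemp(prefix="windir_")
    for n in ["notepad.exe", "game.exe", "game.dll", "game_hook.dll",
              "gamekey.dll", "regedit.exe"]:
        open(os.path.join(d, n), "wb").close()
    return d


# Constructed service list; GameSvc mirrors the service the server registers.
SAMPLE_SERVICES = [
    ("Eventlog", r"C:\WINDOWS\system32\services.exe"),
    ("GameSvc", r"C:\WINDOWS\game.exe"),
    ("W32Time", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    found = find_hook_triplets(build_sample_dir())
    print(found, match_services(found, SAMPLE_SERVICES))
```

On a real system the service pairs would be enumerated from the registry key named in the docstring, and the directory would be the Windows directory found in the inspection steps.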
