After the authors of the Gray Pigeon (Huigezi) trojan announced that it was "retiring", the Gray Pigeon samples intercepted by the Kingsoft anti-virus center were mostly anti-detection repacks of the old build. Last weekend, the Kingsoft anti-virus center intercepted a major new Gray Pigeon variant, confirming that Gray Pigeon has not left the scene: after a short silence it is attempting to recover lost ground.
The new Gray Pigeon version has the following major updates:
Process content replacement (the technique commonly known as process hollowing) combined with dual-process mutual monitoring greatly improves its self-protection.
Process content replacement: the virus starts a legitimate iexplore.exe process and overwrites that process's memory with the virus's own code. The process looks like Internet Explorer in the task list while running the trojan, which makes it much harder to spot.
Dual-process mutual monitoring: this variant starts both iexplore.exe and calc.exe (the Windows calculator) and uses process content replacement to turn both into virus processes. Two virus processes are then resident in memory and watch each other; when either one is terminated, the surviving process restarts it.
According to the monitoring results of the Kingsoft anti-virus center, the number of infections is still small, but the sample may become a backdoor pushed out by downloader trojans such as AVKiller; in other words, the new Gray Pigeon version may be delivered as a payload of the "AV Terminator" trojan, which would pose a serious security threat to computer users. All users are reminded to download the AV Terminator removal tool and check whether their machine has been compromised by AV Terminator, so that their anti-virus software is confirmed to be working properly. The following is the detailed analysis report of the virus:
This is a remote-control (backdoor) trojan for the Windows platform. Once a machine is infected, the virus connects back to a remote host operated by the attacker, giving the attacker complete control of the machine. The attacker can view and download arbitrary files from the infected machine, record everything the user does on the computer, and steal the user's QQ account, online banking credentials and other information. If a camera is attached to the host, the attacker can even watch the user through it remotely, so the infection leads to leakage of both user data and personal privacy and causes great harm.
1. Disguises itself as a normal system program by dropping copies at the following locations (ssms.exe is a look-alike of the legitimate smss.exe):
%SystemDir%\ssms.exe
<system partition>:\Program Files\Common Files\Microsoft Shared\MSInfo\_ssms.exe
2. Installs the following virus service so that it runs automatically:
Service name: Windows-UP
Display name: Windows-UP_2007_71
Service description: automatically updates the latest security patches.
Service file: %SystemDir%\ssms.exe
3. Attempts to delete npkcrypt.sys, the QQ keyboard-encryption driver file that protects typed passwords.
4. Creates two hidden processes, %SystemDir%\calc.exe (the built-in calculator) and <system partition>:\Program Files\Internet Explorer\iexplore.exe (the IE browser), replaces the code of both processes with its own virus code and runs them. The two processes guard each other: if one is killed, the other restarts it.
5. When the virus runs, it actively connects to the author's control end. Once the connection is established, the virus author can capture the user's screen in real time, watch and control the user's camera in real time, record Chinese chat logs, view and download arbitrary files from the user's machine, view and terminate arbitrary user processes, and shut down or restart the infected machine.
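The indicators in steps 1 to 5 can be turned into a simple triage check over a process and service snapshot. The script below is an added example written for this report, not code from Kingsoft or from the sample analysis; it works on constructed data (a hand-built process list and service list modelled on the behaviour described above, not a real capture) so that it runs offline. It assumes the default install path C:\WINDOWS\system32, and it assumes that the outbound connection to the control end is made from one of the hollowed host processes (the report says the virus code lives in calc.exe and iexplore.exe but does not name which one connects). The rules are: a service or process whose binary is the look-alike name ssms.exe, a calc.exe or iexplore.exe started by ssms.exe (hollowed host), a calc.exe or iexplore.exe respawned by its sibling (the watchdog pattern), and calc.exe holding a network connection.

```python
"""Triage a Windows process/service snapshot for the Gray Pigeon variant's
indicators: look-alike service binary, hollowed calc.exe/iexplore.exe hosts,
the two-process watchdog, and a calculator that talks to the network.
All sample data below is constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SYSTEM_DIR = r"C:\WINDOWS\system32"          # assumed default install path
LOOKALIKE = {"ssms.exe": "smss.exe"}         # dropper name -> real system binary it mimics
HOLLOW_HOSTS = {"calc.exe", "iexplore.exe"}  # benign images the variant hollows
NO_NETWORK = {"calc.exe"}                    # hosts that have no business on the network
SERVICE_NAME = "Windows-UP"                  # service name from the report


@dataclass
class Proc:
    pid: int
    name: str
    image: str
    ppid: int
    remote: List[str] = field(default_factory=list)  # remote endpoints "ip:port"


@dataclass
class Svc:
    name: str
    display: str
    binpath: str


Finding = Tuple[str, str, str]  # (rule, subject, detail)


def check_services(services: List[Svc]) -> List[Finding]:
    """One finding per suspicious service: known name first, then look-alike binary."""
    out: List[Finding] = []
    for s in services:
        binary = s.binpath.rsplit("\\", 1)[-1].lower()
        if s.name == SERVICE_NAME or s.display.startswith(SERVICE_NAME + "_"):
            out.append(("service-name", s.name, f"matches reported service, binary {s.binpath}"))
        elif binary in LOOKALIKE:
            out.append(("lookalike-binary", s.name, f"{binary} mimics {LOOKALIKE[binary]} at {s.binpath}"))
    return out


def check_processes(procs: List[Proc]) -> List[Finding]:
    """Flag the dropper, hollowed hosts, watchdog respawns and calc.exe network use."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    out: List[Finding] = []
    for p in procs:
        name = p.name.lower()
        parent = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else "<none>"
        if name in LOOKALIKE:
            out.append(("lookalike-binary", f"pid {p.pid}", f"{name} mimics {LOOKALIKE[name]} ({p.image})"))
        if name not in HOLLOW_HOSTS:
            continue
        # A hollowed host is launched by the dropper; after one is killed the
        # survivor relaunches it, so the new copy is a child of its sibling.
        if pname in LOOKALIKE:
            out.append(("hollow-host", f"pid {p.pid}", f"{name} started by {pname} (pid {p.ppid})"))
        elif pname in HOLLOW_HOSTS and pname != name:
            out.append(("watchdog-respawn", f"pid {p.pid}", f"{name} respawned by sibling {pname} (pid {p.ppid})"))
        if name in NO_NETWORK and p.remote:
            out.append(("unexpected-network", f"pid {p.pid}", f"{name} connected to {', '.join(p.remote)}"))
    return out


def triage(procs: List[Proc], services: List[Svc]) -> List[Finding]:
    return check_services(services) + check_processes(procs)


def sample_snapshot() -> Tuple[List[Proc], List[Svc]]:
    """Constructed snapshot modelled on the report (not captured data)."""
    ie = r"C:\Program Files\Internet Explorer\iexplore.exe"
    procs = [
        Proc(4, "System", "", 0),
        Proc(500, "smss.exe", SYSTEM_DIR + r"\smss.exe", 4),
        Proc(800, "services.exe", SYSTEM_DIR + r"\services.exe", 700),
        Proc(1200, "explorer.exe", r"C:\WINDOWS\explorer.exe", 1100),
        Proc(1500, "ssms.exe", SYSTEM_DIR + r"\ssms.exe", 800),            # the service binary
        Proc(1600, "calc.exe", SYSTEM_DIR + r"\calc.exe", 1500, ["203.0.113.10:8000"]),
        Proc(1700, "iexplore.exe", ie, 1600),                               # respawned by calc.exe
        Proc(2000, "iexplore.exe", ie, 1200),                               # the user's real browser
    ]
    services = [
        Svc("Windows-UP", "Windows-UP_2007_71", r"%SystemDir%\ssms.exe"),
        Svc("Dhcp", "DHCP Client", r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
    ]
    return procs, services


if __name__ == "__main__":
    for rule, subject, detail in triage(*sample_snapshot()):
        print(f"[{rule}] {subject}: {detail}")
```

On a live machine the same rules can be fed from `tasklist /v`, `wmic process get ProcessId,ParentProcessId,Name,ExecutablePath`, `sc query` plus `sc qc <name>`, and `netstat -ano`; the user's own iexplore.exe (started by explorer.exe, no suspicious parent) produces no finding, which is the point of keying on parentage and on calc.exe network activity rather than on the image name alone.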