Teach you effective coping with rootkit (kernel type) virus

Source: Internet
Author: User
Tags: command line, safe mode, administrator password

This type of virus typically consists of two or more files: an executable with the .exe extension and a driver with the .sys extension. The EXE is the traditional worm module, responsible for generating, infecting, spreading and damaging; the SYS file is the rootkit module.

A rootkit is also a kind of Trojan horse, but it is far better hidden than familiar Trojans such as "Glacier" and "Gray Pigeon". It enters the system core as a driver and is then responsible for implementing a covert back door, replacing normal system files, hiding processes, monitoring the network and recording keystrokes. Some rootkits can also turn off antivirus software.

The rootkit module provides the hiding mechanism for the worm, so the two files depend on each other. Since the virus hides itself, where do we start looking for it? Below we take a computer infected with the Orans.sys worm as an example and walk through how to detect and remove this kind of virus.

Detecting Virus Body files

Norton Antivirus reports C:\windows\system32\orans.sys as a rootkit virus, which shows that the SYS file carrying the rootkit code cannot escape antivirus detection. So can we simply delete this file to remove the virus? The answer is no.

First, in the infected system the file is protected and cannot be deleted. Even if the user deletes the file in Safe Mode, the other virus file that has not been deleted will start with the system after the reboot and monitor it.

Once it finds that the registry entries have been modified or the SYS file has been deleted, the virus regenerates the file and restores the registry entries, which is why we so often see the virus come back. It is therefore necessary to find both files at the same time. But in the infected system the real virus body is hidden by the rootkit module and cannot be detected by antivirus software.

So we need to look for clues in the system's processes. The system's own Task Manager lacks the advanced functionality needed for this task and is not recommended. Instead we recommend IceSword or Process Explorer: both can show every process in the system and the relationships between processes, and can also display each process's image file path, command line, system service name and other related information.

During the analysis, pay attention not only to unfamiliar processes; some normal system processes also need careful examination, because the virus often injects itself into a normal system process or hangs off it as a child process. In IceSword, processes shown in red are hidden processes, and these are often the processes of a kernel-type Trojan.

Port analysis is also a common method, because viruses often open special ports and wait for remote commands, and some viruses try to connect to a particular server or website; the virus process can then be found through the association between processes and ports.

In the above example, by comparing a clean operating system with the infected one we quickly determined that the "restore" process in the system was an anomalous process, and that its image file was c:\windows\restore.exe, which is how we found the virus body file. Yet when this file was found, Norton raised no alarm; evidently the virus file escaped the antivirus software.

Further analysis found that the virus also added a service to the system, named "restore", whose executable path points to the virus file.
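The process-port association described above, as an added example that is not part of the original article: it maps every listening or established TCP connection to its owning process, image path, hosted service names and code-signing status, so an anomalous process like the "restore" process stands out. It assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection, Get-CimInstance) and an elevated session.

```powershell
# Added example, not from the original article. Associate TCP connections with
# the process that owns them, plus the process image path, the services it hosts
# and whether the image is signed. Requires an elevated PowerShell session.
function Get-ProcessPortMap {
    # Index services by the PID that hosts them (svchost hosts several per PID).
    $svcByPid = @{}
    foreach ($s in Get-CimInstance Win32_Service) {
        if ($s.ProcessId) { $svcByPid[[int]$s.ProcessId] += @($s.Name) }
    }
    # Index processes once instead of querying WMI per connection.
    $procByPid = @{}
    foreach ($p in Get-CimInstance Win32_Process) { $procByPid[[int]$p.ProcessId] = $p }

    Get-NetTCPConnection |
        Where-Object { $_.State -in 'Listen', 'Established' } |
        ForEach-Object {
            $owner = $procByPid[[int]$_.OwningProcess]
            $path  = $owner.ExecutablePath
            # An unsigned image, or one whose path cannot be read at all (as happens
            # with rootkit-protected files), deserves a closer look.
            $sig = if ($path -and (Test-Path $path)) {
                       (Get-AuthenticodeSignature -FilePath $path).Status
                   } else { 'NoPath' }
            [PSCustomObject]@{
                LocalPort  = $_.LocalPort
                RemoteAddr = $_.RemoteAddress
                RemotePort = $_.RemotePort
                State      = $_.State
                Pid        = $_.OwningProcess
                Process    = $owner.Name
                ImagePath  = $path
                Services   = ($svcByPid[[int]$_.OwningProcess] -join ',')
                Signature  = $sig
            }
        }
}

# List everything, with unsigned or path-less images sorted first for review.
Get-ProcessPortMap |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Process |
    Format-Table -AutoSize
```

Compare the output against the same listing from a known-clean machine, as the article does, rather than trusting the signature column alone; a kernel rootkit that hides a process will also hide it from this listing.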

Manual removal of viruses

1. Turn off System Restore: right-click My Computer, select Properties, open the System Restore tab in System Properties, check "Turn off System Restore on all drives", and confirm.

2. Restart the computer into Safe Mode, open Services under Control Panel → Administrative Tools, find the "restore" service added by the virus and disable it.

3. Manually delete the two virus files c:\windows\restore.exe and c:\windows\system32\orans.sys.

4. Run the Registry Editor regedt32.exe to find the entries added by the virus. Under the three branches

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\

look for the "Orans.sys" and "restore" registry keys added by the virus and delete those entries.

5. Reboot the system into normal mode, turn System Restore back on, and install the system patches.
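A verification pass for the procedure above, as an added example that is not part of the original article: it checks that the "restore" and "Orans.sys" service keys are gone from CurrentControlSet and from every ControlSet00N branch present (not only 001 and 002), that the two files no longer exist, and that no service still points at the worm's image. The names and paths are the ones the article gives; run it elevated after step 5.

```powershell
# Added example, not from the original article. Confirm that nothing named in the
# article survives the manual cleanup. Names and paths are taken from the article.
$serviceNames = @('restore', 'Orans.sys')
$virusFiles   = @("$env:SystemRoot\restore.exe",
                  "$env:SystemRoot\system32\orans.sys")

function Test-RootkitCleanup {
    $findings = @()
    # CurrentControlSet is a link to one ControlSet00N; the worm may have re-registered
    # in another one, so enumerate all of them rather than only 001 and 002.
    $branches = @('HKLM:\SYSTEM\CurrentControlSet') +
                @(Get-ChildItem 'HKLM:\SYSTEM' |
                  Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
                  ForEach-Object { "HKLM:\SYSTEM\$($_.PSChildName)" })
    foreach ($branch in $branches) {
        foreach ($name in $serviceNames) {
            $key = "$branch\Services\$name"
            if (Test-Path $key) {
                $img = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
                $findings += "registry key still present: $key (ImagePath=$img)"
            }
        }
    }
    foreach ($file in $virusFiles) {
        if (Test-Path $file) { $findings += "file still present: $file" }
    }
    # Catch a variant that kept the image but registered it under another service name.
    $leafNames = $virusFiles | ForEach-Object { Split-Path $_ -Leaf }
    foreach ($svc in Get-CimInstance Win32_Service) {
        foreach ($leaf in $leafNames) {
            if ($svc.PathName -and $svc.PathName -like "*$leaf*") {
                $findings += "service '$($svc.Name)' still points at $($svc.PathName)"
            }
        }
    }
    return $findings
}

$result = @(Test-RootkitCleanup)
if ($result.Count -eq 0) { 'No remaining indicators found.' } else { $result }
```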

There are many variants of this type of virus; the generated executable file, the registered system service, and the methods of transmission and damage all differ. This article mainly provides a line of thought, so that when you encounter one you can find the root cause and solve the problem. In addition, most such viruses get in by exploiting operating system vulnerabilities or by guessing administrator passwords, and some can exploit several vulnerabilities at once.

So everyone should be fully aware of the importance of patching, and also avoid empty or weak administrator passwords, to reduce the chance of virus intrusion.
