Before I wiped the disk I forgot to share some of the interesting nasties I had found. Every time I see the newest one I feel that the dark side has an endless supply of tricks, which is far more interesting than watching security vendors fight each other. In daily computer use we constantly type links that begin with http or ftp, or click links such as ed2k. Behind each link a registered handler is executed: http is handed to iexplore.exe, for example, and ed2k is opened by QQ Tornado. This time the virus author used exactly this mechanism to load the virus covertly and evade detection and removal.
1 Meeting URL Protocol
(1) Internet Explorer URL
While fixing a user's problem remotely last December, I saw Httqs and immediately read it as Https, so a link to https://www.baidu.com (I guess Baidu was used here to slip past security software checks; everybody knows this site is too real, too normal) looked perfectly normal, didn't it? When I opened the page I found that the q was not a p. The problem, then, was Httqs. Opening HKEY_CLASSES_ROOT in the registry shows how tricky it is: in the end IEXPLORE.EXE is launched with h%t%p%://w%.6701.c%o%m%/?12N17, a navigation website.
[HKEY_CLASSES_ROOT\httqs]
"URL Protocol"=""
[HKEY_CLASSES_ROOT\httqs\shell\open\command]
@="Rundll32 shell32.dll,ShellExec_RunDLLA C:\Program Files\Internet Explorer\iw.e.EXE h%t%p%://w%.6701.c%o%m%/?12N17"
(2) Farewell to the magic RunOnce virus startup item
Next I handled several problem reports. Checking those machines, I found that they generally had a RunOnce startup item that looked absurd: ADCS:\Windows\system32\debug.exe. My first impression was that the virus author had made a typo. My second was to look at \Windows\system32\debug.exe (as far as I can guess, it is named only to get past security software), but the copy in the system32 directory turned out to be clean. In the end I focused on ADCS:. Opening HKEY_CLASSES_ROOT in the registry made it plain that the real goal is to run the virus file D:\RECYCLERZT1\2.vbe.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Explorer"="ExplorerADCS:\Windows\system32\debug.exe"
[HKEY_CLASSES_ROOT\ADCS]
@="Directory container"
"URL Protocol"=""
[HKEY_CLASSES_ROOT\ADCS\explorer\open\command]
@="Rundll32 shell32.dll,ShellExec_RunDLLA D:\RECYCLERZT1\2.vbe"
2 URLProtocolView: viewing all URL protocols on the computer
URLProtocolView is a small tool that lists every URL protocol registered on the computer. After running URLProtocolView and sorting by modification time, the suspicious items ADCS and device stood out immediately.
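As an added example (my own code, not from the original post or from URLProtocolView), the following Python script triages a regedit export offline: it parses the .reg text, collects every key that declares "URL Protocol", and flags handlers that resemble the two tricks above (a lookalike scheme name, a rundll32 ShellExec_RunDLL proxy command, a script payload or a RECYCLER path, and a Run/RunOnce entry that launches the custom scheme). The sample export is constructed from the entries quoted in the post with a benign https handler added as a control; the known-scheme list and indicator strings are my assumptions.

```python
import re
# Constructed .reg export modelled on the entries quoted in the post, plus a benign https handler
SAMPLE_REG = r'''[HKEY_CLASSES_ROOT\httqs]
"URL Protocol"=""
[HKEY_CLASSES_ROOT\httqs\shell\open\command]
@="Rundll32 shell32.dll,ShellExec_RunDLLA C:\\Program Files\\Internet Explorer\\iw.e.EXE h%t%p%://w%.6701.c%o%m%/?12N17"
[HKEY_CLASSES_ROOT\ADCS]
"URL Protocol"=""
[HKEY_CLASSES_ROOT\ADCS\explorer\open\command]
@="Rundll32 shell32.dll,ShellExec_RunDLLA D:\\RECYCLERZT1\\2.vbe"
[HKEY_CLASSES_ROOT\https]
"URL Protocol"=""
[HKEY_CLASSES_ROOT\https\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Explorer"="ExplorerADCS:\\Windows\\system32\\debug.exe"'''
KNOWN_SCHEMES = {"http", "https", "ftp", "mailto", "ed2k"}  # assumed baseline of legitimate schemes
BAD_MARKERS = ("shellexec_rundll", ".vbe", ".vbs", ".js", ".wsf", "recycler")  # indicators seen in the post
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')  # @="..." or "name"="..."

def parse_reg(text):
    # Returns {key: {value_name: string}}; the default value (@) is stored under ''
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else m.group(2)
            keys[current][name] = m.group(3).replace('\\"', '"').replace("\\\\", "\\")
    return keys

def find_suspicious_protocols(text):
    # Returns {scheme: [reasons]} for registered URL protocols whose handler looks hijacked
    keys, findings = parse_reg(text), {}
    schemes = [k.split("\\")[1] for k, v in keys.items() if k.count("\\") == 1 and "URL Protocol" in v]
    for scheme in schemes:
        reasons, s = [], scheme.lower()
        if s not in KNOWN_SCHEMES and any(len(s) == len(k) and sum(a != b for a, b in zip(s, k)) == 1
                                        for k in KNOWN_SCHEMES):
            reasons.append("lookalike of a well-known scheme (e.g. httqs for https)")
        for key, values in keys.items():
            low = key.lower()
            if low.startswith(f"hkey_classes_root\\{s}\\") and low.endswith("\\command"):
                cmd = values.get("", "").lower()
                reasons += [f"handler matches '{m}'" for m in BAD_MARKERS if m in cmd]
            elif low.endswith(("\\run", "\\runonce")) and any(f"{s}:" in v.lower() for v in values.values()):
                reasons.append("launched from a Run/RunOnce entry")
        if reasons:
            findings[scheme] = reasons
    return findings
```

Run it against a real export (regedit /e of HKEY_CLASSES_ROOT plus the Run keys) and the benign https handler comes back clean while httqs and ADCS are reported with the reasons above.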