Virus IFEO Image Hijacking Technology

Source: Internet
Author: User

Recently, viruses have been using the IFEO image hijacking technique, with the result that anti-virus software cannot run or the system reports that the file cannot be opened. Such viruses are currently very widespread and cleaning them up is relatively complicated, so I am posting a dedicated article today to draw your attention to it.

There are many introductions to IFEO on the Internet; I borrowed the content of this post from jianmeng skyshine, thank you! The important part is the prevention method in step 5, which is simple and effective and prevents the problem before it happens, sparing you the trouble of an infection.

Basic symptoms: you may have run into this situation: a normal program, no matter where it is placed, or even after being repaired from the installation disc, cannot be run. For example, running program A actually executes program B, yet after renaming A it runs normally.

Since we are talking about the IFEO technique, let's introduce it first:

1. What is image hijacking (IFEO)?

IFEO stands for Image File Execution Options, a key in the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

This key is mainly used for program debugging and is of little significance to ordinary users. By default, only Administrators and the local SYSTEM account have the right to read and modify it. First, let's look at how ordinary viruses modify the registry.

The well-known, heavily abused registry keys used by viruses, worms and Trojans are:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\policy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
and so on ......

II. Usage Details:

The following introduction comes from Blue Ice:

```bat
@echo off
rem turn off command echo
echo This batch file is only a tip. Do not use it for illegal activities!
rem the line above displays the echo text
pause
rem stop and wait for a key press
rem write the echo text into ssm.reg; the first line creates the file,
rem the following lines must append (>>) or they would overwrite it
echo Windows Registry Editor Version 5.00> ssm.reg
echo.>> ssm.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syssafe.exe]>> ssm.reg
echo "Debugger"="syssafe.exe">> ssm.reg
rem import ssm.reg silently and then delete it
regedit /s ssm.reg & del /q ssm.reg
```

The batch above disables SSM. In general, a "Debugger"="abc.exe" value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe means that svchost.exe is not executed and abc.exe is executed instead.

I may have said a lot, but you may still not know what it means. It doesn't matter; let's look at a test another friend on the Internet did:


As shown in the figure, go to Start > Run > regedit and expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Select Image File Execution Options, create a new key under it, and rename the new key to 123.exe.

Select 123.exe; the right-hand pane is empty by default. Right-click to create a new String Value and rename it "Debugger". Press Enter, then double-click the value to edit its data (which is actually a path).

Change it to C:\Windows\system32\cmd.exe
(PS: C: is the system drive. If your system is installed on D:, change it to D:. On NT or 2000 systems, change Windows to Winnt, and so on for other layouts.)

Okay. Experiment.

Then, find any program with the .exe extension and rename it 123.exe.

Then run it. Hey hey, a DOS command box appears instead. Staring at the blinking cursor without knowing why, it certainly feels strange ~ ^_^ ..

A simple prank ......

Similarly, a virus can redirect the names of anti-virus programs and security tools to the virus's own path. If the redirection entry is not removed after the virus has been cleaned up, IFEO keeps the undamaged programs from running at all!

III. Basic principles of image hijacking:

When an NT-family system receives a request to run an executable file (for example from the command line), it first checks whether the requested file is an executable. If so, it checks its format, and then it checks whether an IFEO entry exists for that file name. If the entry has a Debugger value, the system starts the program named there instead, passing the original executable as a parameter; if that program does not exist, the system reports that it cannot find the file or that "the specified path is incorrect". Of course, once these keys are deleted, the program runs again!
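A defender-side check for the mechanism described above, added here as an example (it is not code from the original post): it parses a `reg export` of the IFEO key, constructed inline as sample data, and lists every subkey that carries a Debugger value, separating self-redirects (the SSM trick) from redirects to another program.

```python
"""List every IFEO Debugger hijack found in a 'reg export' of the IFEO key."""
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Constructed sample (not captured from a real machine): what
#   reg export "HKLM\...\Image File Execution Options" ifeo.reg
# could produce on a system carrying the two hijacks described in the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\123.exe]
"Debugger"="C:\\Windows\\system32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syssafe.exe]
"Debugger"="syssafe.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001
'''


def parse_ifeo_debuggers(reg_text):
    """Return {image name: debugger path} for each IFEO subkey with a Debugger value.

    Subkeys carrying only other options (like DisableHeapLookaside above) are
    ordinary debugging settings and are not reported.
    """
    hijacks = {}
    image = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            name = key.group(1)
            image = None
            # the subkey directly under the IFEO key is the hijacked file name
            if name.lower().startswith(IFEO_PREFIX.lower() + "\\"):
                image = name[len(IFEO_PREFIX) + 1:]
            continue
        value = re.match(r'^"Debugger"="(.*)"$', line, re.IGNORECASE)
        if value and image:
            # .reg files escape backslashes and quotes; undo that to get the real path
            hijacks[image] = value.group(1).replace("\\\\", "\\").replace('\\"', '"')
    return hijacks


def classify(image, debugger):
    """'self' when the image is redirected to itself (it never starts), else 'redirect'."""
    target = debugger.replace("/", "\\").split("\\")[-1].lower()
    return "self" if target == image.lower() else "redirect"
```

Run against a real export of the key and every entry returned deserves a look, since genuine debugger registrations are rare on an end-user machine.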

IV. Specific cases of image hijacking:

An analysis case by jzb770325001, a moderator at JM, shows the spectacular scale on which IFEO is abused:

All of the following entries are subkeys of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, one per hijacked program:

avp.exe
AgentSvr.exe
CCenter.exe
Rav.exe
RavMonD.exe
RavStub.exe
RavTask.exe
fw0000.exe
fwsrv.exe
RsAgent.exe
Rsaupd.exe
uniep.exe
SmartUp.exe
FileDsty.exe
RegClean.exe
+tray.exe
#safe.exe
+rpt.exe
kabaload.exe
safelive.exe
Ras.exe
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32.exe
KPFW32X.exe
KPFWSvc.exe
KWatch9x.exe
KWatch.exe
KWatchX.exe
TrojanDetector.exe
UpLive.EXE.exe
KVSrvXP.exe
KvDetect.exe
KRegEx.exe
kvol.exe
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution O
