Malicious Web Pages: Analysis and Countermeasures for Their "Ten Crimes" | http://www.cshu.net





Malicious Web Pages: Analysis and Countermeasures for Their "Ten Crimes"
www.cshu.net  2002-8-18  fog rain village

Malicious web pages are certainly no stranger to you; perhaps you have already been their victim. A malicious page carries malicious code that can make unauthorized settings changes on, or mount attacks against, a visitor's computer. Antivirus software now classifies this kind of malicious web-page code as a web-page virus. Compared with a virus in the traditional sense, a web-page virus does not infect files, but it is no less harmful than an ordinary virus. Because writing malicious code requires no deep technical skill, many low-quality sites plant it in their pages to inflate their own popularity, or simply as a practical joke, and visitors suffer the consequences. Malicious pages are infuriating, and people would like nothing better than to see them dealt with. Below we lay out their ten crimes one by one.
1. Changing the IE start page
The IE start page is the page opened every time IE is first started; clicking the "Home" button on the IE toolbar also returns to it. It is usually a page we need to look at often, but some malicious pages replace the start page with some seedy site for their own hidden purposes.
Repairing the IE start page is very simple: in IE (IE5 is used as the example here and below), click "Internet Options" on the "Tools" menu, choose the "General" tab, and enter the start page address in the "Home page" text box.
If that setting does not take effect, a malicious program has almost certainly been added to the Windows "Startup" group, so that it runs automatically at every boot and re-applies the unauthorized IE settings. Such a program can be removed from "Startup" with the Registry Editor.
Method: click "Start -> Run", type "Regedit" and press Enter, then expand [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] in the Registry Editor's left pane. The right pane lists every program added to startup; delete the value name of any suspicious program.
Besides the start page, the default home page may also have been changed. We can repair the default home page through the Registry Editor as well. Expand [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]; in the right pane the value "Default_Page_URL" determines IE's default home page. Double-click this value name and enter the address in the "Value data" box; that address becomes IE's new default home page.
2. Changing the IE toolbar
The IE toolbar comprises the tool buttons, the address bar, the links bar and a few other items. A malicious page may add its own buttons to the toolbar, insert sites you have never visited into the address bar's drop-down list, or even tamper with the links bar title so that it shows some disgusting text.
To remove an unwanted button, the method is simple: right-click a toolbar button, choose "Customize", select the unwanted button in the "Current toolbar buttons" list and click "Remove".
To remove the unwanted address-list entries: in the Registry Editor, expand [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs] and delete the value names "url1", "url2" and so on in the right pane.
To repair the links bar title: expand [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar], double-click the value "LinksFolderName" in the right pane and change its data to the text you want, or delete the value name entirely, which restores the default title "Links".
3. Changing the default search engine
The IE toolbar has a "Search" button that links to the assigned search engine for searching the web. Once a malicious page has modified it, this button no longer performs a search; it opens whatever page the malicious page assigned instead.
To repair the search engine: expand [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search] and change the addresses stored in the values "CustomizeSearch" and "SearchAssistant" in the right pane back to a search engine's address.
4. Changing the IE title bar
When we browse a page, the IE title bar shows the title set by the current page. But some malicious pages modify the registry so that, whatever page IE opens, a piece of text is appended to the title: a site name, some junk advertising, or even political or indecent text.
To repair the IE title bar: in the Registry Editor, expand [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main] and delete the value "Window Title" in the right pane.
5. Modifying or disabling the IE right-click menu
Some malicious pages modify the IE right-click (context) menu, adding boring entries or links to their own site in the belief that people will then visit it often, which is frankly laughable.
To delete the junk in the right-click menu: in the Registry Editor, expand [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt] and delete all of the junk beneath it. You can also delete the "MenuExt" subkey itself: its subkeys are the right-click menu extensions, so deleting it restores the default menu.
Some malicious pages, to prevent downloading, go as far as disabling the right mouse button outright, which is simply hateful. Expand [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions] (note that this is the Internet Explorer key under the Policies branch) and change the DWORD value "NoBrowserContextMenu" in the right pane to "0", or delete the value name; you may even delete the "Restrictions" subkey, since everything under "Restrictions" is a setting that restricts IE functions.
Some malicious pages are craftier still: right-clicking shows no menu but pops up a dialog warning you about "copyright infringement", or forces you to read their junk advertising. This kind does not modify the registry at all, so simply leaving the page avoids any trouble. If you really must use the right mouse button on such a page, there is a workaround: when the dialog appears, hold down the "Properties" key (the key just to the left of the right Ctrl key) on the keyboard, then press Enter; if several dialogs appear, press Enter several times; finally release the "Properties" key and the right-click menu appears.
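The following PowerShell script is an added example and is not code from the original article. It reads the registry locations named in items 1 to 5 (start page, default page, typed URLs, links-bar title, search addresses, window title and context-menu extensions) and returns every value it finds as an object, without modifying anything, so the findings can be reviewed before any repair. It assumes Windows PowerShell 5 or later with the HKCU: and HKLM: drives; the "Start Page" value name is an added assumption about where the user's start page is stored, since the article itself only names Default_Page_URL.

```powershell
# Added example, not the article's own code: read-only audit of the IE
# registry locations from items 1-5. Nothing is written to the registry.

function Invoke-IEHijackAudit {
    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding([string]$Location, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Location = $Location; Detail = $Detail })
    }
    # Report each named value under $Key when the key exists and the data is non-empty
    function Add-NamedValues([string]$Key, [string[]]$Names) {
        if (-not (Test-Path -Path $Key)) { return }
        $props = (Get-ItemProperty -Path $Key).PSObject.Properties
        foreach ($n in $Names) {
            $p = $props[$n]
            if ($p -and "$($p.Value)" -ne '') { Add-Finding $Key "$n = $($p.Value)" }
        }
    }

    # Items 1 and 4: start page, default page and forced window title, both hives.
    # "Start Page" is an assumption; the article names only Default_Page_URL.
    foreach ($hive in 'HKCU', 'HKLM') {
        Add-NamedValues "${hive}:\Software\Microsoft\Internet Explorer\Main" `
                        @('Start Page', 'Default_Page_URL', 'Window Title')
    }

    # Item 2: addresses injected into the address-bar drop-down list (url1, url2, ...)
    $typed = 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs'
    if (Test-Path -Path $typed) {
        (Get-ItemProperty -Path $typed).PSObject.Properties |
            Where-Object { $_.Name -like 'url*' } |
            ForEach-Object { Add-Finding $typed "$($_.Name) = $($_.Value)" }
    }
    # Item 2: links-bar title
    Add-NamedValues 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar' @('LinksFolderName')

    # Item 3: where the Search button actually goes
    Add-NamedValues 'HKCU:\Software\Microsoft\Internet Explorer\Search' `
                    @('CustomizeSearch', 'SearchAssistant')

    # Item 5: context-menu extensions; each subkey's default value is the script it runs
    $menuExt = 'HKCU:\Software\Microsoft\Internet Explorer\MenuExt'
    if (Test-Path -Path $menuExt) {
        foreach ($sub in Get-ChildItem -Path $menuExt) {
            $target = (Get-ItemProperty -Path $sub.PSPath).'(default)'
            Add-Finding $menuExt "menu entry '$($sub.PSChildName)' -> $target"
        }
    }

    if ($findings.Count -eq 0) { Add-Finding '(none)' 'no IE customisation values found' }
    return $findings
}

Invoke-IEHijackAudit | Format-Table -AutoSize -Wrap
```

A normal machine usually shows a Start Page entry and nothing else; a Window Title value, url* entries for sites nobody typed, Search values pointing at a non-search site, or MenuExt entries whose default value is a script file on disk are the traces the article's items 1 to 5 describe, and each one can then be removed with the Registry Editor steps above.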
6. Pages or dialogs that pop up at system startup
When a web page opens as soon as Windows starts, the malicious page has tampered with the Windows "Startup" group. Deleting the corresponding entry in the registry solves it.
Method: expand [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] and delete every value name in the right pane whose data contains a web address ending in url, htm, html, asp, php or the like.
A similar trick is a dialog box showing their advertising when Windows starts. Solution: expand [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]; the "Winlogon" subkey under it can make Windows show a message box at startup, and deleting that subkey stops the junk message from appearing.
7. Periodically opening new IE windows
The IE browser opens a new window every so often to visit some other page; this too is a typical symptom of a malicious-page infection. The malicious page achieves it by adding an .hta file to the Windows "Startup" group. As in item 6, delete every startup entry that contains an .hta file.
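The following PowerShell script is an added example, not part of the original article. It audits the startup locations that items 1, 6 and 7 blame for pages and dialogs appearing when Windows starts: it lists every Run entry whose command references a web page or HTA file (the extensions the article names) and the logon-message values under Winlogon, and changes nothing. Beyond the article it assumes that the HKCU Run key is worth checking alongside HKLM, and that on NT-family Windows the Winlogon key lives under "Windows NT\CurrentVersion" with the startup message held in the LegalNoticeCaption and LegalNoticeText values.

```powershell
# Added example, not the article's own code: read-only audit of the startup
# locations from items 1, 6 and 7. Nothing is written to the registry.

function Get-SuspiciousStartupEntries {
    # File extensions the article associates with malicious startup entries
    $pattern = '\.(url|htm|html|asp|php|hta)\b'
    # Properties the registry provider adds to every Get-ItemProperty result
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',   # the article's key
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'    # assumption: per-user key too
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            if ("$($p.Value)" -match $pattern) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $p.Value
                    Reason  = "launches a .$($Matches[1]) file at startup"
                }
            }
        }
    }
}

function Get-LogonMessageValues {
    $paths = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Winlogon',     # the article's path (Windows 9x)
        'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # assumption: NT-family path
    )
    foreach ($key in $paths) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties
        # Assumption: these two values hold the message shown at logon
        foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
            $p = $props[$name]
            if ($p -and "$($p.Value)" -ne '') {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $p.Value }
            }
        }
    }
}

Write-Host '== Startup entries that open web pages or HTA files =='
Get-SuspiciousStartupEntries | Format-Table -AutoSize -Wrap
Write-Host '== Logon message values =='
Get-LogonMessageValues | Format-Table -AutoSize -Wrap
```

On NT-family Windows the Winlogon key also holds settings the logon process depends on, so there the remedy for a junk startup message is to clear the two message values the script reports rather than to delete the whole subkey as the article's Windows 9x instructions do.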
8. Disabling registry editing
This is the malicious page's most shameless act. After it has modified our system, when we run the Registry Editor Regedit.exe to repair the registry, the system reports "Registry editing has been disabled by your administrator". By blocking Regedit.exe the malicious page tries to stop us repairing the registry at all, which can only be called vicious.
But Regedit.exe is far from the only registry editing tool. Download any registry editor from the Internet, expand [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System], change the value "DisableRegistryTools" to "0" or delete the value name, and the registry editor that ships with Windows can be used again.
If you cannot find another editor, type the following three lines in Notepad:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
Save the content as aaa.reg (the file name can be anything, but the extension must be .reg), then double-click the file; once the message says the information was successfully entered into the registry, you can use Regedit.exe again.
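The following PowerShell script is an added example and is not code from the original article. It covers the two policy values the article tells the reader to set back to 0: "NoBrowserContextMenu" from item 5 and "DisableRegistryTools" from item 8. Get-IEPolicyLockdown reports which of them is currently set, and Clear-IEPolicyLockdown resets them to 0, which is the article's first repair option. It assumes Windows PowerShell 5 or later; the registry provider behind the HKCU: drive uses the registry API directly and so is not stopped by the DisableRegistryTools value, which only blocks the Regedit.exe program.

```powershell
# Added example, not the article's own code: detect and reset the two policy
# DWORDs from items 5 and 8. Only Clear-IEPolicyLockdown writes to the registry.

function Get-IEPolicyLockdown {
    # Returns one object per policy value that is present and non-zero
    $checks = @(
        @{ Key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
           Name   = 'DisableRegistryTools'
           Effect = 'Regedit.exe refuses to start (item 8)' },
        @{ Key    = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
           Name   = 'NoBrowserContextMenu'
           Effect = 'IE right-click menu disabled (item 5)' }
    )
    foreach ($c in $checks) {
        if (-not (Test-Path -Path $c.Key)) { continue }
        $p = (Get-ItemProperty -Path $c.Key).PSObject.Properties[$c.Name]
        if ($p -and [int]$p.Value -ne 0) {
            [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Value = $p.Value; Effect = $c.Effect }
        }
    }
}

function Clear-IEPolicyLockdown {
    # The article's first option: change the value to 0 (deleting it also works)
    $fixed = 0
    foreach ($f in Get-IEPolicyLockdown) {
        Set-ItemProperty -Path $f.Key -Name $f.Name -Value 0 -Type DWord
        Write-Host "Reset $($f.Name) under $($f.Key) to 0"
        $fixed++
    }
    return $fixed
}

$found = @(Get-IEPolicyLockdown)
if ($found.Count -eq 0) {
    Write-Host 'No IE or registry-editor lockdown policies are set.'
} else {
    $found | Format-Table -AutoSize -Wrap
    $null = Clear-IEPolicyLockdown
}
```

Where PowerShell is not available, the three-line .reg file shown above does the same job for DisableRegistryTools; the script simply avoids the round trip through a file and leaves a record on the console of what it changed.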
9. Downloading and running Trojan programs
A malicious page's most sinister move is to download and run a Trojan program, thereby taking control of the visitor's computer. This exploits an IE 5.0 vulnerability: through a piece of malicious code the page links to an .eml (e-mail) file with an .exe file (the Trojan) embedded in it. When the visitor browses such a page and clicks the disguised link, the .eml file is downloaded and the .exe (Trojan) runs automatically, with no prompt whatsoever; everything happens silently.
Against such an evil act we have no good means of defence other than upgrading IE, because this vulnerability no longer exists in versions above IE 5.0.
10. Formatting the hard disk
A malicious page can format your hard disk!? You read that right: this is the malicious page's most vicious move, with unthinkable consequences, simply terrifying. The malicious page uses IE's ActiveX functionality to call the Windows program Format.com to format the hard disk. Because it uses an undocumented Microsoft command-line parameter, Format.com formats the disk automatically without asking for your confirmation, and its window stays minimized, so very possibly your system is finished before you can react. This move is truly too mean.
But this dangerous move has a tell-tale sign: since the page must use ActiveX, IE prompts that the current page contains unsafe ActiveX controls that may harm the system and asks whether to run them. At that point you must be on your guard and never casually click "Yes". The prompt itself may also be disguised, for example: "The browser is about to use its anti-virus function to protect you from malicious attacks. Continue?" It truly confuses right and wrong and leaves you in a fog; you must be doubly careful, or there will be no medicine for regret.
Actually the safest approach is to rename Format.com on your computer, so that the malicious page's call finds no target and its evil trick fails. Windows also has a dangerous command, Deltree.exe, whose function is to delete an entire directory tree and which can likewise run automatically with parameters; to give the malicious page no opening, you might as well rename it too.
The ten crimes exposed above are only the malicious page's most common ones; there are also all kinds of small tricks that bring us plenty of trouble online. Moreover, the solutions proposed above are all remedies applied after a malicious page has already done its damage, and they certainly do not guarantee that all will be well afterwards. To avoid or reduce the harm we must start with prevention. The simplest preventive measures are upgrading IE and using an antivirus product's virus firewall:
1. Upgrade IE: a great many malicious pages are effective only against IE 5.0 and earlier. A higher version of any software generally fixes the bugs of the lower versions, so using a higher version of IE is relatively much safer.
2. Enable the virus firewall: most current antivirus software has a virus firewall function, for example Kingsoft Antivirus and Rising. The virus firewall can intelligently identify, scan and kill, and isolate malicious pages; in addition, antivirus software is the nemesis of all kinds of Trojan programs. Antivirus software always stands on the front line against every kind of computer devil; letting these anti-virus soldiers protect us is never wrong!




Original author: N/A
Source: Safechina.net




