Manually remove Backdoor.Win32.Trup.bo

Posted on Wednesday, 8 June 2011

virus Name: backdoor.Win32.Trup.bo

Risk level: Medium

Virus Description

The virus sample size is “39,424 bytes” and the extension is “. Exe”, it is mainly through the “file bundle”, “download tool to download”, “web page linked to horses” and other ways to spread, the main purpose of this virus the user’s IE browser hijacking, tampering home page, when the user’s computer infected, will access a large number of the designated website and download a large number of unknown trojan to your computer, the system is running Slow, slow speed, a large number of unknown processes.

Infection in the operating system

Windows 2000/Windows XP / Windows 2003/Windows Vista / Windows 7

Transmission

Bundle file, web page linked to horse, download tools to download

Manual Solution:

1. Kill the use of desktop software to scan and clean up a comprehensive tool for system cleaning.
2. Delete the Registry entries
HKEY_CLASSES_ROOT \ SOFTWARE \ Classes \ JE
HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ JE
The registry key to normal
HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ IE \ shell \ open \ command

Variable declaration:

% SystemDriver% system where the partition, usually “C: \”
% SystemRoot% WINDODWS directory, usually “C: \ Windows”
% Documents and Settings% user file directory, usually “C: \ Documents and Settings”
% Temp% temp folder, usually “C: \ Documents and Settings \ current user name \ Local Settings \ Temp”
% ProgramFiles% system program the default installation directory, typically: “C: \ ProgramFiles”
Virus:

(1), creating a snapshot of the process, traversing 360 security guards to find the existence of anti-virus module process DsMain.exe, if there is its dormancy.
(2), create% SystemRoot% \ Sie.ini configuration file. Create multiple threads, create% SystemDriver% \ alh.exe, create a process execution alh.exe, moving itself as 228.tmp, and set the hidden attribute. Hidden file extensions, do not show hidden files, so as to achieve the effect of the virus itself hidden.
(3), remote into the iexplore.exe process, and access http://www.xun ***. info. Create Registry
HKEY_CLASSES_ROOT \ SOFTWARE \ Classes \ JE and HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ JE
Key: command
Data:% ProgramFiles% \ Internet Explorer \ IEXPLORE.EXE http://www.xun ***. info,
Item: DefaultIcon
Data:% SystemRoot% \ system32 \ tbhdz.ico
(4), modify the registry HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ IE \ shell \ open \ command is% ProgramFiles% \ Internet Explorer \ IEXPLORE.EXE http:// **. 97780.com? 1127311, tampering home to http: //**. 97780.com? 1127311, visit the designated website and download a large number of Trojan viruses into the IE buffer, download large files to the user’s computer to run an unknown.
(5), create a rogue on the desktop shortcut: IE browser, Taobao shop, online way of high definition theater and other shortcuts.

Virus to create files:

% SystemRoot% \ VL.ini
% SystemRoot% \ al.ini%
SystemRoot% \ VB.ini
% SystemRoot% \ system32 \ tbhdz.ico
% SystemDriver% \ ati.exe
Virus current directory \ 288.tmp
Virus current directory \ 1288.tmp

Virus to create the registry:

HKEY_CLASSES_ROOT \ SOFTWARE \ Classes \ JE
HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ JE

Modify the HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ IE \ shell \ open \ command
Value:% ProgramFiles% \ Internet Explorer \ IEXPLORE.EXE http:// **. 97780.com? 1127311

Virus to access the network:

http://dh.765 ***. info? 1127311
http://dh.977 **. com
http://cpm.ejiu **. com / sms / tc.php? id = 10
http://cpm.ejiu **. com / sms / tc.php? id = 11
http://cpm.ejiu **. com / sms / tc.php? id = 12
http://jj.765 ***. info: 3218/sms/xxx5.ini
http://60.173.10 .**: 4567/setup_10016.exe
http://xiazai .*****. com/Corp/kugou_2526.exe
http://60.173.10 .**: 1234/dy.exe