The harm of the Gray Pigeon virus
Gray Pigeon is in fact a remote control program. Its author can generate the server file under any name he likes and then use various tricks to get you to open it. Once the file is opened, your computer becomes a zombie ("broiler" in hacker slang) that the attacker can control at any time.
How Gray Pigeon works:
The Gray Pigeon Trojan consists of two parts, a client and a server. The attacker (let's call him a hacker) operates the client and uses its configuration dialog to generate the server program; by default the server file is named G_Server.exe. The hacker then spreads this server through various channels (this is usually called planting a Trojan or backdoor). There are many ways to plant it: binding it to a picture and sending it over QQ while posing as a shy girl to trick you into running it, setting up a personal web page that lures you into clicking and uses an IE vulnerability to download and run the Trojan on your machine, or uploading the file to a software download site disguised as an interesting program so that users download it themselves.
After it runs, G_Server.exe copies itself to the Windows directory (Windows under Win98/WinXP/Win7, Winnt under Win2000/WinNT) and then extracts G_Server.dll and G_Server_Hook.dll from its body into the same directory. G_Server.exe, G_Server.dll and G_Server_Hook.dll work together to form the Gray Pigeon server. Some variants also drop a file named G_ServerKey.dll to record keystrokes.
Note: the name G_Server.exe is not fixed; it can be customised. If the server file is named A.exe, for example, the generated files are A.exe, A.dll and A_Hook.dll.
The G_Server.exe in the Windows directory registers itself as a service (on Windows 9x it writes a registry startup entry instead) so that it runs automatically at every boot. Once running, it starts G_Server.dll and G_Server_Hook.dll and then exits. G_Server.dll implements the backdoor and communicates with the controlling client; G_Server_Hook.dll hides the Trojan by intercepting API calls, which is why, after infection, neither the Trojan's files nor its registered service can be seen. Depending on how the server was configured, G_Server_Hook.dll is sometimes injected only into the process space of Explorer.exe and sometimes into all processes.
How to detect whether a computer is infected with Gray Pigeon
Because Gray Pigeon intercepts API calls, its Trojan files and registered service are hidden in normal mode; even with "Show all hidden files" enabled you cannot see them. In addition, the server file name can be customised, which makes manual detection harder.
Careful observation shows, however, that detection still follows a pattern. From the analysis of how it works above, whatever the customised server file name, a file ending in "_hook.dll" is always generated in the operating system's installation directory. Using this, we can detect the Gray Pigeon Trojan by hand fairly reliably.
Because Gray Pigeon hides itself in normal mode, detection must be carried out in Safe Mode. To enter Safe Mode, press F8 while the computer is starting, before the Windows startup screen appears (or hold down Ctrl while the computer starts), and choose a Safe Mode option from the startup menu that appears.
The specific steps are as follows:
1. Because Gray Pigeon's files have the hidden attribute, Explorer must be set to show all files. Open My Computer, select Tools - Folder Options, click the View tab, uncheck "Hide protected operating system files", check "Show hidden files and folders", and click OK.
2. Open Windows Search (search for files), enter "_hook.dll" as the file name, and set the search location to the Windows installation directory (by default C:\Windows for Win98/WinXP/Win7 and C:\Winnt for Win2000/WinNT).
3. In this example the search turns up a file named Game_Hook.dll in the Windows directory itself (not in a subdirectory).
4. From how Gray Pigeon works, we know that if Game_Hook.dll is a Gray Pigeon file, then Game.exe and Game.dll will also be present in the operating system's installation directory. Opening the Windows directory, we indeed find both files, together with a GameKey.dll that records keystrokes.
After these steps we can be fairly confident that these files belong to the Gray Pigeon Trojan, and we can delete them by hand as described below.
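The four detection steps above, scripted as an added example that is not part of the original article: given the list of file names in the Windows directory and a mapping of service names to their ImagePath values, it reports every *_hook.dll whose matching .exe and .dll (and optional Key.dll) are present and which service launches that .exe. The file names and service entries in the sample data are constructed to mirror the article's example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List
HOOK_SUFFIX = "_hook.dll"

@dataclass
class Candidate:
    base: str                                          # customised server name, e.g. "Game"
    files: List[str] = field(default_factory=list)     # Trojan components found
    services: List[str] = field(default_factory=list)  # services that launch <base>.exe

def find_candidates(filenames: Iterable[str]) -> List[Candidate]:
    """Flag each *_hook.dll whose <Base>.exe and <Base>.dll partners also exist."""
    # Windows file names are case-insensitive, so compare in lower case but
    # report the names as they appear on disk.
    by_lower = {name.lower(): name for name in filenames}
    found = []
    for lower, original in sorted(by_lower.items()):
        if not lower.endswith(HOOK_SUFFIX):
            continue
        base = original[: -len(HOOK_SUFFIX)]
        partners = [base + ".exe", base + ".dll"]
        if not all(p.lower() in by_lower for p in partners):
            continue  # a lone *_hook.dll does not fit the pattern the article describes
        files = [original] + [by_lower[p.lower()] for p in partners]
        keylogger = (base + "Key.dll").lower()  # optional keystroke-recording component
        if keylogger in by_lower:
            files.append(by_lower[keylogger])
        found.append(Candidate(base=base, files=files))
    return found

def match_services(candidates: List[Candidate], services: Dict[str, str]) -> List[Candidate]:
    """Attach service names whose ImagePath launches a candidate's .exe."""
    # `services` maps service name -> ImagePath as read from
    # HKLM\SYSTEM\CurrentControlSet\Services; passing it in keeps the logic offline-testable.
    for cand in candidates:
        exe = (cand.base + ".exe").lower()
        cand.services = sorted(name for name, path in services.items() if exe in path.lower())
    return candidates

# Constructed sample data mirroring the article's example; not from a real machine.
SAMPLE_WINDIR = ["explorer.exe", "win.ini", "Game.exe", "Game.dll", "Game_Hook.dll",
                 "GameKey.dll", "Stray_hook.dll"]
SAMPLE_SERVICES = {"Spooler": r"C:\Windows\system32\spoolsv.exe",
                   "Game_Server": r"C:\Windows\Game.exe"}

if __name__ == "__main__":
    # On a real machine, pass os.listdir(os.environ["WINDIR"]) and a registry export instead.
    for c in match_services(find_candidates(SAMPLE_WINDIR), SAMPLE_SERVICES):
        print(f"{c.base}: files={c.files} services={c.services}")
```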
How to remove the Gray Pigeon virus
After the analysis above, getting rid of Gray Pigeon is easy. Removal must also be carried out in Safe Mode and has two main steps:
Remove the Gray Pigeon service;
Delete the Gray Pigeon program files.
Note: to guard against mistakes, make a backup before cleaning up.
First, remove the Gray Pigeon service.
Win2000/WinXP/Win7 systems:
1. Open the Registry Editor (click Start - Run, enter "Regedit.exe" and confirm) and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
2. Click Edit - Find in the menu, enter "game.exe" as the search target, and click OK to locate the Gray Pigeon service entry (in this example, Game_Server);
3. Delete the entire Game_Server key.
Second, delete the Gray Pigeon program files.
Deleting the program files is simple: in Safe Mode, delete Game.exe, Game.dll, Game_Hook.dll and GameKey.dll from the Windows directory, then restart the computer. Gray Pigeon is now removed.
That is the method for removing the Gray Pigeon virus on a Windows 10 system shared here. If a friend's computer is infected with Gray Pigeon, they can refer to this tutorial.