A complete guide to manually removing Trojan horses

The Trojan horse takes its name from the wooden horse of ancient Greek mythology. It is a hacking tool based on remote control, and its concealment makes it very damaging to ordinary users. To keep control of the host on which its server component runs, a Trojan uses various means to get itself activated, loaded and run. This article briefly introduces the common ways Trojans are activated, the places they hide, and some examples, so that you know how to remove a Trojan by hand.

● Start the Trojan from Win.ini:
In the [windows] section of Win.ini, the lines "run=" and "load=" normally have nothing after the "=". If a program follows, such as:
run=C:\Windows\file.exe
load=C:\Windows\file.exe
then this file.exe is very likely a Trojan.
● Modify the file association in the Windows XP registry:
Modifying file associations in the registry is a common Trojan technique; how the change is made was explained in the earlier articles of this series. Normally a .txt file is opened by Notepad.exe (Notepad), but once a file-association Trojan is installed, double-clicking a .txt file starts the Trojan instead. For example, the well-known Chinese Trojan "Glacier" changes the default value of the HKEY_CLASSES_ROOT\txtfile\shell\open\command subkey from "C:\Windows\notepad.exe %1" to "C:\Windows\System\Sysexplr.exe", so that when you double-click a .txt file, the program that runs is the Trojan rather than Notepad. Nor is it only .txt files: other types such as htm, exe, zip and com are targets as well. Be careful.
For this type of Trojan, the only check is to look at the shell\open\command subkey of each file type under HKEY_CLASSES_ROOT in the registry and confirm that its default value is the program you expect.
● Bundle the Trojan with a file on the Windows XP system:
For this trigger to work, the control end and the server end must already have a connection through the Trojan. The controlling user uses a binder tool to bundle the Trojan with an application, uploads the bundled file to the server and overwrites the original file, so that even if the Trojan itself is deleted, it is reinstalled as soon as the bundled application is run. If it is bundled with a system file, the Trojan starts every time Windows XP starts.
● Start the Trojan from System.ini:
The shell=Explorer.exe line in the [boot] section of System.ini is a favourite hiding place for Trojans. The usual trick is to change the line to:
Shell=Explorer.exe file.exe
where file.exe is the Trojan's server program.
In addition, check the "driver=path\program name" entries in the [386enh] section, because they can also be used by Trojans. The [mci], [drivers] and [drivers32] sections load drivers too, so they are equally good places to add a Trojan.
● Load and run the Trojan from the Windows XP registry:
The following registry locations are hiding places for Trojans:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion: all subkeys whose names start with "Run" (Run, RunOnce and so on)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion: all subkeys whose names start with "Run"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion: all subkeys whose names start with "Run"
Every value under these subkeys is a program that Windows starts automatically, so each one should be accounted for.
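The registry checks from the file-association section and the Run-key section above, as an added example that is not from the original article. Rather than reading the live registry, it parses a regedit export (on Windows XP, regedit /e C:\export.reg writes a "Windows Registry Editor Version 5.00" file in UTF-16 LE), lists every value under any CurrentVersion\Run* subkey that is not on an allow-list, and compares the default value of each HKEY_CLASSES_ROOT\<type>\shell\open\command key with the program expected for that type. The export text, the allow-list and the expected-handler table are constructed assumptions for the example; REG_SZ and REG_EXPAND_SZ (hex(2)) values are decoded, other value types are kept as written.

```python
"""Audit a regedit export for Trojan autostart entries and hijacked file associations.

Added example. REG_SAMPLE is a constructed export containing the entries the
article describes; on a real Windows XP machine create one with
    regedit /e C:\\export.reg
and load it with open(path, encoding="utf-16").read() (regedit writes UTF-16 LE).
"""
import re
from typing import Callable, Dict, Iterator, List, Tuple

REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=hex(2):6d,00,6f,00,62,00,73,00,79,00,6e,00,63,00,2e,00,\
  65,00,78,00,65,00,20,00,2f,00,6c,00,6f,00,67,00,6f,00,6e,00,00,00
"Sysexplr"="C:\\Windows\\System\\Sysexplr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"file"="C:\\Windows\\file.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\System\\Sysexplr.exe %1"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Assumed baseline for this example: autostart value names already verified by the
# administrator, and the program each file type's open command must start with.
ALLOWED_AUTOSTART = {"Synchronization Manager"}
EXPECTED_HANDLER: Dict[str, Callable[[str], bool]] = {
    "txtfile": lambda cmd: first_program(cmd) == "notepad.exe",
    "exefile": lambda cmd: cmd.startswith('"%1"'),
    "comfile": lambda cmd: cmd.startswith('"%1"'),
    "batfile": lambda cmd: cmd.startswith('"%1"'),
}

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run[^\\]*$", re.IGNORECASE)
ASSOC_RE = re.compile(r"^HKEY_CLASSES_ROOT\\([^\\]+)\\shell\\open\\command$", re.IGNORECASE)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=data or @=data


def logical_lines(text: str) -> Iterator[str]:
    """Join regedit's backslash-continued lines (used for long hex values)."""
    buf = ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def decode_data(data: str) -> str:
    """Decode REG_SZ ("...") and REG_EXPAND_SZ (hex(2):...) data; keep other types verbatim."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])          # \\ -> \ and \" -> "
    if data.lower().startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: data}}; the default value is stored as "(Default)"."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            keys[current][name] = decode_data(m.group(2))
    return keys


def first_program(cmd: str) -> str:
    """Base name of the program at the start of a shell command, quoted or not."""
    cmd = cmd.strip()
    prog = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split(None, 1)[0] if cmd else "")
    return prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(text: str, allowed=ALLOWED_AUTOSTART) -> List[Tuple[str, str, str, str]]:
    """Return (key, value name, data, reason) for every entry that needs a look."""
    findings: List[Tuple[str, str, str, str]] = []
    for key, values in parse_reg(text).items():
        if RUN_KEY_RE.search(key):
            for name, data in values.items():
                if name not in allowed:
                    findings.append((key, name, data, "autostart entry not on the allow-list"))
        m = ASSOC_RE.match(key)
        if m:
            ftype = m.group(1).lower()
            cmd = values.get("(Default)", "")
            check = EXPECTED_HANDLER.get(ftype)
            if check is not None and not check(cmd):
                findings.append((key, "(Default)", cmd, f"{ftype} is not opened by its expected program"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in audit(REG_SAMPLE):
        print(f"{key}\n    {name} = {data}\n    <- {reason}")
```

The output is exactly the record the removal procedure needs: the key, the value name and the full path of each suspect file. Decoding hex(2) matters because on Windows XP the stock txtfile command is stored as REG_EXPAND_SZ (%SystemRoot%\system32\NOTEPAD.EXE %1) and would otherwise be reported as a false hijack.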
● Load the Trojan from Autoexec.bat or Config.sys:
Once the control end and the server have a connection, the attacker uploads files of the same names, containing the command that starts the Trojan, to the server and overwrites these two files; this is another way to start a Trojan. It is not very concealed, so the method is rare, but it should not be taken lightly.
● Start the Trojan from Winstart.bat:
Winstart.bat is another file that Windows loads and runs automatically. It is mostly generated by applications and by Windows itself, is executed after Win.com or Krnl386.exe, and runs after most of the drivers have been loaded (you can observe this by pressing F8 at start-up and choosing to confirm the boot process step by step). Since Winstart.bat can do everything Autoexec.bat does, a Trojan can be loaded and run from it exactly as from Autoexec.bat.
General detection and removal techniques for Trojans
Now that we know where Trojans hide, removing them is straightforward. If you find a Trojan on your computer, the safest and most effective first step is to disconnect from the network immediately, so that the attacker cannot reach the machine while you work. Then carry out the following steps:
● Edit Win.ini and, in the [windows] section, change "run=trojan program" or "load=trojan program" back to "run=" and "load=".
● Edit System.ini and, in the [boot] section, change "shell=trojan file" back to "shell=Explorer.exe".
● In the Windows XP registry, first find the Trojan's file name under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run subkey branch, then search the whole registry for that name and delete or replace every entry. Unfortunately not every Trojan goes away once its entries are deleted: some re-add themselves as soon as they are removed. In that case, note the Trojan's location, path and file name, boot to a DOS prompt, find the file there and delete it, then restart the computer, return to the registry and delete the key entries for all of the Trojan's files.
Note that on Windows XP the Win.ini and System.ini entries above are legacy settings; their registry counterparts are the Load and Run values under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows and the Shell value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so check those as well.

Copyright © Windows knowledge All Rights Reserved