Trojan horse, a killer hidden in XP


There are so many kinds of viruses that it is easy to get a computer infected without noticing. A Trojan horse is one kind of virus, but it is really a remote-control hacking tool, and its aggressiveness and harmfulness are out of the ordinary. If you are using Windows XP you should be especially careful: this system is the easiest to target, so we must learn to eliminate Trojans in order to protect it.

Tracking down Trojans

1. Starting the Trojan from win.ini:

The [windows] section of win.ini contains two start-up commands, "load=" and "run=". Normally nothing follows the "=". If a program does follow it, such as:

run=c:\windows\file.exe

load=c:\windows\file.exe

then this file.exe is probably a Trojan.

2. Modify the file association in the Windows XP registry:

Modifying file associations in the registry is a common trick of Trojans; how the modification is done was explained in the first few articles of this series. For example, under normal circumstances a txt file is opened by Notepad.exe (Notepad), but once a file-association Trojan has infected the machine, opening a txt file starts the Trojan instead. The famous domestic Trojan "Glacier", for instance, changes the default value of the registry subkey HKEY_CLASSES_ROOT\txtfile\shell\open\command from "C:\Windows\notepad.exe %1" to "C:\Windows\System\Sysexplr.exe", so that when you double-click a txt file, the file that should have been opened with Notepad now launches the Trojan. Of course, not only txt files but other file types such as htm, exe, zip, com and so on are also targets of Trojans. Be careful.

For this type of Trojan you can only check the shell\open\command subkey of each file type under HKEY_CLASSES_ROOT in the registry and see whether its value is normal.

3. Bundling Trojan files in Windows XP:

For this trigger to work, the control end and the server end must first have established a connection through the Trojan. The user at the control end can then use a tool to bundle the Trojan file with an application and upload it to the server, overwriting the original file. Even if the Trojan itself is deleted, as long as the application carrying it is run, the Trojan is reinstalled. If it is bundled into a system file, the Trojan starts every time Windows XP starts.
</gre_replace>
<gr_replace lines="29-37" cat="clarify" orig="4. Start the Trojan in System.ini:">
4. Starting the Trojan from System.ini:

The line shell=Explorer.exe in the [boot] section of System.ini is a favourite place for Trojans. The usual practice is to change this statement to:

Shell=Explorer.exe file.exe

The file.exe here is the Trojan server program.

Also check the "driver=path\program name" entries in the [386enh] section, as they may be used by Trojans too. The three sections [mci], [drivers] and [drivers32] also load drivers, so they are likewise ideal places to add a Trojan.

4. Start the Trojan in System.ini:

The shell of the [boot] section in System.ini=Explorer.exe is the favorite place for Trojans. The usual practice of Trojans is Change this statement to this:

Shell=Explorer.exe file.exe

The file.exe here is the Trojan server program.

Also, in the [386enh] section, be sure to check the "driver=path program name" in this section, as it may also be used by Trojans. [mic], [drivers], [drivers32] These three sections are also to load the driver, so it is also an ideal place to add Trojans.

5. Using the Windows XP registry to load and run:

The following registry locations are favourite places for Trojans:

Under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, every value in the subkeys whose names begin with "Run".

Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion, every value in the subkeys whose names begin with "Run".

Under HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion, every value in the subkeys whose names begin with "Run".

6. Loading and running the Trojan from Autoexec.bat and Config.sys:

Once the connection between the control end and the server is established, a file with the same name as the Trojan's start-up command is uploaded to the server. Starting the Trojan this way requires two files, and it is not very well concealed, so this method is rare, but it must not be taken lightly.

7. Starting the Trojan from Winstart.bat:

Winstart.bat is another file that Windows XP loads and runs automatically. Most of the time it is generated by applications and by Windows itself. It is executed after Win.com or Kernel386.exe has loaded most of the drivers (you can observe this by pressing F8 at boot and choosing the step-by-step confirmation of the start-up process). Since Winstart.bat can do everything Autoexec.bat can, a Trojan can be loaded and run from it just as from Autoexec.bat.

General detection and removal technique

Now that we know where Trojans hide, it is easy to kill them. If you find that your computer has a Trojan horse, the safest and most effective first step is to disconnect from the network immediately, so that hackers cannot reach the computer through it. Then perform the following steps:

- Edit the Win.ini file. Change "run=trojan program" or "load=trojan program" under the [windows] section back to "run=" and "load=".

- Edit the System.ini file and change "shell=trojan file" under the [boot] section back to "shell=Explorer.exe".

- Edit the Windows XP registry: first find the file name of the Trojan under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run subkey, then search the whole registry for that name and delete or replace every entry. The awful thing is that not every Trojan is gone once its entry is deleted: some re-add themselves as soon as they are removed. In that case, note the Trojan's location, path and file name, go back to DOS, find the file there and delete it. Then restart the computer, return to the registry and delete the key entries of all the Trojan files.
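The checks above can be scripted. The following is an added example, not code from the original article: it parses text copies of win.ini, system.ini and a .reg export of the Run keys and the txtfile open command, and reports every entry that deviates from a clean Windows XP box. The sample file contents are constructed to reproduce the modified entries described in this article.

```python
# Added example (not from the article): audit the XP autostart locations it lists.
# Constructed sample text standing in for win.ini, system.ini and a .reg export.
WIN_INI = "[windows]\nload=c:\\windows\\file.exe\nrun=\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe file.exe\n[386enh]\ndevice=*vmm32\n"
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Windows\\System\\Sysexplr.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\System\\Sysexplr.exe %1"
"""

def parse_sections(text):
    """Parse INI or .reg style text into {section: {key: value}}; section and
    key names are lower-cased and surrounding quotes stripped (.reg syntax)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().strip('"').lower()] = value.strip().strip('"')
    return sections

def exe_name(command):
    """Lower-cased basename of the program in an open command (drops the %1 argument)."""
    exe = command.split(" %1")[0].strip('"')
    return exe.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()

def audit(win_ini, system_ini, reg_export):
    """Return (location, value) pairs that differ from a clean XP installation."""
    findings = []
    win = parse_sections(win_ini).get("windows", {})
    for key in ("load", "run"):            # both should be empty on a clean box
        if win.get(key, ""):
            findings.append(("win.ini [windows] %s=" % key, win[key]))
    boot = parse_sections(system_ini).get("boot", {})
    if boot.get("shell", "explorer.exe").lower() != "explorer.exe":
        findings.append(("system.ini [boot] shell=", boot["shell"]))
    for path, values in parse_sections(reg_export).items():
        if path.rsplit("\\", 1)[-1].startswith("run"):   # Run, RunOnce, RunServices...
            findings.extend((path + "\\" + name, cmd) for name, cmd in values.items())
        elif path == r"hkey_classes_root\txtfile\shell\open\command":
            if exe_name(values.get("@", "")) != "notepad.exe":
                findings.append((path, values.get("@", "")))
    return findings
```

Every value under a Run key is reported for review, because a clean list of legitimate entries differs from machine to machine; the other three locations have a single known-good value and are compared against it.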

Trojans that invade our computers were hard to detect in the past, and they always rely on surprise, so we need to stay vigilant in our daily use of computers and be patient: track down problems, protect our systems and keep our money safe.
