Hidden Tricks of System Trojans and Methods for Inspecting and Removing Them
陳健 Chen Jian
Computer Science class of 2005, College of Business, Xinjiang University of Finance and Economics
402444206@qq.com
Abstract: The number and variety of Trojans on the network keep growing, and finding and removing them is a difficult job.
Keywords: system; Trojan; inspection; removal
1. Preface
A Trojan in the system is a real headache. Below we first describe the tricks Trojan programs use to hide themselves and the ways they load automatically, and then describe how to counter those tricks.
2. How Trojan programs hide themselves
A Trojan program will try every possible means to hide itself. Its main methods are:
1. Hiding from the taskbar: this is the most basic trick. Set the form's Visible property to False and its ShowInTaskBar property to False, and the program will not appear in the taskbar while it runs.
2. Becoming invisible in Task Manager: a Trojan only needs to register its program as a "system service" to disguise itself easily. It also starts silently: the user is not going to click the Trojan icon to run the server side after every boot, so the Trojan arranges for its server side to load automatically every time the user starts the machine. Every mechanism Windows has for loading an application at startup is used by Trojans; the startup group, win.ini, system.ini, the registry and so on are all good hiding places for a Trojan.
To check whether a Trojan is auto-loaded from win.ini, look under [WINDOWS]: the "run=" and "load=" lines are possible ways to load a Trojan program and must be examined carefully. Normally there is nothing after the equals sign; if you find a path and file name there that is not a startup file you recognise, your computer may have been infected by a Trojan. You also have to look closely, because many Trojans, such as the AOLTrojan, disguise themselves as the command.exe file, and if you are not careful you may not notice that it is not the real system startup file. In system.ini, under [BOOT], there is a "shell=file name" line. The correct file name is "explorer.exe"; if the line reads "shell=explorer.exe program name" instead, the program that follows is the Trojan program, which means you have already been infected.
The situation in the registry is the most complicated. Open the Registry Editor with the regedit command and navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, then check whether the values there contain any auto-start file with the extension EXE that you do not recognise. Bear in mind that some Trojan programs generate files that look very much like the system's own files and try to get through by disguise. The AcidBattery v1.0 Trojan, for example, changes the Explorer value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to Explorer="C:\WINDOWS\expiorer.exe"; the only difference between the Trojan program and the real Explorer is an "i" in place of an "l". There are of course many other places in the registry where a Trojan program can hide, such as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_USERS\****\Software\Microsoft\Windows\CurrentVersion\Run. The best approach is to find the Trojan program's file name under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and then search the whole registry for it.
3. Detecting and removing Trojans
Once you know how a Trojan works, detecting and removing it becomes easy.
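As an added example (not part of the original article), the following Python script applies the three checks just described, the win.ini "run="/"load=" lines, the system.ini "shell=" line and lookalike file names in the registry Run key, to constructed sample data; the paths and the svchost32.exe name in the samples are hypothetical.

```python
# Added example, not from the article: audit the three auto-start locations it
# describes, using constructed sample data (hypothetical paths) so it runs offline.
WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\expiorer.exe
"""
SYSTEM_INI = """[boot]
shell=explorer.exe C:\\WINDOWS\\svchost32.exe
"""
# Constructed HKLM\...\CurrentVersion\Run values (value name -> data).
RUN_VALUES = {"SystemTray": "SysTray.Exe", "Explorer": "C:\\WINDOWS\\expiorer.exe"}
KNOWN_SYSTEM_NAMES = {"explorer.exe", "command.com", "systray.exe"}

def ini_section(text, section):
    """Return {key: value} for one [section] of an ini file, keys lower-cased."""
    values, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == section.lower()
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values

def looks_like(name, real):
    """True when name differs from a genuine system file name in exactly one
    character, the expiorer.exe / explorer.exe trick the article describes."""
    name, real = name.lower(), real.lower()
    return len(name) == len(real) and sum(a != b for a, b in zip(name, real)) == 1

def audit(win_ini, system_ini, run_values):
    """Apply the article's three checks; returns a list of human-readable findings."""
    findings = []
    windows = ini_section(win_ini, "windows")
    for key in ("run", "load"):          # normally nothing follows the '='
        if windows.get(key):
            findings.append(f"win.ini {key}= is not empty: {windows[key]}")
    shell = ini_section(system_ini, "boot").get("shell", "")
    if shell.lower() != "explorer.exe":  # anything after explorer.exe is suspect
        findings.append(f"system.ini shell= is not plain explorer.exe: {shell}")
    for name, data in run_values.items():
        exe = data.replace("/", "\\").split("\\")[-1]
        for real in KNOWN_SYSTEM_NAMES:
            if looks_like(exe, real):
                findings.append(f"Run\\{name} = {data} imitates {real}")
    return findings
```

Running `audit(WIN_INI, SYSTEM_INI, RUN_VALUES)` on the sample data reports all three problems; point it at the real files and exported Run values to audit a machine.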
If you discover that a Trojan is present, the safest and most effective step is to disconnect the computer from the network immediately, so that the attacker cannot reach you over the network.