(http://www.netadmin.com.cn/experience/20050112/4091.asp)
This article comes from "Net Administrators' World", 2005 issue No. 1, Anti-Virus column.

To protect itself, a Trojan tries to hide. In the past, Trojans usually started themselves from the "Startup" group of the Start menu or from the registry keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run; some registered themselves as system services; and the even older tricks involving AUTOEXEC.BAT, CONFIG.SYS, WINSTART.BAT, WIN.INI, SYSTEM.INI, Wininit.ini and similar files are familiar to everyone. As Trojans have developed, their hiding techniques have become ever more sophisticated. As the saying goes, "know the enemy and know yourself, and you need not fear a hundred battles": to guard against Trojans you must first know how they hide. Below, the author introduces some of the newer hiding methods.

Trojans in Group Policy
Adding a Trojan through Group Policy is very well concealed and not easy to discover. The method: click Run in the Start menu, enter GPEDIT.MSC and open Group Policy. Under Local Computer Policy, click User Configuration → Administrative Templates → System → Logon, then double-click "Run these programs at user logon"; the dialog shown in Figure 1 appears.

On the Settings tab, select Enabled and click the Show button; a Show Contents window pops up. Click Add, enter the path of the program you want to run automatically in the Add Item window, and click OK. After the computer restarts, the program you added runs automatically every time a user logs on. Tip: if the file is not in the %SystemRoot% directory, you must give its full, valid path.

A Trojan added through Group Policy in this way is "invisible": it does not appear in the System Configuration Utility (msconfig), because msconfig reads only the familiar registry keys such as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and no corresponding value exists there. This makes the technique very well hidden, and it is a serious threat to ordinary users. In fact a program added this way is still recorded in the registry, just not under the key we are used to: it is stored under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (the Computer Configuration counterpart of the same policy lands under the same path in HKEY_LOCAL_MACHINE). So if you suspect there is a Trojan on your computer but cannot find it, look in this registry key, or in Group Policy under User Configuration → Administrative Templates → System → Logon → "Run these programs at user logon", and you may well find it.

A hidden killer: the Load value in the registry
Loading Trojans through the registry has always been a favorite of Trojan writers, and we know the usual keys, but there is a newer way of using the registry to hide a Trojan that you may not know. The method: click Run in the Start menu, enter regedit and open the Registry Editor. Expand HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, create a new string value named "Load", and set its data to the path of the program to start. Tip: use the short (8.3) file name, so "C:\Program Files" is written as "C:\Progra~1", and do not put any parameters after the program path. If you instead change the same item under HKEY_USERS\<user SID>\Software\Microsoft\Windows NT\CurrentVersion\Windows, the method also works for that other user; otherwise it applies only to the user currently logged on. A Trojan loaded this way does not show up in the "Startup Optimization" view of Windows Optimization Master, so if someone uses it to load a malicious program or Trojan, the threat is considerable. When you check for Trojans and viruses, pay special attention to this value, and do not let other people use your machine unsupervised. This method works only on Windows 2000/XP/2003; Windows 9x users need not worry.

Using autorun.inf to load a Trojan
Anyone who uses CDs often knows that some discs run automatically when put in the drive. This is implemented by two pieces: a system component that watches the drive for a disc change (on Windows 9x the CD-ROM driver Cdvsd.vxd, on Windows 2000/XP the Explorer shell), and the autorun.inf file on the disc. When a disc is inserted, the system looks for autorun.inf in the root directory of the disc and, if it exists, executes the program named in it. But AutoRun is not limited to discs; it also applies to hard disks (note that autorun.inf must be in the root directory). Let's look at the contents of an autorun.inf. Open Notepad, create a file named autorun.inf and type:

[Autorun]
icon=C:\Windows\system\shell32.dll,21
open=C:\Program Files\ACDSee\ACDSee.exe

"[Autorun]" is the fixed section header every standard autorun file must begin with; it tells the system to execute the commands below it. The second line, icon=C:\Windows\system\shell32.dll,21, gives the hard disk or disc a personalized icon: shell32.dll is a system file containing a great many Windows icons, and 21 is the index of the icon to use, counted from 0 (so 0 is the first icon in the file). The third line, open=C:\Program Files\ACDSee\ACDSee.exe, gives the path and file name of the program to run. If the open= target is changed to a Trojan and the autorun.inf is given the hidden attribute, the Trojan starts as soon as you double-click the hard drive in My Computer. To prevent this "ambush", disable the AutoRun function for hard disks. Enter regedit in the Start menu's Run dialog, open the Registry Editor, expand HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, and find the value NoDriveTypeAutoRun in the right-hand pane; it determines whether AutoRun is executed for CD-ROMs and hard disks (each bit of the value disables one drive type).
Set it to 9D 00 00 00 (the value 0x9D) to turn off AutoRun for hard disks, or to B5 00 00 00 (0xB5) to turn off AutoRun for discs. Restart the computer after the change for the setting to take effect.

Screen savers can also hide a Trojan
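As an added example (not code from the original article), the following script does offline what the section above describes: it parses an autorun.inf, reports which program the shell would launch, applies a few heuristics for the hard-disk ambush, and decodes a NoDriveTypeAutoRun mask bit by bit so that the 9D/B5 values can be checked rather than trusted. The sample autorun.inf, its open= target and the heuristics in audit_autorun() are this example's own assumptions.

```python
"""Offline checks for the autorun.inf trick described above (added example,
not from the original article).  parse_autorun_inf() reads the [Autorun]
section, audit_autorun() applies this example's own heuristics to it, and
decode_no_drive_type_autorun() explains a NoDriveTypeAutoRun mask."""
import configparser
from typing import Dict, List, Optional, Tuple

# One bit per drive type; a set bit disables AutoRun for that type.  Windows XP
# ships with 0x91; the article's 0x9D adds fixed and removable disks, its 0xB5
# adds removable disks and CD-ROMs, and 0xFF disables AutoRun everywhere.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN", 0x02: "DRIVE_NO_ROOT_DIR", 0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED", 0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK", 0x80: "RESERVED",
}

# Constructed sample: the article's file with open= pointed at a hypothetical
# Trojan parked in the Recycle Bin directory of drive C:.
SAMPLE_AUTORUN_INF = """[Autorun]
icon=C:\\Windows\\system\\shell32.dll,21
open=C:\\RECYCLED\\svchost.exe
"""


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the [Autorun] section as a dict with lower-cased keys ({} if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:          # not an INI-style file at all
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return {}


def parse_icon(value: str) -> Tuple[str, int]:
    """'C:\\Windows\\system\\shell32.dll,21' -> (file, zero-based icon index)."""
    path, comma, index = value.rpartition(",")
    if not comma:
        return value.strip(), 0
    try:
        return path.strip(), int(index)
    except ValueError:
        return path.strip(), 0


def launch_command(entries: Dict[str, str]) -> Optional[str]:
    """What the shell runs when the drive is opened: the open= line, or the
    Windows 2000+ shellexecute= line when only that one is present."""
    return entries.get("open") or entries.get("shellexecute")


def audit_autorun(text: str, drive_letter: str, fixed_disk: bool) -> List[str]:
    """Reasons an autorun.inf in the root of `drive_letter` looks like the
    hard-disk ambush the article describes (heuristics are this example's own)."""
    entries = parse_autorun_inf(text)
    reasons: List[str] = []
    if not entries:
        return reasons
    if fixed_disk:
        reasons.append("autorun.inf in the root of a fixed disk; only media need one")
    target = launch_command(entries)
    if target:
        # Strip surrounding quotes and any arguments to get the program path.
        exe = target[1:].split('"', 1)[0] if target.startswith('"') else target.split()[0]
        exe = exe.lower()
        if len(exe) > 1 and exe[1] == ":" and exe[0] != drive_letter.lower():
            reasons.append(f"open= target {exe!r} is on a different drive than the autorun.inf")
        if "\\recycled\\" in exe or "\\recycler\\" in exe:
            reasons.append(f"open= target {exe!r} is hidden in the Recycle Bin directory")
    return reasons


def decode_no_drive_type_autorun(mask: int) -> List[str]:
    """Drive types for which the NoDriveTypeAutoRun mask disables AutoRun."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if mask & bit]


def autorun_allowed(mask: int, drive_type_bit: int) -> bool:
    """True if AutoRun still fires for the drive type with the given bit."""
    return not mask & drive_type_bit


if __name__ == "__main__":
    print(audit_autorun(SAMPLE_AUTORUN_INF, "E", fixed_disk=True))
    for mask in (0x91, 0x9D, 0xB5, 0xFF):
        print(f"0x{mask:02X} disables AutoRun for:", decode_no_drive_type_autorun(mask))
```

Decoding the mask shows why the two values in the text behave as they do: 0x9D sets the DRIVE_FIXED bit and leaves DRIVE_CDROM clear, 0xB5 does the opposite, and 0xFF is the setting to use if you want AutoRun off for every drive type.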
A Windows screen saver is a .scr file, which is an executable in PE format, stored by default in the Windows installation directory. If a .scr file is renamed to .exe it still starts normally, and an .exe renamed to .scr still runs. For that matter, an .exe renamed to .com or .pif still runs too, which is very handy when the EXE file association has been tampered with. In the screen saver settings we set a wait time; that time is actually stored in the registry. Under HKEY_USERS\.DEFAULT\Control Panel\Desktop the string value ScreenSaveTimeOut records the wait time in seconds, starting at 60; a recorded value smaller than 60 seconds is automatically treated as 1 minute. Tip: you can see whether a screen saver is set in the System.ini file. Enter msconfig in the Start menu's Run dialog, open the System.ini tab, and in the [boot] section you will find "SCRNSAVE.EXE=", followed by the path of the screen saver. If a screen saver is set there is a check mark in front of this line, otherwise there is none. (On Windows 2000/XP the same setting lives in the registry as the string value SCRNSAVE.EXE under HKEY_CURRENT_USER\Control Panel\Desktop.) From the above you can imagine the attack: rename the .exe to .scr (say Trojan.scr), add "SCRNSAVE.EXE=C:\Program Files\Trojan.scr" to System.ini, then change the string value ScreenSaveTimeOut under HKEY_USERS\.DEFAULT\Control Panel\Desktop to 60, and the Trojan is activated as soon as the system has been idle for one minute. The way to prevent such an attack is to stop using screen savers. To disable the screen saver function in one go, modify the registry: open the Registry Editor, find the HKEY_CURRENT_USER\Control Panel\Desktop subkey and set "ScreenSaveActive" to "0".

Trojans in the Control Panel
Each item in the Control Panel actually lives in a file called a CPL; together with Control.exe and Control.ini in the Windows installation directory, these make up the whole Control Panel. Each CPL file corresponds to one item: Desk.cpl is "Display Properties", Inetcpl.cpl is "Internet Properties". Because of the special nature of .cpl files they are started through Rundll32.exe; in other words, any item in the Control Panel can be called via Rundll32.exe. A powerful feature of Rundll32.exe is managing the Control Panel, and the format for calling an applet, in the Start menu's Run dialog or at the command line, is:

Rundll32 shell32.dll,Control_RunDLL name.cpl,,x

Here shell32.dll is the DLL being called and Control_RunDLL the function in it that opens the CPL file; name.cpl is the path and file name of the CPL file you want to call; and x is the number of the tab page to open, counted from 0 (Desk.cpl,,0 is the "Background" page of Display Properties, Desk.cpl,,1 is its "Screen Saver" page, and so on). The empty slot between the two commas is used to select an applet when one CPL file contains several. Tip: the parts are separated only by commas, with no space after a comma; if you get it wrong, you get no error message at all, just nothing. Based on this, we can write a Control Panel applet that does nothing useful or opens no window, put the Rundll32 call into a registry startup key, and it will run at startup. If that applet is a Trojan, not only will users not find it, even software dedicated to killing Trojans will be at a loss. Concretely, add "Rundll32 shell32.dll,Control_RunDLL mycpl.cpl" to a registry Run key, and mycpl.cpl is called whenever the user's machine starts. (If mycpl.cpl is stored in the default directory no path is needed; otherwise the path must be given.)

When the Control Panel is opened it loads all *.cpl files in the System (Windows 9x) or System32 (Windows 2000/XP) subdirectory, so dropping the CPL Trojan into that directory is enough. Be warned: if mycpl.cpl really is a Trojan, the attacker will give it an innocuous name, or replace one of the rarely used CPL files in the system, so that you do not notice. Are only the CPL files in System (Windows 9x) or System32 (Windows 2000/XP) loaded? No. If your applet is not in a Windows directory, say it is under D:\OK, and you want it displayed in the Control Panel, just edit Control.ini and add "MyCPL.cpl=D:\OK\mycpl.cpl" in the [MMCPL] section. If you do not want a CPL file to be displayed in the Control Panel, Control.ini is again the place: add "mycpl.cpl=no" in the [don't load] section and that file will not be loaded (on Windows 2000/XP the same list is kept in the registry key HKEY_CURRENT_USER\Control Panel\don't load).
If someone attacks this way, the defence is to check the registry startup keys; any .cpl file called through Rundll32.exe there is suspect. After deleting the registry value, follow the path to find the CPL file itself and remove it.

Trojans hidden in frighteningly long directories
People who want to hide a Trojan on our computer rack their brains, and exploiting Windows to build an over-long directory and then hiding the Trojan in it is one of their methods. Try this: open Explorer, create a directory on any drive (say E:) and call it Good, enter it and create a subdirectory, say 123, then create a subdirectory Test inside 123; the absolute path of Test is now E:\Good\123\Test. Copy the directories and files you want to hide into Test. Click the Up button to go back to 123, right-click it, choose Rename from the pop-up menu, and rename 123 to "1111...1111", as long a run of 1s as you can type. Click Up again to reach Good and rename it the same way, say to GoodLuck123; the absolute path of Test is now E:\GoodLuck123\111...1111\Test. Now, when you try to access the Test directory, a prompt appears: this folder cannot be accessed, the path is too long (Figure 2). The contents of the directory cannot be seen in the Windows interface, and the same is true under DOS, so the directory and the files in it are neatly hidden. Who would think there is a Test subdirectory in there, or files and folders inside Test? This is how Trojan files are hidden. Why does it work? It is just a small quirk of Windows: the absolute path of a directory cannot exceed about 254 characters (the Win32 MAX_PATH limit is 260 characters counting the drive letter and the terminating null). If the absolute path of a directory is longer, the system cannot see into it. Conversely, the system does not let you create a directory whose path is over the limit directly; what we did above was build the directory first and then rename its parents so that the absolute path exceeds the limit, after which nobody can access it.
The subdirectories and files inside are hidden along with it, whatever their type. Better still, the whole directory cannot be deleted directly: a window pops up saying "Cannot delete *.*: Cannot find the file. Make sure you specify the correct path and file name", and under DOS or with a tool such as Windows Commander the directory cannot be deleted either. Let's see how a directory hidden this way looks in other software. The usual hiding methods (a special space character in the name, a blank icon for the folder, hiding the directory through the registry, and so on) are all exposed in file managers such as Windows Commander, image viewers such as ACDSee, or archivers such as WinZip or WinRAR. A directory hidden by this method is not shown in any of them; you can see only the directory above the protected folder, never the hidden content. Take ACDSee as an example: the left pane shows the Windows directory tree and the right pane lists the files in a folder, including those with the hidden attribute. Find the directory we hid on E: and you will see that the Test directory inside GoodLuck123 cannot be seen (Figure 3). Likewise anti-virus software cannot scan the contents of the folder, and the directory cannot be deleted in Explorer. To hide Trojan files even better, intruders may vary this method slightly.
For example, go into the C:\RECYCLED directory (the Recycle Bin; on Windows 2000/XP it is C:\RECYCLER), build a long directory as described above, move the Trojan files to be hidden into it, select them, right-click, choose Properties from the pop-up menu and set the hidden attribute, so that the files are not seen in Windows and the Recycle Bin still appears empty. Intruders can also get the same effect with special folders such as C:\Windows\Fonts. Next, modify the registry to make the files hide more thoroughly. Enter regedit from Start → Run, open the Registry Editor, expand the branch HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, and change the DWORD value CheckedValue to 0 (the default is 1; if the DWORD value does not exist, create it), as shown in Figure 4. Close the Registry Editor and press F5 to refresh the desktop; from now on "Show hidden files and folders" no longer takes effect, and when we enter the Recycle Bin where the files are hidden we see nothing. Directories and files hidden this way are very clever, for three reasons: first, nobody thinks of looking in the Recycle Bin for secrets; second, after the registry change the hidden files and directories are even more concealed and cannot be found in Windows at all; third, even if the hidden directories and files are found, the directory cannot be entered because the absolute path is too long. This lets a Trojan "live in peace" on our computer. The other side has to create such a special directory on our computer, which means remote operation, so we must patch the system promptly and close its vulnerabilities, install a network firewall, avoid browsing unknown web pages and refrain from opening unfamiliar e-mail; doing these things is enough for an ordinary user.
If such a special folder exists on your system, rename the outermost directory to something short (rename GoodLuck123 to g, for example), then enter the next level and then the Test subdirectory to carry out whatever you need to do. Of course, you can also write a program to read the directory.

Trojans using file associations
We know that a program placed under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run runs automatically at startup, and that there are several sibling subkeys whose names begin with "Run", such as RunOnce and RunServices. Beyond these, there is another registry modification that can make a program start: change the "open" action of a file type so that the program starts whenever you open a file of that type. For example, open the registry and expand HKEY_CLASSES_ROOT\exefile\shell\open\command; this is the open command for EXE files, and its default value is "%1" %*. If the default value is changed to Trojan.exe "%1" %*, the Trojan runs every time you run any EXE file. The Gray Pigeon Trojan uses this association of EXE files, and the famous Glacier Trojan uses a similar trick with the TXT file association. To deal with this hiding method, check the registry for whether the open commands of file types have been changed, and change them back if they have. Best of all, back up the registry regularly and restore the backup as soon as a problem is found; that is convenient, fast and safe.

Trojans using device names
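The registry locations this article has covered so far (the Run keys, the Group Policy logon-program key, the Load value, a .cpl applet launched through Rundll32 from a Run key, the screensaver path, the exefile open command and the SHOWALL CheckedValue), plus the cmd.exe AutoRun script discussed in the device-name section below, can all be checked from a single regedit export. The following script is an added example, not code from the article: it parses the "Windows Registry Editor Version 5.00" export format and lists what an analyst would want to look at. The sample export is constructed and every path and file name in it is made up; the screensaver check (path outside the system directory) is this example's own heuristic.

```python
"""Audit a regedit export (.reg) for the persistence spots this article covers:
the Run keys, the Group Policy logon-program key, the Load value, .cpl applets
run through Rundll32, the screensaver, the exefile association, the cmd.exe
AutoRun script and the SHOWALL CheckedValue.  Added example, not code from
the original article; the sample export is constructed and its paths made up."""
import re
from typing import Dict, List

AUTOSTART_KEYS = tuple(
    hive + r"\software\microsoft\windows\currentversion" + sub
    for hive in ("hkey_local_machine", "hkey_current_user")
    for sub in (r"\run", r"\runonce", r"\runservices", r"\policies\explorer\run"))
EXEFILE_OK = '"%1" %*'

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"1"="C:\\PROGRA~1\\updater.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\PROGRA~1\\updater.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyCpl"="Rundll32 shell32.dll,Control_RunDLL mycpl.cpl"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="updater.exe \"%1\" %*"
[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\PROGRA~1\\saver.scr"
"ScreenSaveTimeOut"="60"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor]
"AutoRun"="C:\\WINNT\\system32\\auto.cmd"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
'''

def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)      # .reg strings escape \ and " with a backslash

def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the 'Windows Registry Editor Version 5.00' format into
    {key path (lower-cased): {value name (lower-cased, '' = default): data}}.
    String, dword and hex data are handled; hex data may continue over lines
    that end in a backslash.  Header, blank and unknown lines are ignored."""
    tree: Dict[str, Dict[str, object]] = {}
    key, pending = None, None              # pending = (name, hex chunks) of a continued value
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            pending[1].append(line.rstrip("\\"))
            if not line.endswith("\\"):
                tree[key][pending[0]] = bytes.fromhex("".join(pending[1]).replace(",", ""))
                pending = None
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            tree.setdefault(key, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m is None or key is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1]).lower()
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            tree[key][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            tree[key][name] = int(data[6:], 16)
        elif data.lower().startswith("hex"):   # hex:, hex(2):, hex(7): ...
            body = data.split(":", 1)[1].strip()
            if body.endswith("\\"):
                pending = (name, [body.rstrip("\\")])
            else:
                tree[key][name] = bytes.fromhex(body.replace(",", ""))
    return tree

def audit(tree: Dict[str, Dict[str, object]]) -> List[str]:
    """Findings for the locations the article describes: every autostart entry
    is listed, the other checks fire only on the tell-tale settings."""
    out: List[str] = []
    for key in AUTOSTART_KEYS:
        for name, data in tree.get(key, {}).items():
            what = "Group Policy logon program" if "\\policies\\" in key else "autostart entry"
            if "rundll32" in str(data).lower() and ".cpl" in str(data).lower():
                what += ", Control Panel applet loaded through Rundll32"
            out.append(f"{key}\\{name or '@'} = {data!r} ({what})")
    for key, values in tree.items():        # HKCU and every HKEY_USERS\<SID> hive
        if key.endswith(r"\software\microsoft\windows nt\currentversion\windows"):
            for name in ("load", "run"):
                if values.get(name):
                    out.append(f"{key}\\{name} = {values[name]!r} (runs at logon, not shown by msconfig)")
    cmd = tree.get(r"hkey_classes_root\exefile\shell\open\command", {}).get("")
    if cmd is not None and str(cmd).strip() != EXEFILE_OK:
        out.append(f"exefile open command is {cmd!r}, expected {EXEFILE_OK!r}: every .exe launch goes through it")
    desk = tree.get(r"hkey_current_user\control panel\desktop", {})
    saver = str(desk.get("scrnsave.exe", "")).lower()
    if saver and "\\system32\\" not in saver and "\\system\\" not in saver:
        out.append(f"screensaver {saver!r} outside the system directory, timeout {desk.get('screensavetimeout')!r} s")
    script = tree.get(r"hkey_local_machine\software\microsoft\command processor", {}).get("autorun")
    if script:
        out.append(f"cmd.exe AutoRun script {script!r} runs whenever a command prompt opens")
    showall = tree.get(r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall", {})
    if showall.get("checkedvalue") == 0:
        out.append("SHOWALL CheckedValue is 0: 'Show hidden files and folders' no longer takes effect")
    return out

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

Export the hives with regedit (File → Export, or "reg export") on the machine under examination and feed the file to parse_reg_export(); keys are matched case-insensitively because exports from different Windows versions differ in the case of "SOFTWARE". The exefile check compares against the exact "%1" %* default, so any prefix such as the Trojan.exe "%1" %* from the text shows up immediately.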
Everyone knows that under Windows a file or folder cannot be given a device name. These names are mainly AUX, COM1, COM2, PRN, CON, NUL and so on, but Windows 2000/XP has a weakness that allows a file or folder to be named after a device, and a Trojan can hide there without being discovered. The method: click Run in the Start menu, enter cmd.exe to open a command prompt window, then enter

md \\.\c:\con\

and a directory named CON is created. Normally Windows refuses to create such a directory; the \\.\ prefix bypasses the name check, which is the weakness being used here. Try again with md \\.\c:\aux\ to create an AUX directory, md \\.\c:\prn\ to create a PRN directory, md \\.\c:\com1\ to create a COM1 directory, and md \\.\c:\nul\ to create a directory named NUL. Try it in Explorer: when we attempt to open a folder named AUX or COM1, Explorer.exe stops responding, and many attackers use this to hide Trojans in such folders, protecting the Trojan from discovery and removal. Now we can copy a file into this special directory. Of course it cannot be copied directly in Windows, but a special method works: enter copy muma.exe \\.\c:\aux\ in the cmd window, and the Trojan file MUMA.EXE is copied into the AUX folder on C:. Then click Run in the Start menu and enter C:\Aux\muma.exe, and the Trojan starts (this works because Windows checks only the last component of a path against the device names). We can enter such a special directory by typing its name, but trying to delete it in Explorer is futile: Windows reports that it cannot find the file. Since del \\.\c:\aux\muma.exe can still delete muma.exe, a Trojan planter who wants better concealment and protection also renames muma.exe so that it becomes hard to delete.
Concretely, when copying the Trojan into the AUX folder use copy muma.exe \\.\c:\aux\con.exe; this copies MUMA.EXE into the AUX directory under the name con.exe, and con.exe cannot be deleted by normal means. Some may object that con.exe cannot be run from the Run dialog. In fact you can run it with cmd /c \\.\c:\aux\con.exe at the command line; a CMD window flashes up briefly at run time. Trojan planters generally refine this, and there are many ways: a boot script can be used, or the AutoRun feature of cmd.exe: under HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor create a string value named AutoRun whose data is the path of a .bat or .cmd file, such as C:\Winnt\System32\auto.cmd, and give that file the content @\\.\c:\aux\con.exe; the Trojan then starts, hidden, every time a command prompt is opened. To remove such a special folder, first delete the con.exe file with del \\.\c:\aux\con.exe (assuming that is the Trojan's file name), then remove the AUX folder with rd \\.\c:\aux. And that is the end of the article.
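The two file-system tricks from the over-long directory section and the device-name section above can be caught by one scan. The following scanner is an added example, not code from the article: it walks a directory tree and flags every path that a normal Explorer or cmd session could not open, either because it exceeds MAX_PATH or because a component is a reserved device name (compared the way Windows does, case-insensitively and ignoring any extension, so con.exe counts). It also builds the \\?\ form of each flagged path; like the article's \\.\ prefix, \\?\ switches off Win32 name normalisation, and it additionally lifts the MAX_PATH limit, so tools that pass paths straight to the Win32 API can delete or scan the hidden content. build_demo_tree() constructs the sample tree (GoodLuck123, the long runs of 1s, Test, an AUX folder with a con.exe) in a temporary directory and is meant for a non-Windows host, where those names are legal.

```python
"""Scanner for the two file-system hiding tricks described above (added
example, not from the original article): paths beyond MAX_PATH and path
components that are reserved DOS device names, plus the \\?\ form that
Win32 tools need in order to reach them."""
import os
import tempfile
from typing import Dict, List

MAX_PATH = 260  # Win32 limit, counting the drive letter and the terminating NUL
RESERVED_NAMES = ({"con", "prn", "aux", "nul"}
                  | {f"com{i}" for i in range(1, 10)}
                  | {f"lpt{i}" for i in range(1, 10)})


def is_reserved_name(component: str) -> bool:
    """Windows matches device names case-insensitively and ignores any
    extension, so 'AUX', 'con.exe' and 'Com1.txt' are all reserved."""
    base = component.split(".", 1)[0].rstrip(" ").lower()
    return base in RESERVED_NAMES


def win32_path_problems(path: str) -> List[str]:
    """Reasons a normal Win32 tool would fail to open `path` (empty if none)."""
    problems: List[str] = []
    for part in path.replace("/", "\\").split("\\"):
        if part and is_reserved_name(part):
            problems.append(f"reserved device name in component {part!r}")
    if len(path) + 1 > MAX_PATH:  # +1 for the NUL terminator MAX_PATH counts
        problems.append(f"length {len(path)} exceeds MAX_PATH ({MAX_PATH})")
    return problems


def extended_length(path: str) -> str:
    r"""Return the \\?\ (extended-length) form of a Win32 path.  The prefix
    turns off normalisation, so 'aux' and 'con.exe' are plain names again,
    and it lifts the MAX_PATH limit; UNC paths become \\?\UNC\server\share."""
    if path.startswith("\\\\?\\"):
        return path
    if path.startswith("\\\\"):
        return "\\\\?\\UNC\\" + path[2:]
    return "\\\\?\\" + path


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk `root` and report every file or directory a normal Explorer or
    cmd session could not open, keyed by its full path."""
    hits: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            problems = win32_path_problems(full)
            if problems:
                hits[full] = problems
    return hits


def build_demo_tree() -> str:
    """Create a throw-away tree reproducing both tricks (constructed sample
    data).  Run it on a non-Windows host: only Windows rejects these names."""
    root = tempfile.mkdtemp(prefix="hide_")
    # Device-name trick: an AUX directory holding a file named con.exe.
    os.makedirs(os.path.join(root, "aux"))
    open(os.path.join(root, "aux", "con.exe"), "wb").close()
    # Over-long path trick: two renamed parents push Test\muma.exe past 260 chars.
    deep = os.path.join(root, "GoodLuck123", "1" * 150, "1" * 150, "Test")
    os.makedirs(deep)
    open(os.path.join(deep, "muma.exe"), "wb").close()
    return root


if __name__ == "__main__":
    for path, problems in scan_tree(build_demo_tree()).items():
        print(path, "->", "; ".join(problems))
        print("   open as:", extended_length(path))
```

When run against a real volume, scan_tree() is the cheap way to locate directories that anti-virus scanners and Explorer have been skipping; the article's manual remedy (rename the outermost directory to a short name) still works, but passing extended_length(path) to a tool that supports it avoids having to rename anything.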