How to prevent ASP Trojan horses

Source: Internet
Author: User

ASP Trojans rely on three components, and modifying those components prevents the attack. The FileSystemObject component performs general file operations. The Wscript.Shell component can invoke the system kernel to run DOS commands. The Shell.Application component can also invoke the system kernel to run DOS commands.

I. Using the FileSystemObject component

1. You can edit the registry and rename the component to prevent harm from this kind of Trojan.

Rename HKEY_CLASSES_ROOT\Scripting.FileSystemObject\ to another name, for example FileSystemObject_good. Your own code can then call the component normally by using the new name.

2. Also change the CLSID value, that is, the value of the HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID\ item. The item can also be deleted to prevent harm from this kind of Trojan.

3. Unregister this component with the command: regsvr32 /u C:\WINNT\system32\scrrun.dll. To restore it, remove /u and run the command again to re-register the ASP component.

4. Prohibit Guests users from using scrrun.dll to prevent calls to this component. Command:

cacls c:\winnt\system32\scrrun.dll /e /d Guests

II. Using the Wscript.Shell component

1. You can edit the registry and rename the component to prevent harm from this kind of Trojan.

Rename HKEY_CLASSES_ROOT\Wscript.Shell\ and HKEY_CLASSES_ROOT\Wscript.Shell.1\ to other names, for example Wscript.Shell_ChangeName and Wscript.Shell.1_ChangeName.

Your own code can then call the component normally by using the new name.

2. Also change the CLSID values, that is, the value of the HKEY_CLASSES_ROOT\Wscript.Shell\CLSID\ item and the value of the HKEY_CLASSES_ROOT\Wscript.Shell.1\CLSID\ item.

The items can also be deleted to prevent harm from this kind of Trojan.

III. Using the Shell.Application component

1. You can edit the registry and rename the component to prevent harm from this kind of Trojan.

Rename HKEY_CLASSES_ROOT\Shell.Application\ and HKEY_CLASSES_ROOT\Shell.Application.1\ to other names, for example Shell.Application_ChangeName and Shell.Application.1_ChangeName.

Your own code can then call the component normally by using the new name.

2. Also change the CLSID values, that is, the value of the HKEY_CLASSES_ROOT\Shell.Application\CLSID\ item and the value of the HKEY_CLASSES_ROOT\Shell.Application.1\CLSID\ item.

The items can also be deleted to prevent harm from this kind of Trojan.

3. Prohibit Guests users from using shell32.dll to prevent calls to this component. Command:

cacls c:\winnt\system32\shell32.dll /e /d Guests

IV. Calling cmd.exe

Prevent users in the Guests group from invoking cmd.exe with the command:

cacls c:\winnt\system32\cmd.exe /e /d Guests

V. Handling other hazardous components

ADODB.Stream (CLASSID: {00000566-0000-0010-8000-00AA006D2EA4})

Wscript.Network (CLASSID: {093FF999-1EA0-4079-9525-9614C3504B74})

Wscript.Network.1 (CLASSID: {093FF999-1EA0-4079-9525-9614C3504B74})

As a general rule, these components are not used, so delete them directly. If some ASP pages on the site do use the components above, use the renamed component name when you write the ASP code. Of course, if you are sure your ASP programs do not use these components, deleting them outright gives more peace of mind.

Quick delete method:

Start > Run > regedit to open Registry Editor, press Ctrl+F to search, enter the name of one of the components above (such as Wscript.Shell) and the corresponding ClassID, and then delete or rename what is found.

We can practice it by ourselves, and it will not achieve the desired effect.
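
To confirm that the changes in sections I to V took effect, the PowerShell audit below reports which of the ProgIDs named above still exist and whether Guests is denied on the three files. It is an added example, not part of the original article; it only reads the registry and file ACLs, resolves the system directory through %SystemRoot% rather than the article's C:\WINNT, and assumes the group has its English name, Guests.

```powershell
# Added audit example, not from the original article. Read-only: changes nothing.
# ProgIDs from sections I-V; ClassIDs only where the article states them.
$components = [ordered]@{
    'Scripting.FileSystemObject' = $null
    'WScript.Shell'              = $null
    'WScript.Shell.1'            = $null
    'Shell.Application'          = $null
    'Shell.Application.1'        = $null
    'ADODB.Stream'               = '{00000566-0000-0010-8000-00AA006D2EA4}'
    'WScript.Network'            = '{093FF999-1EA0-4079-9525-9614C3504B74}'
    'WScript.Network.1'          = '{093FF999-1EA0-4079-9525-9614C3504B74}'
}
$hkcr = 'Registry::HKEY_CLASSES_ROOT'

$components.GetEnumerator() | ForEach-Object {
    $progKey  = "$hkcr\$($_.Key)"
    $mapped   = $null
    $classKey = $null
    if (Test-Path -LiteralPath "$progKey\CLSID") {
        # The default (unnamed) value of the CLSID subkey is the class GUID.
        $mapped = (Get-Item -LiteralPath "$progKey\CLSID").GetValue('')
    }
    if ($_.Value) {
        # Only checkable for the ClassIDs the article lists.
        $classKey = Test-Path -LiteralPath "$hkcr\CLSID\$($_.Value)"
    }
    [pscustomobject]@{
        ProgId          = $_.Key
        ProgIdPresent   = Test-Path -LiteralPath $progKey  # True = not renamed or deleted
        MappedClsid     = $mapped
        ClassKeyPresent = $classKey
    }
} | Format-Table -AutoSize

# Files the article denies to Guests with cacls.
# Assumptions: %SystemRoot% replaces C:\WINNT; the group is named "Guests".
'scrrun.dll', 'shell32.dll', 'cmd.exe' | ForEach-Object {
    $path = Join-Path $env:SystemRoot "system32\$_"
    $deny = (Get-Acl -LiteralPath $path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -like '*\Guests'
    }
    [pscustomobject]@{ File = $path; GuestsDenied = [bool]$deny }
} | Format-Table -AutoSize
```

A hardened server shows ProgIdPresent as False for every row and GuestsDenied as True for every file; a row with ProgIdPresent False but ClassKeyPresent True means the name was changed while the class registration itself is still in place.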
