Judging viruses and Trojans from the process

Source: Internet
Author: User

Every virus or Trojan that exists in a system is tied to some process. Even when hiding techniques are used, clues can still be found in the process list, so viewing the system's process activity is the most direct way to detect viruses and Trojans. But the system runs many processes at once: which are normal system processes, which are Trojan processes, and what role do the system processes that viruses and Trojans most often impersonate play in the system? This article explains.

Three methods of virus process hiding

When we are sure a virus is on the system but cannot find any unfamiliar process by looking through the process list in "Task Manager", the virus has taken some hiding measure. In summary there are three methods:

1. The Genuine (look-alike names)

The normal processes in the system include Svchost.exe, Explorer.exe, Iexplore.exe, Winlogon.exe and so on, but you may also have found processes such as Svch0st.exe, Explore.exe, Iexplorer.exe or Winlogin.exe. Compare them: do you see the difference? This is a trick viruses often use to fool the user's eyes. Typically they take the name of a normal system process and change one letter to a look-alike, for example "o" to "0", "l" to "I" or "i" to "j", and use the result as their own process name; only one character differs, but the meaning is completely different. Or they add or drop a letter: Explorer.exe and Iexplore.exe are already easy to confuse, and when an Iexplorer.exe appears as well it is even more confusing. If the user is not careful it is generally overlooked, and the virus process escapes.

2. Cynical (right name, wrong path)

If the user is fairly vigilant, the trick above is useless and the virus is caught on the spot. So the virus learned to be cleverer and came up with the "cynical" trick. If a process is named svchost.exe, it looks no different from the normal system process of that name. Is the process therefore safe? No. It simply exploits the fact that Task Manager cannot show the executable file a process corresponds to. We know that the executable of the Svchost.exe process is located in the "C:\WINDOWS\system32" directory (on Windows 2000, C:\WINNT\system32). If the virus copies itself to "C:\WINDOWS\" and renames itself Svchost.exe, then after it runs what we see in "Task Manager" is also svchost.exe, identical to the normal system process. Can you tell which is the virus process?

3. Reincarnated (DLL injection)

Besides the two methods above, the virus has one ultimate trick: reincarnation. The so-called reincarnation means the virus uses process-insertion technology to insert the DLL files it needs into a normal system process. On the surface nothing looks suspicious, but in essence the system process has been taken over by the virus, and unless we use a professional process-inspection tool it is hard to find the virus hiding inside.

System Process FAQ

Many system processes are mentioned above. What are their functions and how do they work? Below we explain these system processes; we believe that once you are familiar with them you can see through the virus's "genuine" and "cynical" tricks.

Svchost.exe

Process names viruses often use to impersonate it: Svch0st.exe, Schvost.exe, Scvhost.exe. As the number of Windows system services kept growing, Microsoft, in order to save system resources, turned many services into shared ones that are started through the Svchost.exe process. Such system services are implemented as dynamic-link libraries (DLLs); the service's executable is pointed at Svchost, and Svchost loads the corresponding service's DLL to start the service. Open "Control Panel" → "Administrative Tools" → "Services" and double-click the "ClipBook" service: in its properties panel the corresponding executable path is "C:\WINDOWS\system32\clipsrv.exe". Double-click the "Alerter" service and its executable path is "C:\WINDOWS\system32\svchost.exe -k LocalService", while the "Server" service has the executable path "C:\WINDOWS\System32\svchost.exe -k netsvcs". This way of calling services saves a lot of system resources, and it is why several svchost.exe instances appear in the system: they are just system services.

There are generally 2 svchost.exe processes on Windows 2000: one is the RPCSS (Remote Procedure Call) service process, the other is a svchost.exe shared by many services. On Windows XP there are typically more than 4 Svchost.exe service processes. If the number of svchost.exe processes exceeds 5, be careful: one of them is likely a fake planted by a virus. The detection method is also simple: use a process-management tool, for example the process-management feature of Windows Optimizer Master, to view the executable path of each Svchost.exe; if it is not in the "C:\Windows\System32" directory, it can be judged to be a virus.

Explorer.exe

Process names viruses often use to impersonate it: Iexplorer.exe, Expiorer.exe, Explore.exe. Explorer.exe is the "Explorer" we use all the time. If the Explorer.exe process is ended in Task Manager, the taskbar, the desktop and the open windows all disappear; click Task Manager → File → New Task, enter "Explorer.exe", and everything that disappeared comes back. The role of the Explorer.exe process is to let us manage the resources on our computer.

The Explorer.exe process is started with the system by default, and the path of its executable is the "C:\Windows" directory; in any other directory it is a virus.

Iexplore.exe

Process names viruses often use to impersonate it: Iexplorer.exe, Iexploer.exe. The Iexplore.exe process name is very similar to the Explorer.exe process name above, so the two are easily mixed up, but Iexplore.exe is the process created by Microsoft Internet Explorer, that is, the IE browser we normally use. Knowing its role makes it easier to recognize: the Iexplore.exe process name begins with "IE", which stands for the browser.

The executable of the Iexplore.exe process is located in the C:\Program Files\Internet Explorer directory; in any other directory it is a virus, unless you moved the folder yourself. In addition, sometimes we find that the iexplore.exe process still exists in the system even though Internet Explorer is not open. This can be one of two cases: 1. A virus is faking the Iexplore.exe process name. 2. A virus is secretly doing something bad in the background through iexplore.exe. In either case, quickly use anti-virus software to kill it.

rundll32.exe

Process names viruses often use to impersonate it: Rundl132.exe, Rundl32.exe. The role of rundll32.exe in the system is to execute internal functions of DLL files; however many Rundll32.exe processes exist in the system, that many DLL files have been started by Rundll32.exe. In fact we use rundll32.exe quite often, since it can drive some system DLL files; for example, enter "Rundll32.exe user32.dll,LockWorkStation" at the command prompt and press Enter, and the system immediately switches to the login screen. The path of Rundll32.exe is "C:\Windows\system32"; in any other directory it can be judged to be a virus.

Spoolsv.exe

Process names viruses often use to impersonate it: Spoo1sv.exe, Spolsv.exe. Spoolsv.exe is the executable of the "Print Spooler" system service, which manages all local and network print queues and controls all print jobs. If this service is stopped, printing on your computer is unavailable and the Spoolsv.exe process disappears from the system. If you have no printer, you can turn the service off to save system resources. After stopping and disabling the service, if a Spoolsv.exe process still exists in the system, it must be a virus in disguise.

Space permits only these common processes. When we find a suspicious process during a routine inspection, we judge it on two points: 1. Carefully check the process's file name; 2. Check its path. On these two points the average virus process will certainly give itself away.
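The two checks above, a look-alike name and a wrong image path, as an added example that is not code from the article: the process list is constructed, the expected directories are the ones the article gives, and look-alike names are found with a small edit-distance routine after undoing the "0"-for-"o" and "1"-for-"l" swaps.

```python
# Genuine system processes and the directory their image should live in,
# as the article gives them (lower-cased; Windows 2000 would use C:\WINNT).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
}

# Digit-for-letter swaps the article describes: "0" for "o", "1" for "l".
CONFUSABLE = str.maketrans({"0": "o", "1": "l"})

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute): a small value means a look-alike name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name, image_path):
    """Check 1 (name) and check 2 (path); returns 'ok', 'wrong-path' or 'lookalike:<genuine>'."""
    name_l = name.lower()
    if name_l in EXPECTED_DIR:
        # Exact system name: the only thing left to verify is where the image lives.
        directory = image_path.lower().rsplit("\\", 1)[0]
        return "ok" if directory == EXPECTED_DIR[name_l] else "wrong-path"
    canon = name_l.translate(CONFUSABLE)
    nearest = min(EXPECTED_DIR, key=lambda genuine: levenshtein(canon, genuine))
    return f"lookalike:{nearest}" if levenshtein(canon, nearest) <= 2 else "ok"

# Constructed process list (name, image path), not captured from a real host.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svch0st.exe", r"C:\WINDOWS\system32\svch0st.exe"),
    ("svchost.exe", r"C:\WINDOWS\svchost.exe"),
    ("Rundl132.exe", r"C:\WINDOWS\Rundl132.exe"),
    ("iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ("Iexplorer.exe", r"C:\WINDOWS\Iexplorer.exe"),
    ("notepad.exe", r"C:\WINDOWS\system32\notepad.exe"),
]

def scan(processes=SAMPLE_PROCESSES):
    """Run both checks over every process; return (name, path, verdict) for the suspicious ones."""
    return [(n, p, classify(n, p)) for n, p in processes if classify(n, p) != "ok"]
```

Running `scan()` on the constructed list reports the four planted entries and leaves the genuine svchost.exe, iexplore.exe and notepad.exe alone.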

Find a good helper for process management

The built-in Task Manager is too weak to serve as a virus-hunting tool, so we can use a professional process-management tool such as Procexp. Procexp can distinguish system processes from ordinary processes and shows them in different colors, leaving virus processes that counterfeit system processes nowhere to hide.

After Procexp is run, the process tree is divided into two large branches: processes under "System Idle Process" are system processes, and processes under "Explorer.exe" are ordinary processes. The system processes introduced above, Svchost.exe, Winlogon.exe and so on, belong under "System Idle Process"; if you find an svchost.exe under "Explorer.exe", then needless to say it must be a virus impersonating it.
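The parent-tree rule above, as an added example that is neither the article's code nor anything from Procexp: the snapshot is constructed, and the smss → winlogon → services → svchost chain used for the genuine branch is my assumption about a typical Windows XP tree, not something the article states.

```python
# Names the article treats as system processes; their genuine copies sit in the
# "System Idle Process" branch of the Procexp tree, never under Explorer.exe.
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "spoolsv.exe"}

# Constructed snapshot (pid, parent pid, name) shaped like a Procexp tree. The
# smss -> winlogon -> services -> svchost chain is an assumed typical XP tree.
SNAPSHOT = [
    (0, 0, "System Idle Process"),
    (4, 0, "System"),
    (520, 4, "smss.exe"),
    (650, 520, "winlogon.exe"),
    (700, 650, "services.exe"),
    (880, 700, "svchost.exe"),
    (1200, 999, "Explorer.exe"),   # its parent has exited, so it is a root of its own
    (1500, 1200, "iexplore.exe"),
    (1620, 1200, "svchost.exe"),   # a system name hanging off the user shell
    (1700, 1500, "rundll32.exe"),  # launched from the browser: ordinary, not flagged
]

def ancestors(pid, by_pid):
    """Walk the parent chain upward and return ancestor names, nearest first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid = by_pid[pid][0]
        if ppid == pid or ppid not in by_pid:
            break
        chain.append(by_pid[ppid][1].lower())
        pid = ppid
    return chain

def impostors(snapshot=SNAPSHOT):
    """Return (pid, name) of every system-named process found in the Explorer.exe branch."""
    by_pid = {pid: (ppid, name) for pid, ppid, name in snapshot}
    return [(pid, name) for pid, _, name in snapshot
            if name.lower() in SYSTEM_NAMES and "explorer.exe" in ancestors(pid, by_pid)]

if __name__ == "__main__":
    for pid, name in impostors():
        print(f"pid {pid}: {name} runs under Explorer.exe, treat as impersonation")
```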

As for the virus's "reincarnated" method, DLL injection, we have already explained the countermeasure; inspecting the signatures of a process's DLL files can also be done in Procexp, which is not elaborated further here.

Tip: The main interface of the software may not show the process name and the executable file corresponding to each process. Click its "View" menu → "Select Columns", tick "Process Name" and "Image Path", and click OK to save.
