A Trojan that bypasses active defense and pierces Kaspersky

Source: Internet
Author: User
Tags: command line, thread

Zhang Fan, the doctor on duty at the security clinic, was looking up some information when a patient pushed open the door and came in. The patient said that a number of his Internet accounts had recently been stolen, and he wanted the doctor to find out why.

Zhang Fan asked whether the patient had installed anti-virus software. The patient said he had installed the latest version of Kaspersky, updated its virus database every day, and also applied all of the system's patches.

After hearing the patient's story, Zhang Fan said that, with system vulnerabilities ruled out, the only Trojan capable of bypassing Kaspersky's defenses was Evilotus.

The Evilotus Trojan file

Evilotus is a Trojan program developed in China and released by an author known as "Step of the Lake". Besides mature Trojan techniques such as reverse (callback) connections, thread injection and startup as a service, this new Trojan also uses some original techniques. For example, it has an SSDT restoration function, through which it can easily bypass Kaspersky's proactive defense, making it effectively immune to Kaspersky anti-virus software.

The connection port cannot be hidden

Zhang Fan understood that any Trojan, once it has successfully connected and begins receiving and sending data, must inevitably open a port on the system; Trojans that use thread injection are no exception. He therefore set out to view the open ports with the system's netstat command.

To prevent other network programs from interfering with the work, Dr. Zhang first closed them and then opened a Command Prompt window. Entering the "netstat -ano" command in the command line window quickly displayed all connections and listening ports. In the list of connections, Dr. Zhang found that one process was connected to an external address, and that this process had a PID of 1872 (Figure 1).

Following the clues to the Trojan

With this important clue in hand, he ran Trojan Helper Finder, clicked the "Process monitoring" tab and located the suspicious svchost process by its PID value.

After selecting the process and looking through the module list below it, he quickly found a suspicious DLL file with no "Company" or "Description" information, and concluded that this was the Trojan's server-side file (Figure 2). Evidently the Trojan uses thread injection technology and had inserted itself into the system's svchost process.

Having found the Trojan's process, Dr. Zhang began looking for how the Trojan is launched. He ran System Repair Engineer (SRE) and clicked "Startup Items → Services → Win32 Service Applications" in turn.

After selecting the "Hide Microsoft Services" option in the pop-up window, the program automatically filtered out services whose publisher is Microsoft, and the doctor soon discovered a startup service with the same name as the Trojan file (Figure 3). He concluded that this was the Trojan's startup entry.

Removing the Trojan

In Trojan Helper Finder's "Process monitoring" tab, locate the svchost process used by the Trojan through its PID value, select it and click the "Terminate selected process" button to end the process. Then select the "Background service management" option in the "Startup item management" tab, find the Trojan's startup entry in the list of services and click the "Remove service" button.

Now open Registry Editor, click the "Find" command on the "Edit" menu, enter the name of the Trojan file found earlier in the pop-up window, and modify or delete each item related to the Trojan file name as it is found (Figure 4). Finally, go to the system's System32 directory and delete the server-side files to complete the cleanup of the server side.
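As an added example that is not part of the original article, the following PowerShell script performs the triage steps above read-only on a current Windows host: it maps established external TCP connections to their owning PID (the netstat -ano step), lists loaded modules of that process that carry neither a company name nor a description (the Trojan Helper Finder step), and shows services hosted in that PID or named like such a module (the SRE step). The function names and the choice of which address ranges count as "local" are my own; Get-NetTCPConnection, Get-Process and Get-CimInstance are standard Windows cmdlets.

```powershell
# Added example, not from the original article. Read-only triage of the
# steps above: (1) established TCP connections to non-local peers with their
# owning PID; (2) loaded modules of that process with neither CompanyName nor
# FileDescription; (3) services hosted in that PID or named like such a module.
# Needs the NetTCPIP module (Windows 8 / Server 2012+) and an elevated prompt.

function Test-LocalAddress {
    param([string]$Address)
    # Loopback, unspecified, link-local and RFC 1918 ranges count as internal.
    return $Address -match '^(127\.|0\.0\.0\.0|::|fe80:|169\.254\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
}

function Get-ExternalConnections {
    Get-NetTCPConnection -State Established |
        Where-Object { -not (Test-LocalAddress $_.RemoteAddress) } |
        Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess
}

function Get-UndescribedModules {
    param([int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $proc) { return }
    try { $modules = $proc.Modules } catch { return }   # protected or exited process
    foreach ($m in $modules) {
        $vi = $m.FileVersionInfo
        # System DLLs almost always carry both fields; a module with neither is the anomaly used above.
        if ([string]::IsNullOrWhiteSpace($vi.CompanyName) -and
            [string]::IsNullOrWhiteSpace($vi.FileDescription)) {
            [pscustomobject]@{ PID = $ProcessId; Process = $proc.ProcessName;
                               Module = $m.ModuleName; Path = $m.FileName }
        }
    }
}

function Get-RelatedServices {
    param([int]$ProcessId, [string[]]$ModuleNames)
    $stems = $ModuleNames | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
    Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -eq $ProcessId -or $stems -contains $_.Name } |
        Select-Object Name, State, StartMode, ProcessId, PathName
}

foreach ($owner in (Get-ExternalConnections | Select-Object -ExpandProperty OwningProcess -Unique)) {
    $suspect = @(Get-UndescribedModules -ProcessId $owner)
    if ($suspect.Count -gt 0) {
        $suspect | Format-Table -AutoSize
        Get-RelatedServices -ProcessId $owner -ModuleNames $suspect.Module | Format-Table -AutoSize
    }
}
```

The script only reports; terminating the process, removing the service and cleaning the registry remain manual steps so that a legitimate module with missing version information is not killed by mistake.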
