Detecting and removing dynamically embedded DLL Trojans

Source: Internet
Author: User

Information Source: forum.maxthon.com

As Microsoft's operating systems moved from Win98 to the NT line (including 2000 and XP), the Task Manager was reborn and became far more revealing: under NT, a traditional Trojan can no longer hide its process. The old Win98 trick of registering the Trojan process as a system service so that it does not appear in the Task Manager therefore faced an unprecedented crisis, and Trojan developers promptly adjusted their approach. That is why this article discusses how to find and remove dynamically embedded DLL Trojans.

First, what is a dynamically embedded Trojan? To keep their process hidden on NT systems, Trojan developers turned to DLL (Dynamic Link Library) files. At first they simply wrote the Trojan as a DLL that replaced wsock32.dll, the library that implements the Winsock 1.x functions in the system (WS2_32.DLL handles Winsock 2). Remote control is implemented through an agreed-upon function, while every other call is forwarded to the real library (when a DLL Trojan replaces wsock32.dll it renames the original so that it can forward calls to it later). Later the DLL was embedded into key system processes that cannot be terminated, which are the favourites of DLL Trojans: the DLL itself never appears in the Task Manager, only the EXE that hosts it. With further work a DLL Trojan can also implement port hijacking or port reuse (the so-called "portless" Trojan), registration as a system service, multi-thread protection and so on. In short, DLL Trojans are more stealthy than ever.

How do we find and remove a DLL Trojan?

1. Start with the DLL file itself. We know that system32 is a good place to play hide-and-seek; many Trojans drill into it, and DLL Trojans are no exception. To deal with this, record the EXE and DLL files in that directory right after installing the system and the necessary applications: open CMD, change to system32 and run dir *.exe > exeback.txt & dir *.dll > dllback.txt. When you later suspect an infection, run dir *.exe > exeback1.txt & dir *.dll > dllback1.txt in the same directory and compare the pairs with fc exeback.txt exeback1.txt > diff.txt & fc dllback.txt dllback1.txt >> diff.txt (the fc command compares the two listings and writes the differences to diff.txt; note the >> on the second command, otherwise it overwrites the result of the first). This gives you the EXE and DLL files that have appeared or changed (dir records only name, size and date, so a file replaced under the same name shows up only if its size or date changed); by checking creation time, version information, whether the file is packed and so on, you can easily decide whether a DLL Trojan has paid you a visit. If not, all the better. If so, do not delete the DLL outright: move it to the Recycle Bin first, and only if the system keeps running normally delete it for good or submit it to an antivirus company.
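As an added example (not code from the original article), the same baseline-and-compare can be done with a small script that records a SHA-256 hash per file instead of relying on the size and date that dir prints, so a DLL replaced under the same name is reported as modified even when size and timestamp were preserved. The directory, file names and contents below are constructed for the demo; point snapshot_pe_files() at the real system32 directory to use it. The same compare_snapshots() can be fed a per-process module list (see step 2) instead of a directory listing.

```python
"""Baseline-and-compare inventory of the EXE and DLL files in a directory.

Added example, not from the original article. Records size and SHA-256
per file; a DLL replaced under the same name shows up as 'modified',
a newly dropped one as 'added'. All names and contents in demo() are
constructed sample data.
"""
import hashlib
import os
import tempfile

PE_EXTENSIONS = (".exe", ".dll")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_pe_files(directory):
    """Return {filename: (size, sha256)} for every .exe/.dll file in directory."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.lower().endswith(PE_EXTENSIONS) and os.path.isfile(path):
            result[name] = (os.path.getsize(path), sha256_of(path))
    return result


def save_snapshot(snapshot, path):
    """Write the baseline as 'name<TAB>size<TAB>sha256' lines (the exeback.txt of step 1)."""
    with open(path, "w", encoding="utf-8") as f:
        for name, (size, digest) in sorted(snapshot.items()):
            f.write(f"{name}\t{size}\t{digest}\n")


def load_snapshot(path):
    snapshot = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            name, size, digest = line.rstrip("\n").split("\t")
            snapshot[name] = (int(size), digest)
    return snapshot


def compare_snapshots(baseline, current):
    """Classify entries as added, removed or modified (same name, different size or hash)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in set(baseline) & set(current)
                           if baseline[n] != current[n]),
    }


def demo():
    """Constructed scenario: take a baseline, 'infect' the directory, compare."""
    with tempfile.TemporaryDirectory() as sysdir:
        for name, content in [("wsock32.dll", b"original winsock 1.x library"),
                              ("notepad.exe", b"editor"),
                              ("readme.txt", b"not a PE file, ignored")]:
            with open(os.path.join(sysdir, name), "wb") as f:
                f.write(content)
        baseline_file = os.path.join(sysdir, "dllback.txt")
        save_snapshot(snapshot_pe_files(sysdir), baseline_file)

        # Simulated DLL Trojan (constructed): wsock32.dll replaced by a forwarder
        # and a new loader DLL dropped next to it.
        with open(os.path.join(sysdir, "wsock32.dll"), "wb") as f:
            f.write(b"trojan forwarder that proxies calls to the renamed original")
        with open(os.path.join(sysdir, "loader.dll"), "wb") as f:
            f.write(b"dropped dll")

        return compare_snapshots(load_snapshot(baseline_file), snapshot_pe_files(sysdir))


if __name__ == "__main__":
    print(demo())
```

Hashing every file is slower than dir, but size and timestamp are trivial for a Trojan to preserve while the hash is not; keep the baseline file somewhere the Trojan cannot rewrite it (removable media, a printout), otherwise the comparison proves nothing.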

2. Certain key system processes are the favourites of these Trojans, so once we suspect that a DLL Trojan has got in we must take good care of those processes. How? Procedump.exe, a powerful unpacking tool, can show you which DLL files a process has loaded. However, some processes load so many DLLs that checking them by hand is unrealistic, so instead we use ps.exe, an NT process viewer written by shotgun, and run ps.exe /a /m > (redirected to a text file) once on the clean system and again when we become suspicious; comparing the two listings narrows the scope of the hunt.

3. Remember the port, one of the hallmarks of a Trojan? Every Trojan has to connect somewhere; as long as it connects out or accepts a connection, we can look up which process owns the port, narrow the hunt down to that process, and then find the DLL Trojan more easily with Procedump. Of course, as mentioned above, some Trojans communicate through port hijacking or port reuse, and common ports such as 139, 80 and 1443 are their favourites. Even if you scan your own ports, a connection such as TCP UserIP:1026 ControllerIP:80 in the ESTABLISHED state looks just like you browsing a web page (and the firewall thinks so too). So checking ports is not enough: we need to watch what actually travels over the port. That is the fourth point.

4. We can use a sniffer to see what data is being transmitted on the open port. Putting the network card into promiscuous mode lets it receive every IP packet; the sniffer then picks out the parts worth attention, and the rest is decoding the protocol according to the relevant RFC. In this way you can determine the port used by the Trojan, and combined with Fport (which maps open ports to their processes) and Procedump you can find the DLL Trojan. IRIS is recommended as the sniffer; its graphical interface is easy to use.
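As an added example for steps 3 and 4 (not code from the original article), the following script does the two checks together: it maps each connection to its owning process and then asks whether the bytes flowing on a "web" port are actually a web protocol, which is exactly what the UserIP:1026 -> ControllerIP:80 case above hides from a port listing alone. The netstat text is in the format of netstat -ano (Windows XP and later), used here as a stand-in for Fport; the PID-to-name table, the captured first bytes of each connection, the process names and the allowlist of processes expected to use web ports are all constructed assumptions for the demo.

```python
"""Correlate connections with their owning process and check that what runs
over port 80 is HTTP and over port 443 is TLS.

Added example, not from the original article. All sample data below is
constructed; WEB_CLIENTS is an assumed allowlist for the demo.
"""
from collections import namedtuple

Conn = namedtuple("Conn", "proto laddr lport raddr rport state pid")

WEB_CLIENTS = {"iexplore.exe", "firefox.exe"}      # assumption: processes allowed to browse
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ")


def parse_netstat(text):
    """Parse 'netstat -ano' output; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[:3]
        state, pid = (fields[3], fields[4]) if len(fields) == 5 else (None, fields[3])
        laddr, lport = local.rsplit(":", 1)
        raddr, rport = remote.rsplit(":", 1)
        conns.append(Conn(proto, laddr, int(lport), raddr,
                          int(rport) if rport.isdigit() else None, state, int(pid)))
    return conns


def looks_like_http(data):
    """True if the first bytes are an HTTP request line or status line."""
    return data.startswith(HTTP_METHODS) or data.startswith(b"HTTP/")


def looks_like_tls(data):
    """True if the first bytes are a TLS handshake record (content type 0x16, version 3.x)."""
    return data[:2] == b"\x16\x03"


EXPECTED_PAYLOAD = {80: looks_like_http, 443: looks_like_tls}


def suspicious_connections(conns, pid_names, first_bytes):
    """Return (pid, process, lport, rport, reason) for established web-port connections
    owned by a process that is not a web client, or whose payload is not HTTP/TLS."""
    findings = []
    for c in conns:
        if c.proto != "TCP" or c.state != "ESTABLISHED" or c.rport not in EXPECTED_PAYLOAD:
            continue
        name = pid_names.get(c.pid, "?")
        if name not in WEB_CLIENTS:
            findings.append((c.pid, name, c.lport, c.rport,
                             f"{name} is not a web client but is connected to port {c.rport}"))
        data = first_bytes.get((c.lport, c.rport))
        if data is not None and not EXPECTED_PAYLOAD[c.rport](data):
            findings.append((c.pid, name, c.lport, c.rport,
                             f"payload on port {c.rport} is not what that port should carry: {data[:8]!r}"))
    return findings


# Constructed sample: one real browser session, one TLS session, and an injected
# explorer.exe talking its own framing to port 80.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:1025      198.51.100.9:80        ESTABLISHED     1640
  TCP    192.168.1.20:1026      203.0.113.7:80         ESTABLISHED     1844
  TCP    192.168.1.20:1027      198.51.100.9:443       ESTABLISHED     1640
  UDP    0.0.0.0:445            *:*                                    4
"""
PID_NAMES = {912: "svchost.exe", 1640: "iexplore.exe", 1844: "explorer.exe", 4: "System"}
FIRST_BYTES = {
    (1025, 80): b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    (1026, 80): b"\x01\x00\x00\x1cCMD|dir c:\\",            # constructed Trojan framing
    (1027, 443): b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1",  # start of a TLS ClientHello
}


def demo():
    return suspicious_connections(parse_netstat(SAMPLE_NETSTAT), PID_NAMES, FIRST_BYTES)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The process check alone is not decisive, since legitimate non-browser software also talks to port 80, and the payload check alone is not either, since a careful Trojan can wrap its traffic in real HTTP; the two together, plus the file and module comparisons, are what narrow the search to one process.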

5. When hunting Trojans we habitually go and try our luck in the Registry. That may have been quite effective before, but against a Trojan registered as a system service (principle: on NT/2K/XP the system loads the designated service program at startup) you will find nothing unusual in the Startup group, the Registry, autoexec.bat, win.ini, system.ini, wininit.ini, *.inf files (for example autorun.inf) or config.sys. Then it is time to check the system services: right-click My Computer - Manage - Services and Applications - Services. You will see more than 100 services (MS really does this; about 75% of them are useless to an individual user and can be disabled). Take your time and pick out the ones that do not look right. :) Of course, if you used the Export List function to back up the service list beforehand, comparing the two files quickly shows which services are the outsiders. In that case, note the file the service loads, use srvinstw.exe from the Resource Kit to remove the service, and then delete the loaded file.
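As an added example for step 5 (not code from the original article), the script below compares the installed services against a saved list of names and also checks where each service's binary lives. The MMC Export List records service names and startup type but not the binary, so the listing format here (tab-separated name, start type, ImagePath, ServiceDll) is a constructed one, as a script reading HKLM\SYSTEM\CurrentControlSet\Services might write it; the baseline names, the sample services, the file name nthelp32.dll and the Updater path are made up for the demo, and SystemRoot is assumed to be C:\Windows.

```python
"""Review installed services against a saved baseline and flag what a DLL
Trojan registered as a service would leave behind.

Added example, not from the original article. Listing format, sample
services, baseline names and SystemRoot are constructed assumptions.
"""
import ntpath

SYSTEM_ROOT = "c:\\windows"                                   # assumption
TRUSTED_DIRS = (SYSTEM_ROOT + "\\", SYSTEM_ROOT + "\\system32\\")


def binary_of(image_path):
    """Normalize an ImagePath/ServiceDll value: lower-case, expanded, no quotes, no arguments."""
    p = image_path.strip().strip('"').lower().replace("%systemroot%", SYSTEM_ROOT)
    cut = p.find(".exe")                                      # drop arguments such as '-k netsvcs'
    return p[:cut + 4] if cut != -1 else p


def parse_services(text):
    """Parse 'Name<TAB>Start<TAB>ImagePath<TAB>ServiceDll' lines; the first line is a header."""
    services = {}
    for line in text.strip().splitlines()[1:]:
        name, start, image, dll = (line.split("\t") + ["", "", "", ""])[:4]
        services[name] = {"start": start, "image": image, "dll": dll}
    return services


def review_services(services, baseline_names):
    """Return (service, reason) pairs for services missing from the baseline and for services
    whose executable (or, for svchost-hosted ones, whose ServiceDll) lives outside SystemRoot."""
    findings = []
    for name, svc in services.items():
        if name not in baseline_names:
            findings.append((name, "not present in the baseline export"))
        loaded = svc["dll"] or svc["image"]                   # the file the service really loads
        if ntpath.dirname(binary_of(loaded)) + "\\" not in TRUSTED_DIRS:
            findings.append((name, f"loads {loaded} from outside {SYSTEM_ROOT}"))
    return findings


# Constructed sample listing. nthelp32.dll and the Updater service are made up.
SAMPLE_EXPORT = "\n".join("\t".join(row) for row in [
    ("Name", "Start", "ImagePath", "ServiceDll"),
    ("Dhcp", "auto", r"%SystemRoot%\System32\svchost.exe -k netsvcs",
     r"%SystemRoot%\System32\dhcpcsvc.dll"),
    ("Spooler", "auto", r"%SystemRoot%\System32\spoolsv.exe", ""),
    # a DLL Trojan registered as an svchost-hosted service, DLL sitting in system32
    ("NetSvcHelper", "auto", r"%SystemRoot%\System32\svchost.exe -k netsvcs",
     r"%SystemRoot%\System32\nthelp32.dll"),
    # a service whose binary lives outside SystemRoot
    ("Updater", "auto", r"C:\Documents and Settings\User\Local Settings\Temp\upd.exe", ""),
])
BASELINE_NAMES = {"Dhcp", "Spooler"}                          # constructed: names on the clean system


def demo():
    return review_services(parse_services(SAMPLE_EXPORT), BASELINE_NAMES)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

An svchost-hosted service is the natural home for a DLL Trojan registered as a service: its ImagePath is the genuine svchost.exe and its DLL sits in system32, so the path check alone says nothing and only the comparison against the baseline catches it. That is why the service list and the step 1 file listing should be saved together on the clean system.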

After these five steps you can basically find and remove a sly dynamically embedded DLL Trojan. You will also have noticed that making a few backups beforehand is a great help in the hunt, and of course saves a lot of work.

