⊙ Tool Introduction The symptoms of a computer infected with the Arp spoofing virus (Trojan) are as follows:When the machine starts to access the Internet, it continuously sends Arp spoofing packets, that is, it sends Arp packets to other machines in the same subnet with a fake Nic physical address, or even spoofs other machines with the physical address of the subnet gateway, change other machines in the network to access the Internet through the virus host. During the switchover from the real gateway to the fake gateway, other machines will be disconnected once. If the virus machine suddenly shuts down or goes offline, the other machine will re-search for the real gateway, and the network will be disconnected again. Therefore, as long as one or more of these virus machines exist in a subnet, the Internet access of others will be interrupted. In severe cases, the entire network will be paralyzed. In addition to affecting others' Internet access, this virus (Trojan) also steals user accounts and passwords (such as accounts and passwords for QQ and online games) from virus machines and other machines in the same subnet) for the purpose, and it sends Arp packets, it has a certain level of confidentiality, if the system resources are not very large, and there is no anti-virus software monitoring, the general user is not easy to notice. At the beginning of the school year, the virus mainly occurred in the Student Dormitory. According to a recent survey, it has been spreading to the office area and the residential area of instructors, and is becoming increasingly popular. The Symantec Antivirus Software Enterprise Edition 10.0 provided by the school can effectively detect and kill known Arp spoofing virus (Trojan) viruses. Malware is not clearly defined internationally. Currently, no anti-virus software can provide a 100% solution to prevent attacks. Therefore, some auxiliary tools must be used to clean up malware. Arp virus prevention Solution To reduce the impact of machines infected with the Arp spoofing virus (Trojan Horse) on normal machines accessing the internet, users must statically bind the IP address and physical address of the Gateway. The specific operation is as follows: When you can access the Internet normally, enter the MS-DOS window, enter the command: arp-a, view the correct physical address corresponding to the gateway IP address, and record it. If you are not sure whether the physical address of the gateway is the actual physical address of the gateway, contact the network center. Create a batch file arpbinding. bat with the following content: @ Echo off Arp-d Arp-s gateway IP Gateway physical address (Note: Replace "gateway IP Address" and "Gateway physical address" in the above batch processing file with the "gateway IP Address" and "Gateway physical address" you have found) save and run the batch file and drag it to "Windows → start → program → start. |