Sharp eyes: identifying viruses and Trojans from their processes

Source: Internet
Author: User


No virus or Trojan can exist in the system completely detached from a process. Even when hiding techniques are used, clues can still be found in the process list. Viewing the active processes in the system is therefore the most direct way to detect viruses and Trojans. But with so many processes running at the same time, which are normal system processes and which are Trojan processes? And what role does a system process that viruses and Trojans like to counterfeit actually play in the system? Read on.

Three methods of virus process hiding

When we are sure there is a virus in the system but cannot find any strange process when viewing processes through "Task Manager", it means the virus has taken some measures to hide. These can be summarized as three methods:

1. Passing off the fake as real

The normal processes in the system include svchost.exe, explorer.exe, iexplore.exe, winlogon.exe and so on. You may have found processes like these in your system: svch0st.exe, expiorer.exe, iexplorer.exe, winlogin.exe. Can you spot the differences? This is a common trick viruses use to fool the user's eyes. Generally they take a normal system process name and change the letter o to the digit 0, a lowercase l to a capital I, or a capital I to j, and use the result as their own process name. The difference is only one character, but the meaning is completely different. One letter more or one letter less is just as confusing: explorer.exe and iexplore.exe are already easy to mix up, and when an iexplorer.exe appears as well it gets even messier. If the user is not careful the difference is generally overlooked, and the virus process escapes.

2. Substitution

If the user is more careful, the trick above is useless and the virus is exposed. So the virus gets smarter and learns substitution. Suppose a process is named svchost.exe, exactly the same as the normal system process. Is such a process safe? In fact it exploits a weakness of "Task Manager", which cannot show the executable file behind a process. We know that the executable of the svchost.exe process is in the "C:\WINDOWS\system32" directory ("C:\WINNT\system32" on Windows 2000). If the virus copies itself to another directory and runs under the same name as the normal system process, can you tell which process is the virus?

3. Possession

Besides the two methods above, the virus has an ultimate method: possession. So-called possession means the virus uses process insertion technology to insert the DLL files it needs into a normal system process. On the surface nothing looks suspicious, but in essence the system process is already controlled by the virus. Unless professional process detection tools are used, it is very hard to find the virus hidden inside.

Commonly impersonated system processes

Many system processes were mentioned above. What do these system processes do, and how do they work? Next we explain them one by one. Once you are familiar with them, you will be able to see through the virus's "passing off the fake as real" and "substitution" tricks.

Svchost.exe

Process names often impersonated by viruses: svch0st.exe, schvost.exe, scvhost.exe. As the number of Windows system services keeps growing, the svchost.exe process lets a large number of services share one host process to save system resources. System services are implemented as dynamic link libraries (DLLs); their executable program is pointed at svchost, and svchost calls the DLL of the corresponding service to start it. Open "Control Panel" > "Administrative Tools" > "Services" and double-click the "ClipBook" service: its property panel shows the executable path "C:\WINDOWS\system32\clipsrv.exe". Double-click the "Alerter" service and the executable path is "C:\WINDOWS\system32\svchost.exe -k LocalService", and for the "Server" service it is "C:\WINDOWS\system32\svchost.exe -k netsvcs". This arrangement saves system resources. It also means several svchost.exe instances appear in the system; they are really system services.

Svchost.exe is the host process for these services. If the executable file path of an svchost.exe process is outside the "C:\WINDOWS\system32" directory, it can be judged to be a virus.

Explorer.exe

Process names often impersonated by viruses: iexplorer.exe, expiorer.exe and the like. Explorer.exe is the "Resource Manager" (Windows Explorer) we use all the time; when it is restarted, the desktop items that had disappeared come back. The role of the explorer.exe process is to let us manage the resources on the computer.

By default the explorer.exe process starts with the system, and its executable file is in the "C:\Windows" directory; an explorer.exe running from any other directory is a virus.

Iexplore.exe

This process name is also frequently impersonated by viruses. Iexplore.exe is Microsoft Internet Explorer, the IE browser we normally use, so it is both easy to recognize and easy to be fooled by. The iexplore.exe process name starts with "ie", meaning the IE browser.

The executable program of the iexplore.exe process is in the "C:\Program Files\Internet Explorer" directory. If it is found in another directory, it is a virus, unless you moved the folder yourself. In other cases we may find that an iexplore.exe process is still present in the system when no browser is open, which involves two situations: 1. a virus impersonating the iexplore.exe process name; 2. a virus hiding in iexplore.exe to do its dirty work. In this case we recommend scanning and removing the virus with anti-virus software.

Rundll32.exe

Process names often impersonated by viruses: rundl132.exe, rundl32.exe. Rundll32.exe is used to run functions inside DLL files. For example, run "rundll32.exe user32.dll,LockWorkStation" and press Enter: the system quickly switches to the logon screen. The path of rundll32.exe is "C:\Windows\system32"; in any other directory it can be identified as a virus.

Spoolsv.exe

Process names often impersonated by viruses: spoo1sv.exe, spolsv.exe. Spoolsv.exe is the executable program of the system service "Print Spooler". It manages all local and network print queues and controls all print jobs. If the service is stopped, printing on the computer becomes unavailable and the spoolsv.exe process disappears at the same time. If you have no printer, you can disable this service to save system resources. After the service has been stopped and disabled, if a spoolsv.exe process still exists in the system, it must be a virus in disguise.

Due to limited space, the introduction of common processes ends here. If we find a suspicious process while checking processes, we only need to judge it on two points: 1. check the process file name carefully; 2. check its path. With these two points, ordinary virus processes will certainly be exposed.
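The two checks above, applied automatically to a process snapshot, as an added example that is not part of the original article: the "passing off the fake as real" trick is caught by folding the swapped glyphs (o/0, l/1/i) and allowing one edit against the real names, and the "substitution" trick by comparing each known name's image path with the directory it should load from. The expected directories follow the article's Windows XP layout, and the sample snapshot is constructed; on a real machine the names and image paths would come from a tool such as Process Explorer.

```python
import ntpath
# Known system processes and the directory each should be loaded from,
# as listed in the article (Windows XP layout; adjust for other builds).
EXPECTED_DIRS = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
    "rundll32.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
}
# Fold the glyphs viruses swap (o/0, l/1/i/j) onto one form, so that
# svch0st.exe and expiorer.exe collapse onto the real names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "j": "l"})
def skeleton(name):
    return name.lower().translate(CONFUSABLES)
def osa_distance(a, b):
    """Insert/delete/substitute/adjacent-swap distance: scvhost.exe scores 1."""
    d = [[max(i, j) if min(i, j) == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def check_process(name, image_path):
    """None if the process passes both checks, otherwise the reason it failed.
    image_path is the executable path alone (no '-k netsvcs' arguments)."""
    lname = name.lower()
    if lname in EXPECTED_DIRS:  # exact system name: only the path can give it away
        actual = ntpath.dirname(image_path).lower()
        if actual != EXPECTED_DIRS[lname]:
            return f"{name} loaded from {actual}, expected {EXPECTED_DIRS[lname]}"
        return None
    near = sorted(k for k in EXPECTED_DIRS
                  if osa_distance(skeleton(lname), skeleton(k)) <= 1)
    return f"{name} looks like {', '.join(near)}" if near else None

def scan(processes):
    """processes: iterable of (name, image_path); returns only the flagged ones."""
    return [(n, r) for n, p in processes if (r := check_process(n, p))]

# Constructed sample snapshot for the demo, not data from a real machine.
SAMPLE = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svch0st.exe", r"C:\WINDOWS\system32\svch0st.exe"),
    ("svchost.exe", r"C:\WINDOWS\svchost.exe"),
    ("expiorer.exe", r"C:\WINDOWS\expiorer.exe"),
]
```

The one-edit threshold matches the article's "only one character different" rule; a name such as schvost.exe, where a letter has moved two places, needs a looser threshold or a manual look.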

Find a good helper to manage processes

The built-in "Task Manager" is too weak for hunting viruses, so we can use a professional process management tool such as Procexp (Process Explorer). Procexp shows system processes and ordinary processes in different colours, so virus processes posing as system processes have nowhere to hide.

After Procexp is started, the process tree is divided into two major parts: the processes under "System Idle Process" are system processes, and the processes under explorer.exe are ordinary processes. The system processes we introduced, svchost.exe, winlogon.exe and the others, all sit under "System Idle Process". If you find an svchost.exe under explorer.exe, it must be a virus.

As for the DLL insertion technique used by viruses, we explained earlier how to expose it by checking the signatures of the DLL files; this can also be done in Procexp, which I will not describe again here.

TIPS: In the main window of the program you may not see the executable file that corresponds to a process name. Click the "View" menu → "Select Columns", check "Process Name" and "Image Path", and click "OK".
 
