A trojan tries its best to hide itself. The most basic method is hiding from the taskbar: if the form's Visible property is set to False and ShowInTaskbar is set to False, the program does not appear in the taskbar when it runs. Hiding in Task Manager: a program that sets itself up as a "system service" can easily disguise itself.
It also starts quietly. A trojan author cannot expect the user to click a "Trojan" icon after each startup to run the server, so the trojan loads the server automatically every time the user starts the system, using the methods Windows provides for loading applications at startup. The Startup group, win.ini, system.ini, the registry and so on are all good places for trojans to hide. The following describes how a trojan is loaded automatically.
In the win.ini file, under [windows], "run=" and "load=" are possible ways to load a trojan, and they deserve careful attention. Normally nothing follows their equal signs. If you find a path and file name after them that you do not recognise as a startup file, your computer may have a trojan. Look closely, because many trojans, such as the "AOL Trojan", pretend to be a command.exe file. If you are not careful, you may not notice that it is not a real system startup file.
In the system.ini file, there is a "shell=file name" entry under [boot]. The correct file name is "explorer.exe". If the entry is not "explorer.exe" but "shell=explorer.exe program name", the program that follows is a trojan, that is, you already have a trojan.
The situation in the registry is the most complex. Open the Registry Editor with the regedit command, go to the "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" key, and check whether its values contain an unfamiliar automatic startup file with the extension .exe.
Remember that some trojans create files that look much like the system's own files in order to get by through disguise. For example, the "Acid Battery v1.0" trojan changes the Explorer value under the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" to Explorer="C:\WINDOWS\expiorer.exe"; the only difference between the trojan's file name and the real Explorer is an "i" in place of the "l".
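
A minimal audit of the three autostart locations described above, as an added example that is not part of the original article: it flags non-empty run=/load= entries, a shell= line that is anything other than explorer.exe, and Run values whose file name imitates a genuine one the way expiorer.exe does. The allowlist, the sample data and the function names are assumptions, and the Run values are passed in as a dictionary rather than read from a live registry.

```python
import configparser
import re

# Assumption: a short allowlist of genuine names a trojan might imitate.
GENUINE = ("explorer.exe", "command.com", "rundll32.exe")
# Fold characters that look alike on screen (i / l / 1 / |, and 0 / o).
CONFUSABLES = str.maketrans("i1|0", "lllo")
# First file-name token ending in .exe or .com, ignoring directories and arguments.
EXE = re.compile(r'[^\\/"\s]+\.(?:exe|com)\b', re.I)

def lookalike_of(value):
    """Return the genuine file name that `value` imitates, or None."""
    m = EXE.search(value)
    name = m.group(0).lower() if m else ""
    for real in GENUINE:
        if name != real and name.translate(CONFUSABLES) == real.translate(CONFUSABLES):
            return real
    return None

def _ini(text):
    cp = configparser.ConfigParser(strict=False, allow_no_value=True, interpolation=None)
    cp.read_string(text)
    return {s.lower(): dict(cp[s]) for s in cp.sections()}

def audit(win_ini, system_ini, run_values):
    """Flag the three autostart locations the article describes."""
    findings = []
    win = _ini(win_ini).get("windows", {})
    for key in ("run", "load"):            # normally empty after the '='
        val = (win.get(key) or "").strip()
        if val:
            findings.append(("win.ini", key, val))
    shell = (_ini(system_ini).get("boot", {}).get("shell") or "").strip()
    if shell.lower() != "explorer.exe":    # anything extra after it is suspect
        findings.append(("system.ini", "shell", shell))
    for name, val in run_values.items():   # values exported from ...\CurrentVersion\Run
        real = lookalike_of(val)
        if real:
            findings.append(("Run key", name, f"{val} imitates {real}"))
    return findings

# Constructed sample data (svc32.exe is a made-up name), not taken from a real system.
WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\command.exe\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\svc32.exe\n"
RUN_VALUES = {"Explorer": "C:/WINDOWS/expiorer.exe", "SystemTray": "SysTray.Exe"}

if __name__ == "__main__":
    for where, key, detail in audit(WIN_INI, SYSTEM_INI, RUN_VALUES):
        print(f"[!] {where}: {key} = {detail}")
```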