How does a dll or exe virus program run?

Source: Internet
Author: User

 

 

1. dll-type Trojan

 

[Principle]

DLL files are dynamic link libraries. When an exe program runs, it loads a number of DLLs to supply functionality the program itself does not contain. A Trojan exploits this by getting its own DLL loaded into a legitimate process, either by taking the place of a DLL the process expects (image hijacking) or by injecting into a process that is already running. It then executes inside that process, under that process's name and privileges, and can steal confidential files, tamper with key system locations, and hide itself. For this reason DLL Trojans are also called injection Trojans or image-hijacking Trojans.

 

[Features]

Almost any malware can be built in DLL form. The well-known Aurora virus is a worm with DLL components: it evades anti-virus software, hides itself well, regenerates when parts of it are removed, and survives an ordinary reinstallation of the system. Besides infecting ordinary files, it can also insert itself into archives such as .rar files.

 

[Common loading methods]

1. Loading through the system's own rundll32.exe. The Trojan only has to be built as a DLL that exports an entry point; an autostart value such as rundll32.exe <dll>,<entry point> in a Run key of the registry, or in another location the system processes at startup, starts it automatically. Because rundll32.exe is a legitimate Windows binary, the process list shows nothing unusual; the DLL path and entry point on the command line are what give it away.

2. Replacing a system DLL. The backdoor is built as a DLL with the same name and export list as a system DLL; the original is renamed and the backdoor is dropped in its place. When an application loads the DLL, the backdoor forwards ordinary calls, with their parameters, to the renamed original so the application keeps working normally. Only when a special request arrives does the backdoor's own code start and run.

3. DLL injection, also called embedding: the DLL is loaded into a process that is already running. In Windows each process has its own private address space, but there are several ways to enter another process's space and plant a DLL there. Because the host is usually a key system process that cannot simply be terminated, such backdoors are well hidden and hard to detect and remove. Common injection techniques are API hooking, global hooks (SetWindowsHookEx), and remote threads (CreateRemoteThread with LoadLibrary as the thread's start routine).
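Two of these loading methods leave traces a defender can check for. The following Python script is an added example, not part of the original article: it parses rundll32 autostart command lines from Run-key entries (method 1) and flags DLLs started from user-writable paths or by a relative name, and it goes over Sysmon Event ID 8 (CreateRemoteThread) records to flag remote threads that start at LoadLibrary or in memory backed by no module (method 3). The registry entries, Sysmon records, file paths and the csrss.exe allow-list entry are constructed for illustration; the user-writable prefix list is a heuristic, not a complete one.

```python
"""Triage for two of the loading methods above: DLL autostarts through rundll32.exe
(method 1) and DLL injection by remote thread (method 3). Added example; the autorun
entries and Sysmon records below are constructed samples, not data from a real host."""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    source: str   # registry value, or "source -> target" process pair
    reason: str
    detail: str


_RUNDLL = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+(?P<args>.+)$',
                     re.IGNORECASE)
# Path prefixes a standard user can write to (lower-case; heuristic, not exhaustive).
_USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "%tmp%", "c:\\users\\", "c:\\programdata\\")
# A remote thread that begins at one of these is the classic CreateRemoteThread + LoadLibrary injection.
_LOADLIB = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}


def parse_rundll32(command: str) -> Optional[Tuple[str, str, str]]:
    """Split a rundll32 command line into (dll, entry_point, extra_args).
    rundll32 syntax is <dll>,<entrypoint> [args]: the DLL may be quoted and the
    entry point may be an ordinal such as #1. Returns None for any other program."""
    m = _RUNDLL.match(command)
    if not m:
        return None
    args = m.group("args").strip()
    if args.startswith('"'):                       # quoted DLL path, may contain spaces
        end = args.find('"', 1)
        end = len(args) if end < 0 else end
        dll, rest = args[1:end], args[end + 1:]
    else:                                          # unquoted: DLL name ends at the comma
        cut = re.search(r"[,\s]", args)
        dll, rest = (args, "") if cut is None else (args[:cut.start()], args[cut.start():])
    rest = rest.lstrip()
    if not rest.startswith(","):
        return dll, "", rest                       # no entry point given at all
    entry, _, extra = rest[1:].lstrip().partition(" ")
    return dll, entry, extra.strip()


def check_autoruns(entries: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """entries: (registry key, value name, command line) as exported from Run keys."""
    out: List[Finding] = []
    for key, value, command in entries:
        parsed = parse_rundll32(command)
        if parsed is None:
            continue
        dll, entry, _ = parsed
        where = f"{key}\\{value}"
        if not re.match(r"^(?:[A-Za-z]:\\|%)", dll):
            out.append(Finding(where, "rundll32 with relative DLL name (resolved by search order)", dll))
        elif dll.lower().startswith(_USER_WRITABLE):
            out.append(Finding(where, "rundll32 loading a DLL from a user-writable path", f"{dll},{entry}"))
        if entry.startswith("#"):
            out.append(Finding(where, "entry point given by ordinal, no export name to look up", f"{dll},{entry}"))
    return out


def check_remote_threads(events: Iterable[Dict[str, str]], allowlist: Iterable[str] = ()) -> List[Finding]:
    """events: Sysmon Event ID 8 (CreateRemoteThread) records with the fields Sysmon
    logs: SourceImage, TargetImage, StartModule, StartFunction, StartAddress."""
    allowed = {a.lower() for a in allowlist}
    out: List[Finding] = []
    for ev in events:
        src, tgt = ev.get("SourceImage", ""), ev.get("TargetImage", "")
        if src.lower() in allowed:
            continue
        pair = f"{src} -> {tgt}"
        if ev.get("StartFunction", "").lower() in _LOADLIB:
            out.append(Finding(pair, "remote thread starting at LoadLibrary (DLL injection)", ev.get("StartAddress", "")))
        elif ev.get("StartModule", "") in ("", "-"):   # Sysmon writes "-" when no module backs the address
            out.append(Finding(pair, "remote thread starting in memory backed by no module (shellcode)", ev.get("StartAddress", "")))
    return out


RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_AUTORUNS = [                                # constructed
    ("HKCU\\" + RUN_KEY, "Updater", r"rundll32.exe C:\Users\Public\update.dll,Install"),
    ("HKLM\\" + RUN_KEY, "svc", r'"C:\Windows\System32\rundll32.exe" %APPDATA%\svc.dll,#1 /silent'),
    ("HKLM\\" + RUN_KEY, "Vendor Tray", r'"C:\Program Files\Vendor\Tray.exe" /background'),
    ("HKLM\\" + RUN_KEY, "Helper", r"rundll32.exe helper.dll,Start"),
]
SAMPLE_THREADS = [                                 # constructed Sysmon Event ID 8 records
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\dropper.exe", "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA", "StartAddress": "0x7FFE5D8B1230"},
    {"SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\winlogon.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart", "StartAddress": "0x7FFE5E1A0000"},
    {"SourceImage": r"C:\Users\bob\Downloads\game.exe", "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartModule": "-", "StartFunction": "-", "StartAddress": "0x1A2B0000"},
]


def run_sample() -> Dict[str, List[Finding]]:
    # csrss.exe is allow-listed here only as an example of how a known-good source is excluded
    return {"autoruns": check_autoruns(SAMPLE_AUTORUNS),
            "threads": check_remote_threads(SAMPLE_THREADS, allowlist=[r"C:\Windows\System32\csrss.exe"])}


if __name__ == "__main__":
    for group, findings in run_sample().items():
        for f in findings:
            print(f"[{group}] {f.source}: {f.reason} ({f.detail})")
```

On a real host the autorun tuples come from a registry export of the Run keys under HKCU and HKLM, and the thread records from the Sysmon operational log; an ordinal entry point or a DLL in a user-writable directory is not proof by itself, but each is the first thing to open in a disassembler.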

 

[Famous DLL backdoor Trojans]

lpk.dll / usp10.dll (loaded by DLL search-order hijacking: a malicious copy dropped in a program's own directory is picked up instead of the genuine library in System32, and typically forwards calls on to the real one)

SvchostDLL.dll

BITS.dll

QoServer.dll
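The replacement-with-forwarding method (2 above) and the lpk.dll case both rely on the PE export table's forwarder mechanism: an export whose address points back into the export directory is not code but a string naming another module and function, which the loader follows. The following Python script is an added example, not code from the article: it walks a PE export table, reports which exports are forwarded and where, and lists the foreign modules a DLL forwards to. So that it runs offline it builds a small PE32+ image in memory that mimics a proxy lpk.dll forwarding LpkInitialize to a renamed original; the image, the lpk_org module name and the export names in it are constructed for the example.

```python
"""Spot a proxy (forwarding) DLL of the kind described under method 2 and by the
lpk.dll case above: a library whose exports forward to a renamed original.
Added example; the DLL image is constructed in memory, not read from a real file."""
import struct
from typing import Dict, List, Optional, Tuple

SECTION_RVA, SECTION_RAW = 0x1000, 0x200   # one section, mapped at RVA 0x1000, stored at file offset 0x200


def build_sample_dll(dll_name: str, exports: List[Tuple[str, Optional[str]]]) -> bytes:
    """Build a minimal PE32+ DLL whose export table matches `exports`, a list of
    (name, forwarder): forwarder is "Module.Function" or None for local code."""
    n = len(exports)
    funcs_off, names_off = 40, 40 + 4 * n                 # tables follow the 40-byte export directory
    ords_off, str_off = 40 + 8 * n, 40 + 10 * n
    strings = bytearray()

    def add_str(s: str) -> int:                            # append a C string, return its RVA
        rva = SECTION_RVA + str_off + len(strings)
        strings.extend(s.encode() + b"\0")
        return rva

    name_rva = add_str(dll_name)
    name_rvas = [add_str(nm) for nm, _ in exports]
    fwd_rvas = {nm: add_str(fwd) for nm, fwd in exports if fwd is not None}
    export_size = str_off + len(strings)                  # the export directory covers tables and strings
    code_off = (export_size + 15) & ~15                   # local code is placed outside that range
    func_rvas = [fwd_rvas.get(nm, SECTION_RVA + code_off) for nm, _ in exports]
    section = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, name_rva, 1, n, n,
                                    SECTION_RVA + funcs_off, SECTION_RVA + names_off, SECTION_RVA + ords_off))
    section += struct.pack(f"<{n}I", *func_rvas) + struct.pack(f"<{n}I", *name_rvas)
    section += struct.pack(f"<{n}H", *range(n)) + strings
    section += b"\0" * (code_off - len(section)) + b"\xC3"   # a lone 'ret' stands in for real code
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew: NT headers at offset 64
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)   # x64, 1 section, DLL
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<III", 16, SECTION_RVA, export_size)
    opt += b"\0" * (240 - len(opt))                           # PE32+ magic, NumberOfRvaAndSizes, DataDirectory[0]
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", len(section), SECTION_RVA, len(section),
                          SECTION_RAW, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + file_hdr + opt + sec_hdr
    return hdr + b"\0" * (SECTION_RAW - len(hdr)) + bytes(section)


def _sections(image: bytes, e_lfanew: int) -> list:
    nsec, = struct.unpack_from("<H", image, e_lfanew + 6)
    base = e_lfanew + 24 + struct.unpack_from("<H", image, e_lfanew + 20)[0]   # skip the optional header
    return [struct.unpack_from("<IIII", image, base + 40 * i + 8) for i in range(nsec)]   # vsize, va, rawsize, rawptr


def rva_to_offset(sections: list, rva: int) -> int:
    for vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} lies in no section")


def _cstr(image: bytes, off: int) -> str:
    return image[off:image.index(b"\0", off)].decode("ascii", "replace")


def list_exports(image: bytes) -> Dict[str, Optional[str]]:
    """Map each named export to its forwarder string, or None if it is local code.
    Per the PE format, an AddressOfFunctions entry that points back inside the
    export directory's own range is a forwarder string, not code."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    magic, = struct.unpack_from("<H", image, e_lfanew + 24)
    dd = e_lfanew + 24 + (112 if magic == 0x20B else 96)     # DataDirectory offset: PE32+ vs PE32
    exp_rva, exp_size = struct.unpack_from("<II", image, dd)
    if exp_rva == 0:
        return {}
    secs = _sections(image, e_lfanew)
    nfunc, nnames, funcs, names, ords = struct.unpack_from("<IIHHIIIIIII", image, rva_to_offset(secs, exp_rva))[6:]
    result: Dict[str, Optional[str]] = {}
    for i in range(nnames):
        name_rva, = struct.unpack_from("<I", image, rva_to_offset(secs, names) + 4 * i)
        ordinal, = struct.unpack_from("<H", image, rva_to_offset(secs, ords) + 2 * i)
        if ordinal >= nfunc:
            continue
        target, = struct.unpack_from("<I", image, rva_to_offset(secs, funcs) + 4 * ordinal)
        forwarded = exp_rva <= target < exp_rva + exp_size
        result[_cstr(image, rva_to_offset(secs, name_rva))] = _cstr(image, rva_to_offset(secs, target)) if forwarded else None
    return result


def proxy_verdict(image: bytes, own_name: str) -> List[str]:
    """Modules this DLL forwards exports to, other than itself. Forwarding is legitimate
    (many Windows DLLs forward to ntdll); the proxy pattern is a DLL in a hijackable
    location forwarding to a look-alike such as lpk_org."""
    own = own_name.lower().split(".dll")[0]
    modules = {fwd.rsplit(".", 1)[0] for fwd in list_exports(image).values() if fwd}   # Module.Function
    return sorted(m for m in modules if m.lower() != own)


SAMPLE = build_sample_dll("lpk.dll", [("LpkDllInitialize", None),                    # constructed proxy
                                      ("LpkInitialize", "lpk_org.LpkInitialize")])

if __name__ == "__main__":
    for name, fwd in list_exports(SAMPLE).items():
        print(f"{name:20} -> {fwd or 'local code'}")
    print("forwards to:", proxy_verdict(SAMPLE, "lpk.dll"))
```

On a real host list_exports can be pointed at the bytes of a suspect file. The judgement stays contextual: forwarding is normal for many Microsoft DLLs, so the signal is a DLL sitting in an application directory or a user-writable path whose forwarders name a near-duplicate of itself.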

 

2. exe-type Trojan (runs directly as an executable)

[Principle]

There is no single principle: any Trojan can be built as an exe, and different exe Trojans work differently and do different things.

 

[Features]

It appears directly as an .exe file. It is usually packed, padded with junk instructions, and otherwise processed to evade anti-virus detection, and dressed up to look harmless. It is often bundled with, or disguised as, normal software. After it runs there is no visible sign unless anti-virus software catches it; if its evasion is poor, behaviour-based proactive defence intercepts it easily. Because it is a stand-alone executable, its ability to hide is limited. exe Trojans are mainly used for account theft or as spyware, and sometimes as downloaders. A common combination is the other way round: a DLL component acts as the downloader and fetches the exe Trojan.

 

[Common running methods]

Hard to generalise. exe is only a packaging form; unlike the DLL type, it does not imply a particular loading mechanism, so it cannot be used to classify Trojans. Commonly the Trojan hooks itself into a frequently used program so that starting the program starts it, or adds itself to a registry autostart key. The most common method of all is simply tricking the user into double-clicking it.

 

[Famous exe Trojans]

Gray Pigeon (Huigezi) remote-control Trojan

World of Warcraft (WoW) account-stealing programs

Winlogon.exe (the name of a legitimate Windows process, borrowed so the Trojan blends into the process list)

Iexplore.exe (likewise, the Internet Explorer process name)

Assumer.exe
