We know that it can be loaded under the Registry HKEY_LOCAL_MACHINE software Microsoft Windows currentversionrun Program To enable the sub-keys such as "run" to run automatically at startup. There are several sub-keys in the registry that start with "run", such as runonce and runservices. In addition to this method, you can also modify the Registry to enable the program to start itself.
Specifically, you can change the file opening method so that the program can start with the file type you open. For example, open the registry and expand the Registry to hkey_classes_rootexefileshell opencommand. The default key value is "% 1" % *. If you change the value of the primary key to trojan.exe "% 1" % *, The trojan.exe file will be executed every time you run the EXE file. Trojan gray pigeons use the open method of the associated EXE file, and the famous Trojan glacier uses a similar move-associate TXT files.
To deal with this hiding method, we often check the registry to see if the file opening method has changed. If a change occurs, change the opening method back. It is best to back up the Registry frequently and use the backup file to restore the Registry immediately after a problem is found, which is convenient, fast, secure, and easy to use.
Exploitation of device names by Trojans
As you know, files or folders cannot be named by device names in windows. These device names mainly include aux, COM1, com2, PRN, con, and NUL, however, a vulnerability in Windows 2000/XP allows you to name a file or folder by device name, so that Trojans can be hidden in it without being detected.
The specific method is: click "Start Menu" to open the "Start Menu", enter "cmd.exe", Press enter to enter the Command Prompt window, and then enter the md c: con command to create a directory named "con. By default, Windows cannot create such directories. This directory can be created only by exploiting the Windows vulnerability. Try entering the md c: aux command to create the aux directory, enter md c: PRN to create the PRN directory, enter the md c: COM1 directory to create the COM1 directory, and enter md c: nul can create a directory named NUL. The hacker loses the response, and many "wrangler" uses this method to hide Trojans in special folders to hide and protect Trojans.
Now, we can copy the file to this special directory. Of course, we cannot copy the file directly in windows. We need to use a special method. In the CMD window, enter copy muma.exe. c: auxcommand, you can copy the trojan file muma.exe to the aux folder under drive C, click "run" in the "Start" menu, and enter C: aux muam.exe in "run" to start the Trojan. You can click the folder name to enter this type of special directory. However, if you try to delete it in the resource manager, you will find that this is in vain and windows will prompt that the file cannot be found.
Since the del C: hosts file is also renamed, it is difficult for us to delete it. The specific method is to copy the trojan file to the aux folder using the command copy muma.exe. C: con.exe, you can copy the trojan file muma.exeto the auxdirectory, and change the name to con.exe, while the con.exe file cannot be deleted using the common method.
The con.exe file cannot be run in the "run" menu of the "Start" menu. Otherwise, you only need to input CMD/C. C: con in the command line mode to run this program. Autorun of Role: Create an Autorun string under the Registry hkey_local _ machinesoftwaremicrosoftcommand processor with the value. BAT file or. CMD file path, such as C: winnt system32 auto. cmd. If a file is created, its content is @. c: con, you can achieve the concealed effect.
For such special folders, we can delete them using the following method: Use Del. c: con.execommand to delete the con.exe file (this file is assumed to be the trojan file name), and then use Rd. c: Use the aux command to delete the aux folder.
Exploitation of Autorun by Trojans
Autorun can be applied not only to optical disks, but also to hard disks (note that autorun. inf must be stored in the root directory of the disk to take effect ). Let's take a look at the content of the autorun. inf file.
Open notepad, create a new file, name it autorun. inf, and type the following content in autorun. inf:
[Autorun]
Icon = C: windowssystemshell32.dll, 21
Open = C: Program filesacdseeacdsee.exe
"[Autorun]" is a required fixed format. A standard Autorun file must start with it to tell the system to execute the following commands; in the second line, "icon = C: windowssystemshell32.dll, 21" sets a personalized icon for the hard disk or CD. "shell32.dll" is a system file containing many windows icons, "21" indicates that the icon numbered 21 is displayed. If no number exists, the first icon in the file is used by default. The third line is "Open = C: program filesacdseeacdsee.exe "indicates the path of the program to be run and its file name.
If you replace the Open line with a Trojan file and set the autorun. inf file as a hidden property, the trojan will be started when you click the hard disk.
To prevent such "ambush", you can disable the hard disk Autorun function. Enter Regedit in "run" in the "Start" menu, open the Registry Editor, expand to the HKEY_CURRENT_USER software Microsoft Windows CurrentVersion policies exploer primary key, and find "NoDriveTypeAutoRun" in the right window ", it determines whether to execute the autorun function of the CDROM or hard disk. Change its key value to 9d, 00 to disable the autorun function of the hard disk. If it is changed to B5, 00, 00, the autorun function of the CD is disabled. After modification, restart the computer and the settings will take effect.