How Trojan horses take advantage of file associations and device names

Source: Internet
Author: User

We know that a program listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is loaded automatically at boot. There are several subkeys of this kind in the registry whose names start with "Run", such as RunOnce and RunServices. Besides this method, there is another way to modify the registry so that a program starts by itself.

Specifically, you can change how a file type is opened so that the program starts whenever a file of that type is opened. For example, open the registry and expand it to HKEY_CLASSES_ROOT\exefile\shell\open\command. This key defines how .exe files are opened; its default value is "%1" %*. If the default value is changed to Trojan.exe "%1" %*, then Trojan.exe is executed every time an .exe file is run. The Gray Pigeon Trojan uses the EXE file association in exactly this way, and the famous Glacier Trojan plays a similar trick with the TXT file association.

The main defence against this kind of hiding is to check the file-association keys in the registry regularly; if an open command has changed, restore it. It is also best to back up the registry regularly, so that when a problem is found it can be restored immediately from the backup file, which is convenient, fast and safe.
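A regedit export of the association keys can be checked offline against known-good open commands. The following Python is an added example, not code from the article: it parses the .reg text, unescapes the default values and flags any monitored key whose command differs from its baseline (the exefile baseline is the value quoted above; the txtfile baseline is assumed to be the Windows XP Notepad association). The sample export is constructed.

```python
import re

# Known-good default values of the shell\open\command keys discussed above.
# The exefile value is the one quoted in the article; the txtfile baseline is
# an assumption (the Windows XP Notepad association).
EXPECTED_COMMANDS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": r'"%1" %*',
    r"HKEY_CLASSES_ROOT\txtfile\shell\open\command": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
}

def unescape_reg_string(raw: str) -> str:
    # Undo .reg string escaping: backslash-quote -> quote, double backslash -> backslash
    return re.sub(r'\\(["\\])', r"\1", raw)

def parse_reg_defaults(reg_text: str) -> dict:
    """Map each [key] section of a regedit export to its default value, taken
    from the @="..." line. Key paths are lower-cased because the registry is
    case-insensitive."""
    defaults = {}
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
        elif current_key and line.startswith('@="') and line.endswith('"'):
            defaults[current_key] = unescape_reg_string(line[3:-1])
    return defaults

def normalise(cmd: str) -> str:
    """Collapse whitespace and case so harmless regedit differences do not alert."""
    return " ".join(cmd.split()).lower()

def find_hijacked_associations(reg_text: str) -> dict:
    """Return {key: actual command} for every monitored key present in the
    export whose open command differs from the baseline."""
    defaults = parse_reg_defaults(reg_text)
    hijacked = {}
    for key, expected in EXPECTED_COMMANDS.items():
        actual = defaults.get(key.lower())
        if actual is not None and normalise(actual) != normalise(expected):
            hijacked[key] = actual
    return hijacked

# Constructed export (not from a real machine): exefile changed as the
# article describes, txtfile left at its default.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="Trojan.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''
```

Feed it the text of a `reg export HKCR\exefile` file (decoded from UTF-16) to compare a live machine against the baseline.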

How Trojans use device names

As you know, under Windows you cannot give a file or folder a device name such as AUX, COM1, COM2, PRN, CON or NUL, but Windows 2000/XP has a vulnerability that allows a file or folder to be named after a device, so a Trojan can hide there without being found.

To do this: click "Run" on the "Start" menu, type cmd.exe to open the command prompt window, and then enter the command MD c:\con\ to create a directory called con. By default Windows cannot create such a directory; it is the Windows vulnerability that makes it possible. In the same way, MD c:\aux\ creates an Aux directory, MD c:\prn\ creates a PRN directory, MD c:\com1\ creates a Com1 directory, and MD c:\nul\ creates a directory named NUL. Now try it in Explorer: when you attempt to open a folder named Aux or com1, Explorer.exe stops responding, and many attackers use this method to hide a Trojan in such a special folder, so as to conceal and protect the Trojan program.

Now we can copy files into this special directory. Of course they cannot be copied directly in Windows; a special method is needed: in the cmd window enter the command copy muma.exe \\.\c:\aux\, which copies the Trojan file Muma.exe into the Aux folder on drive C. Then click "Run" on the "Start" menu, enter C:\aux\muma.exe in "Run", and the Trojan starts successfully. We can enter this special directory by clicking on the folder name, but if you try to delete it in Explorer you will find it futile: Windows reports that the file cannot be found.

Since the command del c:\aux\ can still delete the Muma.exe file, the Trojan renames the Muma.exe file to achieve a better hiding and protection effect, making it hard for us to delete. The specific method is to use the command copy Muma.exe \\.\c:\con.exe when copying the Trojan file into the Aux folder; this copies muma.exe into the Aux directory renamed as Con.exe, and a Con.exe file cannot be deleted by ordinary methods.

Some friends might think that this Con.exe file cannot be run from the Start menu. In fact, the program can be run by entering CMD /C \\.\c:\con in command-line mode. At run time a CMD window flashes briefly, so Trojans generally improve on this, and there are many methods: one can use a boot script, or the AutoRun value of Cmd.exe. Under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor, create a string value named AutoRun whose data is the path of the .bat or .cmd file to run, such as C:\Winnt\system32\auto.cmd; if that file is created with the content @\\.\c:\con, the hidden effect is achieved.

To remove this kind of special folder, use the following method: first use the command del \\.\c:\con.exe to delete the Con.exe file (assuming this is the Trojan's file name), and then use the command RD \\.\c:\aux to delete the Aux folder.
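The removal commands above only help once such entries have been found. As an added audit example (not part of the article), this Python scans a dir /b /s listing for any path component whose base name is a reserved device name, applying Windows' rule that the part before the first dot decides, so con.exe is caught while console.log and COM10.txt are not; the listing is constructed.

```python
from pathlib import PureWindowsPath

# Device names Windows reserves (case-insensitive, with or without an
# extension): the ones the article lists plus the COM1-COM9/LPT1-LPT9 ports.
# COM0, LPT0 and COM10 are ordinary names.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

def is_reserved_name(name: str) -> bool:
    """Windows treats 'con', 'CON.exe' and 'aux.tar.gz' alike: the part before
    the first dot decides, and trailing spaces are ignored."""
    base = name.split(".", 1)[0].rstrip().upper()
    return base in RESERVED_DEVICE_NAMES

def find_device_name_entries(dir_listing: str) -> list:
    """Scan the output of 'dir /b /s' (one full path per line) and return the
    paths having any component whose base name is a reserved device name.
    A clean file system yields an empty list, because the normal Windows
    APIs refuse to create such names."""
    flagged = []
    for line in dir_listing.splitlines():
        path = line.strip()
        if not path:
            continue
        # The drive component ('c:\') never matches, so every part is checked.
        if any(is_reserved_name(part) for part in PureWindowsPath(path).parts):
            flagged.append(path)
    return flagged

# Constructed sample listing (not from a real machine): two planted entries
# among ordinary files whose names merely resemble device names.
SAMPLE_DIR_LISTING = r"""
c:\aux
c:\aux\con.exe
c:\Program Files\ACDSee\ACDSee.exe
c:\temp\console.log
c:\temp\COM10.txt
c:\temp\report.con
"""
```

Run it over a saved `dir c:\ /b /s > listing.txt` to locate entries that Explorer cannot open or delete.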

All right, this is the end of the article. Because my level is limited, criticism is welcome if there are incorrect or questionable places in the article. In addition, while writing it I consulted posts by online masters and benefited from them; I thank them here together!

AutoRun, however, applies not only to CDs but also to hard disks (note that Autorun.inf must be stored in the root directory of the disk to function). Let's take a look at the contents of the Autorun.inf file.

Open Notepad, create a new file, name it Autorun.inf, and type the following in Autorun.inf:

[AutoRun]
icon=c:\windows\system\shell32.dll,21
Open=c:\program Files\ACDSee\ACDSee.exe

Here "[AutoRun]" is a required fixed header: a standard AutoRun file must begin with it to tell the system to execute the commands on the following lines. The second line, "icon=c:\windows\system\shell32.dll,21", sets a personalized icon for the hard disk or disc: Shell32.dll is a system file containing many Windows icons, "21" selects icon number 21, and if no number is given the first icon in the file is used. The third line, "Open=c:\program Files\ACDSee\ACDSee.exe", gives the path and file name of the program to run.

If the Open line is changed to point to a Trojan file and the Autorun.inf file is given the hidden attribute, the Trojan starts as soon as we click on the hard drive.

To prevent this kind of "ambush", the AutoRun function of the hard disk can be disabled. In the Start menu choose Run, enter regedit to open Registry Editor, and expand to the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. In the right-hand window find "NoDriveTypeAutoRun", which determines whether the AutoRun feature is performed for CD-ROMs or hard disks. Changing its value to 9d,00,00,00 turns off AutoRun for hard drives, and changing it to b5,00,00,00 disables AutoRun for discs. The setting takes effect when the computer is restarted after the change.
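As an added example (not from the article), this Python extracts the launch targets from an Autorun.inf and decodes a NoDriveTypeAutoRun value into the drive types it disables. It uses the documented bit layout of that value (one bit per GetDriveType() result), which generalizes the 9d and b5 settings above; the Autorun.inf sample is constructed.

```python
import configparser

# NoDriveTypeAutoRun is a bit mask indexed by GetDriveType(): a set bit
# disables AutoRun for that drive type. The article's 9d and b5 are the
# Windows XP default 0x95 with the fixed-disk (0x08) or CD-ROM (0x20) bit added.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no_root_dir", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "unspecified",
}

def decode_no_drive_type_autorun(regedit_data: str) -> set:
    """Accept the value as regedit shows it ('9d,00,00,00', little-endian
    bytes) or as a hex DWORD ('0x9d') and return the drive types for which
    AutoRun is disabled."""
    s = regedit_data.strip().lower()
    if "," in s:
        value = int.from_bytes(bytes.fromhex(s.replace(",", "")), "little")
    else:
        value = int(s, 16)
    return {name for bit, name in DRIVE_TYPE_BITS.items() if value & bit}

def autorun_inf_launch_targets(inf_text: str) -> list:
    """Return the programs an Autorun.inf would launch: the open= and
    shellexecute= entries of [AutoRun]. Windows reads .inf files
    case-insensitively, so the section name is matched ignoring case and
    configparser already folds option names to lower case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key in ("open", "shellexecute"):
            if cp.has_option(section, key):
                targets.append(cp.get(section, key).strip())
    return targets

# Constructed Autorun.inf in the article's layout, with the Open line changed
# to a hypothetical file as the article describes (path is made up).
SAMPLE_AUTORUN_INF = r"""[AutoRun]
icon=c:\windows\system\shell32.dll,21
Open=c:\temp\muma.exe
"""
```

Any target returned for a hard disk root that is not an installer you recognise deserves a look, and a decoded set lacking "fixed" means hard-disk AutoRun is still on.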
