How to Prevent ASP trojans from running on servers

If your server is suffering from ASP Trojans, I hope this article will help you solve your problems.

Currently, the popular ASP Trojan mainly uses three technologies to perform server-related operations.

1. Use the FileSystemObject component

FileSystemObject can perform regular operations on files

You can modify the registry and rename this component to prevent the dangers of such Trojans.

HKEY_CLASSES_ROOTScripting.FileSystemObject
Change the name to another name, for example, FileSystemObject_ChangeName.

You can call this component normally when you call it later.

Also change the clsid value.
HKEY_CLASSES_ROOTScripting.FileSystemObjectCLSID project value

You can also delete the Trojan to prevent its harm.

Run RegSrv32/u C: WINNTSYSTEMscrrun. dll to unregister this component.

Disable the use of scrrun. dll by Guest users to prevent calling this component.
Run cacls C: WINNTsystem32scrrun. dll/e/d guests

Ii. Use the WScript. Shell component

WScript. Shell can call the system kernel to run basic dos Commands

You can modify the registry and rename this component to prevent the dangers of such Trojans.

HKEY_CLASSES_ROOTWScript.Shell
And
HKEY_CLASSES_ROOTWScript.Shell.1
Change the name to another name, for example, WScript. Shell_ChangeName or WScript. Shell.1 _ ChangeName.

You can call this component normally when you call it later.

Also change the clsid value.
Value of the HKEY_CLASSES_ROOTWScript.ShellCLSID Project
Value of the HKEY_CLASSES_ROOTWScript.Shell.1CLSID Project

You can also delete the Trojan to prevent its harm.

3. Use the Shell. Application Component

Shell. Application can call the system kernel to run basic dos commands.

You can modify the registry and rename this component to prevent the dangers of such Trojans.

HKEY_CLASSES_ROOTShell.Application
And
HKEY_CLASSES_ROOTShell.Application.1
Change the name to another name, for example, Shell. Application_ChangeName or Shell. Application.1 _ ChangeName.

You can call this component normally when you call it later.

Also change the clsid value.
Value of the HKEY_CLASSES_ROOTShell.ApplicationCLSID Project
Value of the HKEY_CLASSES_ROOTShell.ApplicationCLSID Project

You can also delete the Trojan to prevent its harm.

Disable Guest users from using shell32.dll to prevent calling this component.
Run cacls C: WINNTsystem32shell32. dll/e/d guests.

Note: All operations take effect only after the WEB Service is restarted.

Use cmd.exe

Disable the use of cmd.exe for guests

Cacls C: winntsystem322.16.exe/e/d guests

The above four steps can be used to prevent several popular Trojans, but the most effective method is to achieve the server and program security standards through comprehensive security settings, to prevent more illegal intrusions.