If your server is suffering from ASP Trojans (ASP web shells), I hope this article helps you solve the problem.
Currently, the popular ASP Trojans rely mainly on three components to carry out their operations on the server.
1. The FileSystemObject component
FileSystemObject provides ordinary file operations; this is how an ASP Trojan reads, writes and manages files on the server.
You can rename this component in the registry to take that capability away from such Trojans. Under
HKEY_CLASSES_ROOT\Scripting.FileSystemObject
rename the key to another name, for example Scripting.FileSystemObject_ChangeName.
Your own code can then keep calling the component normally under its new name.
Also change the CLSID value, i.e. the default value of the key
HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID
You can also remove the component altogether to prevent such Trojans from using it:
run regsvr32 /u C:\WINNT\SYSTEM\scrrun.dll to unregister it (on a standard installation the DLL lives in C:\WINNT\system32, the path the cacls command below uses).
Deny Guest users access to scrrun.dll so that they cannot load this component:
run cacls C:\WINNT\system32\scrrun.dll /e /d guests (/e edits the existing ACL instead of replacing it, /d denies access to the named group).
2. The WScript.Shell component
WScript.Shell can call into the system to run basic DOS commands.
You can rename this component in the registry to take that capability away from such Trojans. Under
HKEY_CLASSES_ROOT\WScript.Shell
and
HKEY_CLASSES_ROOT\WScript.Shell.1
rename the keys to other names, for example WScript.Shell_ChangeName and WScript.Shell.1_ChangeName.
Your own code can then keep calling the component normally under its new name.
Also change the CLSID values, i.e. the default values of the keys
HKEY_CLASSES_ROOT\WScript.Shell\CLSID
HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID
You can also remove the component altogether to prevent such Trojans from using it.
3. The Shell.Application component
Shell.Application can likewise call into the system to run basic DOS commands.
You can rename this component in the registry to take that capability away from such Trojans. Under
HKEY_CLASSES_ROOT\Shell.Application
and
HKEY_CLASSES_ROOT\Shell.Application.1
rename the keys to other names, for example Shell.Application_ChangeName and Shell.Application.1_ChangeName.
Your own code can then keep calling the component normally under its new name.
Also change the CLSID values, i.e. the default values of the keys
HKEY_CLASSES_ROOT\Shell.Application\CLSID
HKEY_CLASSES_ROOT\Shell.Application.1\CLSID
You can also remove the component altogether to prevent such Trojans from using it.
Deny Guest users access to shell32.dll so that they cannot load this component:
run cacls C:\WINNT\system32\shell32.dll /e /d guests
Note: all of these changes take effect only after the web service has been restarted.
4. cmd.exe
Deny Guest users access to cmd.exe:
run cacls C:\winnt\system32\cmd.exe /e /d guests
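The four steps above as a single script, added here as an example and not part of the original article: it renames the ProgID keys, applies the Guests deny ACL to the files the article names, checks that each component is still reachable under its new name but no longer under the old one, and restarts the web service as the note requires. It assumes PowerShell 5.1 or later on a host with IIS installed (for iisreset), uses $env:SystemRoot instead of the article's hard-coded C:\WINNT, and the function names Rename-ProgId, Deny-GuestsAccess and Test-ProgIdBlocked are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Applies the article's steps with
# PowerShell instead of regedit/cacls. Assumed: PowerShell 5.1 or later, IIS present
# (for iisreset), $env:SystemRoot in place of the article's hard-coded C:\WINNT.
# The "_ChangeName" suffix and the DLL/file names come from the article.

# HKCR is not a PowerShell drive by default; map it once.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

$Suffix = '_ChangeName'

# The components the article names, with the file the article protects for each.
# (The article gives no DLL for WScript.Shell, so no file ACL is applied for it here.)
$Components = @(
    @{ ProgIds = @('Scripting.FileSystemObject');              File = "$env:SystemRoot\system32\scrrun.dll" },
    @{ ProgIds = @('WScript.Shell', 'WScript.Shell.1');         File = $null },
    @{ ProgIds = @('Shell.Application', 'Shell.Application.1'); File = "$env:SystemRoot\system32\shell32.dll" }
)

function Rename-ProgId {
    # Step "rename the key": CreateObject("<ProgId>") resolves through HKCR\<ProgId>\CLSID,
    # so moving the key breaks the name a web shell hard-codes, while the CLSID subkey
    # travels with the key and the new name keeps working for your own code.
    param([string]$ProgId, [string]$Suffix)
    $key = "HKCR:\$ProgId"
    if (-not (Test-Path $key)) { Write-Warning "$ProgId is not registered, skipping"; return }
    $clsid = (Get-ItemProperty -Path "$key\CLSID" -ErrorAction SilentlyContinue).'(default)'
    Rename-Item -Path $key -NewName "$ProgId$Suffix"
    Write-Host ("renamed {0} -> {1} (CLSID {2})" -f $ProgId, "$ProgId$Suffix", $clsid)
}

function Deny-GuestsAccess {
    # Equivalent of the article's "cacls <file> /e /d guests": add a Deny ACE for Guests.
    # On Windows Vista and later the system32 files are owned by TrustedInstaller, so
    # Set-Acl fails until an administrator takes ownership first (takeown.exe /f <file>).
    param([string]$Path)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Guests', 'FullControl', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    Write-Host "denied Guests on $Path"
}

function Test-ProgIdBlocked {
    # A web shell instantiates the component by ProgID; after the rename this must fail.
    param([string]$ProgId)
    try { $null = New-Object -ComObject $ProgId -ErrorAction Stop; return $false }
    catch { return $true }
}

foreach ($c in $Components) {
    foreach ($p in $c.ProgIds) { Rename-ProgId -ProgId $p -Suffix $Suffix }
    if ($c.File) { Deny-GuestsAccess -Path $c.File }
}

# Step 4 of the article: cmd.exe itself.
Deny-GuestsAccess -Path "$env:SystemRoot\system32\cmd.exe"

# The article's alternative for FileSystemObject, "regsvr32 /u scrrun.dll", removes the
# component for every caller, including your own ASP code; left commented out for that reason.
# & "$env:SystemRoot\system32\regsvr32.exe" /u /s "$env:SystemRoot\system32\scrrun.dll"

# Check the result: the old name must be blocked, the renamed one still reachable.
foreach ($c in $Components) {
    foreach ($p in $c.ProgIds) {
        [pscustomobject]@{
            ProgId           = $p
            OldNameBlocked   = Test-ProgIdBlocked -ProgId $p
            NewNameReachable = -not (Test-ProgIdBlocked -ProgId "$p$Suffix")
        }
    }
}

# As the article notes, IIS only picks up the change after the web service restarts.
iisreset
```

Two points to keep in mind when running it. The article's extra step of changing the CLSID default value is not automated here: once the key is renamed, that value must still name a registered class, otherwise the renamed ProgID stops working for your own code as well. And the article targets the Guests group because the anonymous IIS account (IUSR_machinename) is a member of Guests by default on the Windows 2000 / IIS 5 systems it describes, so after applying the ACLs, browse your legitimate pages to confirm nothing they need was denied along with the Trojan.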
These four steps block several popular Trojans, but the most effective approach is comprehensive security configuration that brings the server and its applications up to a proper security baseline, which prevents a much wider range of intrusions.