How Trojans use file associations and device names _ Vulnerability Research
Source: Internet
Author: User
Trojan use of file associations
We know that programs placed under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run are loaded automatically at startup, and that the registry has several more keys whose names begin with "Run", such as RunOnce and RunServices. Besides this method, there is another registry modification that lets a program start itself.
Specifically, the way a file type is opened can be changed so that the program starts whenever a file of that type is opened. For example, open the registry and expand HKEY_CLASSES_ROOT\exefile\shell\open\command; this key defines how .exe files are opened, and its default value is "%1" %*. If the default value is changed to Trojan.exe "%1" %*, then Trojan.exe is executed every time any .exe file is run. The Gray Pigeon Trojan hijacks the EXE file association in exactly this way, and the well-known Glacier Trojan used a similar trick with the TXT file association.
The main way to deal with this kind of hiding is to check the file-open commands in the registry regularly; if one has changed, change it back. It is also best to back up the registry regularly, so that when a problem is found the registry can be restored immediately from the backup file, which is convenient, fast and safe.
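One way to do the check described above offline is to export the key with regedit and compare the default value against the clean "%1" %*. The following is an added example, not code from the original page; the .reg text is a constructed sample and Trojan.exe is the hypothetical name the page uses:

```python
import re

# The clean default handler for .exe files: run the file, passing its arguments.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample of a regedit export of HKCR\exefile\shell\open\command,
# with the hijacked default value described above (hypothetical Trojan.exe).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="Trojan.exe \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
'''

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg
    export; '@' is the default value. Other value types are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # undo regedit's escaping of quotes and backslashes in REG_SZ data
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
                keys[current][name] = data
    return keys

def check_exefile_association(keys):
    """Return (key_path, default_value) for every exefile open command whose
    default value differs from the clean handler; an empty list means clean."""
    findings = []
    for key_path, values in keys.items():
        if not re.search(r"\\exefile\\shell\\open\\command$", key_path, re.I):
            continue
        default = values.get("@", "")
        if default.strip().lower() != EXPECTED_EXEFILE_COMMAND.lower():
            findings.append((key_path, default))
    return findings

if __name__ == "__main__":
    for key_path, default in check_exefile_association(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("modified exe association:", key_path, "->", default)
```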
Trojan use of device names
As you know, Windows does not allow files or folders to be named after devices such as AUX, COM1, COM2, PRN, CON and NUL, but Windows 2000/XP has a flaw that makes it possible to create a file or folder with a device name, so that a Trojan can hide there without being found.
To do so: click "Run" on the "Start" menu, type cmd.exe to open a Command Prompt window, and enter the command md c:\con\ to create a directory named con. Normally Windows cannot create such a directory; it is the Windows flaw that makes it possible. Entering md c:\aux\ likewise creates an Aux directory, md c:\prn\ creates a PRN directory, md c:\com1\ creates a COM1 directory, and md c:\nul\ creates a directory named NUL. In Explorer, when you try to open a folder named Aux or COM1, Explorer.exe stops responding, and many attackers use this to hide a Trojan in such a special folder, which both hides and protects the Trojan program.
Now files can be copied into this special directory. This cannot be done directly in Windows; a special method is needed: in the cmd window, enter copy muma.exe \\.\c:\aux\ to copy the Trojan file muma.exe into the Aux folder on drive C, then click "Run" on the "Start" menu and enter C:\aux\muma.exe, and the Trojan starts successfully. We can enter this special directory by clicking the folder name, but trying to delete it in Explorer is futile: Windows reports that the file cannot be found.
Since the command del c:\aux\ can delete the muma.exe file, the Trojan renames muma.exe to achieve a better hiding and protection effect, making it hard for us to delete. Specifically, when copying the Trojan file into the Aux folder the command copy muma.exe \\.\c:\con.exe is used, which copies muma.exe into the Aux directory renamed as con.exe, and a con.exe file cannot be deleted by ordinary methods.
Some may think that this con.exe file cannot be run from the Start menu. In fact, the program can be run by entering cmd /c \\.\c:\con in command-line mode. At run time a cmd window flashes briefly; Trojans are generally improved to avoid this, and there are many methods: a boot script can be used, or the AutoRun feature of cmd.exe. In the registry, under HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, create a string value named AutoRun whose data is the path of the .bat or .cmd file to run, such as C:\winnt\system32\auto.cmd; if that file is created with the content @\\.\c:\con, the hidden effect is achieved.
Such special folders can be removed as follows: first use del \\.\c:\con.exe to delete the con.exe file (assumed here to be the Trojan's file name), then use rd \\.\c:\aux to delete the Aux folder.
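To find such folders on a disk rather than stumbling on them, a listing can be scanned for path components that are reserved device names, and each hit rewritten with the \\.\ prefix that the del and rd commands above need. This is an added example, not code from the original page; the directory listing is constructed, and the COM1-9 and LPT1-9 ranges extend the page's list of names:

```python
import re

# Reserved DOS device names that Windows refuses as ordinary file or folder
# names: the page lists AUX, COM1, COM2, PRN, CON and NUL; COM1-9 and LPT1-9
# are the full serial and parallel port ranges.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Constructed directory listing standing in for a recursive 'dir' of drive C;
# the two reserved-name entries are the ones a scan should surface.
SAMPLE_LISTING = [
    r"C:\Windows\system32\cmd.exe",
    r"C:\aux\con.exe",
    r"C:\Program Files\ACDSee\ACDSee.exe",
    r"C:\data\console.log",
    r"C:\com1",
]

def is_reserved_device_name(component):
    """True if a single path component is a device name, ignoring case, any
    extension and trailing dots/spaces (so con, CON.exe, aux. and nul.txt hit)."""
    base = component.rstrip(". ").split(".")[0].rstrip(" ")
    return base.upper() in RESERVED_DEVICE_NAMES

def find_reserved_entries(paths):
    """Return the paths that contain a reserved device name in any component
    other than the drive letter."""
    hits = []
    for path in paths:
        parts = [p for p in re.split(r"[\\/]", path) if p]
        components = [p for p in parts if not re.fullmatch(r"[A-Za-z]:", p)]
        if any(is_reserved_device_name(p) for p in components):
            hits.append(path)
    return hits

def device_namespace_path(path):
    r"""Prefix a path with \\.\ so that del and rd bypass the reserved-name
    parsing, which is how the cleanup above removes con.exe and the Aux folder."""
    return "\\\\.\\" + path.lstrip("\\")

if __name__ == "__main__":
    for hit in find_reserved_entries(SAMPLE_LISTING):
        print("reserved-name entry:", hit, "-> remove via", device_namespace_path(hit))
```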
Trojan use of Autorun
AutoRun applies not only to CDs but also to hard disks (note that Autorun.inf must be placed in the root directory of the drive to take effect). Let's look at the contents of an Autorun.inf file.
Open Notepad, create a new file, name it Autorun.inf, and type the following into it:
[AutoRun]
icon=c:\windows\system\shell32.dll,21
Open=c:\program Files\ACDSee\ACDSee.exe
Here "[AutoRun]" is a required fixed header: a standard AutoRun file must begin with it so that the system executes the commands on the following lines. The second line, icon=c:\windows\system\shell32.dll,21, sets a custom icon for the hard disk or disc: shell32.dll is a system file containing many Windows icons, and "21" selects icon number 21 (with no number, the first icon in the file is used). The third line, Open=c:\program Files\ACDSee\ACDSee.exe, gives the path and file name of the program to run.
If the Open line is changed to a Trojan file and Autorun.inf is given the hidden attribute, the Trojan starts when the hard drive is clicked.
To prevent this kind of "ambush", the hard disk's Autorun function can be disabled. Enter regedit in Run on the Start menu to open Registry Editor and expand HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. In the right-hand pane find "NoDriveTypeAutoRun", which determines whether the Autorun feature is performed for CD-ROM or hard disk drives. Changing its value to 9d,00,00,00 turns off Autorun for hard drives, and changing it to b5,00,00,00 disables Autorun for discs. The setting takes effect after the computer is restarted.
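The two values above are bitmasks: each set bit in NoDriveTypeAutoRun disables Autorun for one drive type, numbered after the Windows drive-type constants, which is why 9d adds the hard-disk bit and b5 adds the CD-ROM bit. The following added example (not code from the original page) decodes such a value and also parses an Autorun.inf to show which open= target a drive would launch; the Autorun.inf text is constructed and its Trojan path is hypothetical:

```python
# Bits of the REG_BINARY value NoDriveTypeAutoRun under
# HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
# A set bit disables Autorun for that drive type; the bit numbers follow the
# Windows drive-type constants (DRIVE_REMOVABLE = 4, DRIVE_FIXED = 8, ...).
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable",
    0x08: "fixed (hard disk)",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown type",
}

# Constructed Autorun.inf in the form shown above, with a hypothetical Trojan
# path on the open= line instead of ACDSee.
SAMPLE_AUTORUN_INF = r"""[AutoRun]
icon=c:\windows\system\shell32.dll,21
open=c:\aux\con.exe
"""

def reg_binary_to_int(data):
    """Convert a value shown by regedit as 'hh,hh,hh,hh' (little-endian) to an int."""
    return int.from_bytes(bytes(int(b, 16) for b in data.split(",")), "little")

def disabled_drive_types(value):
    """Return the names of the drive types whose Autorun the value disables."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if value & bit]

def parse_autorun_inf(text):
    """Return the key=value pairs of the [AutoRun] section with lower-cased keys,
    so the open= target can be compared with what is expected on the drive."""
    section, result = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            key, _, val = line.partition("=")
            result[key.strip().lower()] = val.strip()
    return result

if __name__ == "__main__":
    for shown in ("9d,00,00,00", "b5,00,00,00"):
        print(shown, "disables Autorun for:", disabled_drive_types(reg_binary_to_int(shown)))
    print("open= target:", parse_autorun_inf(SAMPLE_AUTORUN_INF).get("open"))
```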