A Trojan starts together with Windows, and from that moment it has a certain amount of control over the machine. It can be launched in several ways: through the registry, through system.ini or win.ini, or through some specific program, and that last kind is hard to guard against. In fact, as long as a Trojan can be kept from starting at all, it is useless. Here we briefly go over the ways a Trojan gets itself started.
1. Using the "Start/Programs/Startup" group
Concealment:★★
Application level: relatively low
This is a very common method and many normal programs use it; QQ, for instance, relies on it to start itself, but Trojans seldom do. Anything placed in the Startup group is listed by the System Configuration Utility (msconfig.exe, hereinafter msconfig), and merely appearing in the "Programs/Startup" folder of the Start menu is enough to catch even a beginner's eye. So I doubt any Trojan starts this way.
2. Using the win.ini file
Concealment:★★★
Application level: relatively low
Application case: Asylum
Like the Startup group, this method has been available since Windows 3.2, from Win16 through Win32. Under Windows 3.2, win.ini played the role the Registry plays in Windows 9x. The load= and run= entries in its [windows] section are executed when Windows starts, and both entries also show up in msconfig. Moreover, on Windows 98 these two entries are already used by ordinary Windows programs, which makes them ill suited to a Trojan.
3. Starting through the Registry
1. Using HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run,
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Concealment:★★★☆
Application level: extremely high
Application cases: bo2000, GOP, NetSpy, iethief, glacier...
This is the method used by many Windows programs and is also the most common one among Trojans. It is very convenient, but also easy to spot: it is so widely used that the mere mention of a Trojan makes people think of these registry keys. Trojans generally pick the last of the three. Since the entries can easily be deleted from within Windows with msconfig or the Registry Editor (regedit.exe, hereinafter regedit), the method is not very reliable on its own. A Trojan can, however, add a timer that checks in real time whether its startup value still exists in the registry and, the moment the value is deleted, writes it back, so that the Trojan runs again at the next Windows start. The Trojan process and its startup value then protect each other: as long as the Trojan process is not terminated, the value cannot be removed (delete it by hand and the Trojan adds it back), and as long as the value is not removed, the Trojan starts with the next boot. What to do? Breaking this is actually not hard, and it needs no tool or extra software.
Solution: start Windows in safe mode. In safe mode Windows does not process these registry entries, so the Trojan is not started and the mutual protection is broken. You can then delete the registry value and the corresponding Trojan file.
2. Using HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Concealment:★★★★
Application level: relatively low
Application case: Happy99
This method does not seem to be used by many, but it is better hidden than the previous one: its contents never appear in msconfig. Entries under these keys are run at startup just like the previous ones, but once Windows has started they are cleared, which makes them hard to find. Then again, they run only once, so how can a Trojan stay effective?
Simple enough. If the key allows only one start, the Trojan just adds itself again once it has started successfully; in Delphi that is three to five lines of code. These entries do not appear in msconfig, but they can still be deleted directly in regedit, and the Trojan then stops working.
The other approach is to add the entry when Windows exits rather than when it starts. This requires the Trojan to intercept Windows messages: when the shutdown message arrives, it holds up the shutdown, adds the registry entry, and only then lets Windows go on closing. That way regedit never finds a trace of it. The drawback is that if Windows is terminated abnormally (which happens often enough on Windows 9x), the Trojan is lost.
Safe mode breaks these as well.
In addition, the three keys are not quite the same. Trojans normally choose the first, because entries under the second run before Windows has finished starting, and Windows continues starting only after the program has completed.
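An added example, not from the original article, that turns the two checks above (the win.ini load= and run= entries of section 2 and the six registry keys of section 3) into a small offline audit. It is written in Python and works on a regedit export and a win.ini rather than on the live registry, so it runs anywhere; the sample export and win.ini embedded in it are constructed for illustration (the program names in them are placeholders, not real Trojans), and the AUTOSTART_KEYS table and the function names are this example's own. It lists every program that would run at the next Windows start and marks the RunOnce/RunServicesOnce entries that msconfig does not show.

```python
"""Offline audit of the Windows 9x autostart locations discussed on this page.

Example code, not from the original article: it parses a regedit export (.reg)
and a win.ini and lists every program that runs at the next Windows start,
noting which entries msconfig would not show.
"""
import re
from typing import Dict, List, Tuple

# Registry keys covered in the text, mapped to whether msconfig lists them.
# RunOnce / RunServicesOnce are cleared after they execute and never appear
# in msconfig, which is why the article rates them as better hidden.
AUTOSTART_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": True,
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": True,
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices": True,
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce": False,
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce": False,
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce": False,
}
_KEY_VISIBLE = {k.lower(): v for k, v in AUTOSTART_KEYS.items()}

# A .reg value line: "name"=data  or  @=data  (default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(data: str) -> str:
    # .reg exports escape backslash and quote with a leading backslash; strip it.
    return re.sub(r'\\(.)', r'\1', data)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4 / Registry Editor 5.00 export into {key: {name: data}}.

    Only string (REG_SZ) data is decoded; dword:/hex: data is kept verbatim.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "@"
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def parse_win_ini(text: str) -> List[Tuple[str, str]]:
    """Return the programs named by load= and run= in the [windows] section."""
    found: List[Tuple[str, str]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name, value = name.strip().lower(), value.strip()
        if name in ("load", "run") and value:
            # Several programs may be listed, separated by whitespace (short names).
            found.extend((name, prog) for prog in value.split())
    return found


def audit_autostart(reg_text: str, ini_text: str) -> List[Dict[str, object]]:
    """Everything that starts with Windows, with the msconfig-invisible ones flagged."""
    findings: List[Dict[str, object]] = []
    for key, values in parse_reg_export(reg_text).items():
        visible = _KEY_VISIBLE.get(key.lower())
        if visible is None:
            continue  # not one of the autostart keys
        for name, command in values.items():
            findings.append({"location": key, "name": name, "command": command,
                             "shown_by_msconfig": visible})
    for entry, program in parse_win_ini(ini_text):
        findings.append({"location": "win.ini [windows] " + entry + "=", "name": entry,
                         "command": program, "shown_by_msconfig": True})
    return findings


def hidden_entries(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Entries msconfig would not list (RunOnce / RunServicesOnce)."""
    return [f for f in findings if not f["shown_by_msconfig"]]


# Constructed sample data, not taken from any real machine; the program
# names are placeholders. On a Win9x box the export comes from `regedit /e`.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"sample"="C:\\WINDOWS\\SYSTEM\\sample_svc.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall]
"DisplayName"="not an autostart key"
'''

SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\sample_svc.exe
device=,,,

[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    for f in audit_autostart(SAMPLE_REG, SAMPLE_WIN_INI):
        flag = "" if f["shown_by_msconfig"] else "  <-- not listed by msconfig"
        print(f"{f['location']}  {f['name']} = {f['command']}{flag}")
```

On a Windows 9x machine the export comes from `regedit /e export.reg`, and it is best taken after booting into safe mode: with the timer trick described above, a value deleted while the Trojan is running is simply written back. A non-empty RunOnce or RunServicesOnce key on a running system is itself the finding, since Windows cleared those keys at boot and anything in them now was put there afterwards.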
...