A Trojan horse has to be started together with the computer (that is, with Windows) before it can exert any degree of control, and it has many ways to arrange that: through the registry, through System.ini, through certain specific programs, and so on, which makes it hard to guard against everything. In fact, as long as we can stop it from starting, the Trojan is useless. Below is a simple walk-through of the ways a Trojan can start; know the enemy well and you win.
I. Through Start \ Programs \ Startup
Concealment: 2 stars
Degree of use: low
This is also a very common method, and many normal programs use it; the QQ we all use starts itself this way. Trojans, however, rarely use it, because everything in the Startup group appears in the System Configuration Utility (Msconfig.exe, hereafter Msconfig). In fact, the Startup folder under Start \ Programs is enough to draw even a novice's attention, so I do not believe any Trojan will start this way.
II. Through the Win.ini file
Concealment: 3 stars
Degree of use: low
Like the Startup group, this is a method that has existed since Windows 3.2 and was inherited from Win16 into Win32. In Windows 3.2, Win.ini played the role the registry plays in Windows 9x: the load= and run= entries in its [windows] section are run when Windows starts. These two entries also appear in Msconfig. Moreover, after Windows 98 is installed these two entries are already used by Windows programs, so they are not very suitable for a Trojan either.
III. Through the registry
1. Through HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Concealment: 3.5 stars
Degree of use: extremely high
Examples: BO2000, GOP, NetSpy, IEThief, Glacier, ...
Many Windows programs use these keys, and they are also the ones Trojans use most often. They are very convenient to use but also easy to find: because they are used so widely, these few registry keys come to mind the moment a Trojan is mentioned. Usually a Trojan uses the last one (RunServices). With Windows's own tools, Msconfig or the Registry Editor (Regedit.exe, hereafter Regedit), the entry can be deleted easily, so on its own this method is not very reliable. However, the Trojan can add a timer that monitors its own startup value in the registry in real time and writes it back as soon as it finds it deleted. This creates a state of mutual protection between the Trojan process and its startup value in the registry: as long as the Trojan process has not been terminated, the startup value cannot be removed (delete it by hand and the Trojan adds it straight back), and conversely, as long as the startup value is not removed, the Trojan will be started again the next time Windows boots. What do we do? Breaking it is not difficult, and it does not even require any tool software.
Cracking method: first start Windows in safe mode. In safe mode Windows does not process the startup entries under these registry keys, so the Trojan is not started and the mutual protection is broken; then delete the value in the registry and the corresponding Trojan program.
2. Through HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Concealment: 4 stars
Degree of use: low
Example: Happy99
This method does not seem to be used by many, but its concealment is better than the previous one: its contents do not appear in Msconfig. The values under these keys behave like the previous ones and are run when Windows starts, but once Windows has started, the values under these keys are cleared, so they are not easy to find. Since they only start a program once, though, how can a Trojan get any lasting effect from them?
Actually it is very simple: if the value only works once, the Trojan simply adds it again after it has started successfully. In Delphi this is only three to five lines of code. Although these entries do not appear in Msconfig, they can be deleted directly in Regedit, after which the Trojan is disabled.
There is another way: add the value not at startup but when Windows is shutting down. This requires the Trojan to intercept Windows messages; when it sees the shutdown message, it pauses the shutdown, adds the registry entry, and then lets Windows continue shutting down. Done this way, not a trace of it can be found with Regedit. The drawback of this approach is that once Windows terminates abnormally (which happens often with Windows 9x), the Trojan loses its startup entry and is disabled.
Both variants can likewise be defeated from safe mode.
In addition, these three keys do not behave identically. Usually a Trojan chooses the first one, because the values under the second key are run before Windows has finished starting, and Windows waits for that program to finish before it continues to start.
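The sections on Win.ini (load= and run=) and on the Run, RunServices, RunOnce and RunServicesOnce keys describe where to look; the script below is an added example, not code from the original article, that performs that check offline over a win.ini and a Registry Editor (.reg) export. It flags every autostart entry and marks the ones that, as the article states, the Windows 9x Msconfig startup tab does not show. The sample win.ini and .reg text are constructed for the example, and every program name and path in them (sysexplr.exe, once.exe, svc.exe, the "Loader" and "svc" value names) is hypothetical.

```python
import re

# Constructed sample inputs (not real captures): a Windows 9x style win.ini fragment
# and a Registry Editor export. All program names and paths are hypothetical.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\sysexplr.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Loader"="C:\\WINDOWS\\SYSTEM\\sysexplr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wininit"="C:\\WINDOWS\\TEMP\\once.exe /q"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"svc"="C:\\WINDOWS\\SYSTEM\\svc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"""

# Leaf key name -> whether the Windows 9x Msconfig startup tab lists it (as the article states).
AUTOSTART_KEYS = {"run": True, "runservices": True, "runonce": False, "runservicesonce": False}

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg exports escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def win_ini_autostart(text):
    """Programs named by load= and run= in the [windows] section of a win.ini."""
    found = {"load": [], "run": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if section == "windows" and sep and key in found:
            # Entries are separated by spaces or commas; an empty value loads nothing.
            found[key].extend(p for p in re.split(r"[,\s]+", value.strip()) if p)
    return found


def reg_export_autostart(text):
    """Values under the CurrentVersion\\Run* keys in a Registry Editor export."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VAL_RE.match(line)
        if not m or current is None:
            continue
        parts = current.split("\\")
        leaf = parts[-1].lower()
        if len(parts) < 3 or parts[-2].lower() != "currentversion" or leaf not in AUTOSTART_KEYS:
            continue
        data = m.group(2).strip()
        if not (len(data) >= 2 and data[0] == '"' and data[-1] == '"'):
            continue  # only string values hold a command line
        findings.append({
            "hive": parts[0],
            "key": leaf,
            "name": _unescape(m.group(1)) if m.group(1) is not None else "(Default)",
            "command": _unescape(data[1:-1]),
            "visible_in_msconfig": AUTOSTART_KEYS[leaf],
        })
    return findings


def hidden_from_msconfig(findings):
    """The entries someone relying on Msconfig alone would never see."""
    return [f for f in findings if not f["visible_in_msconfig"]]


if __name__ == "__main__":
    print("win.ini:", win_ini_autostart(SAMPLE_WIN_INI))
    for f in reg_export_autostart(SAMPLE_REG):
        flag = "" if f["visible_in_msconfig"] else "  <- not shown by Msconfig"
        print(f"{f['hive']}\\...\\{f['key']}  {f['name']} = {f['command']}{flag}")
```

On a real machine you would feed it the actual C:\WINDOWS\WIN.INI and a full export made with Regedit; because the check runs over static files, it can be done from safe mode or from another boot environment, which is exactly the situation in which the Trojan's self-restoring timer is not running.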