The working principle of the Trojan horse

Source: Internet
Author: User
Tags: ini

Because many beginners know little about security, they do not know how to remove a "Trojan" from their computer. The most important thing, therefore, is to understand how a "Trojan" works; once you do, finding one becomes easy.

A "Trojan" program does everything it can to hide itself. The main methods are: hiding from the taskbar, which is the most basic one: as long as the form's Visible property is set to False and ShowInTaskbar is set to False, the program will not appear in the taskbar while it runs. Hiding from Task Manager: registering the program as a "system service" lets it disguise itself easily.

Of course it also starts silently. You cannot expect the user to click the "Trojan" icon to start the server every time, so the "Trojan" loads its server automatically when the user's system starts. Every method Windows uses to load applications automatically is used by a "Trojan": the Startup group, Win.ini, System.ini, the registry and so on are all hiding places for a "Trojan". The following explains specifically how a "Trojan" loads itself automatically.

In the Win.ini file, under [WINDOWS], the "run=" and "load=" lines are ways to load a Trojan, and you must pay close attention to them. Normally there is nothing after the equals sign; if you find a path and filename there that is not one of your familiar startup files, your computer may have a "Trojan horse". Of course you also have to look carefully, because many "Trojans", such as the "AOL Trojan", disguise themselves as a command.exe file; if you are not careful, you may not notice that it is not a real system startup file.

In the System.ini file, under [BOOT], there is a line "shell=filename". The correct filename is "Explorer.exe". If the line is not just "shell=Explorer.exe" but "shell=Explorer.exe program name", then the program that follows is the "Trojan" program, and you have a "Trojan Horse".

The registry is the most complex case. Open Registry Editor with the Regedit command and navigate to "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run". Check whether the values under that key contain any automatically started files with the extension exe that are unfamiliar to you.

Bear in mind here: the files generated by some "Trojan" programs are very similar to the system's own files, in order to pass as legitimate. For example, the "Acid Battery v1.0 Trojan" sets the Explorer value under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" to Explorer="C:\WINDOWS\expiorer.exe"; the "Trojan" program and the real explorer differ only in "i" versus "l".

Of course, there are many places in the registry where a "Trojan" program can hide, such as "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" and "HKEY_USERS\****\Software\Microsoft\Windows\CurrentVersion\Run". The best approach is to find the name of the Trojan program under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" and then search the entire registry for it.
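As an added illustration (not part of the original article), the following Python script applies the three checks above to constructed Win.ini and System.ini contents and to constructed Run-key values; the sample paths and the KNOWN baseline of recognised startup files are assumptions.

```python
# Constructed sample contents of the two INI files (not taken from a real machine).
WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\command.exe\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\svchost32.exe\n"
# Constructed values as Regedit lists them under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
RUN_KEY = {
    "Explorer": r"C:\WINDOWS\expiorer.exe",
    "SystemTray": r"C:\WINDOWS\system\systray.exe",
}
KNOWN = {"explorer.exe", "systray.exe"}  # assumed baseline of startup files you recognise

def ini_value(text, section, key):
    """Return the value of key under [section], or None if it is absent."""
    cur = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
        elif cur == section.lower() and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                return v.strip()
    return None

def basename(path):
    return path.replace("/", "\\").split("\\")[-1].strip('"').lower()

def looks_like(name, legit):
    """True if name differs from legit in exactly one character (expiorer vs explorer)."""
    name, legit = name.lower(), legit.lower()
    return len(name) == len(legit) and sum(a != b for a, b in zip(name, legit)) == 1

def audit(win_ini, system_ini, run_key):
    """Apply the article's three checks and return human-readable findings."""
    findings = []
    for key in ("run", "load"):  # normally empty; anything here is a startup entry to verify
        val = ini_value(win_ini, "windows", key) or ""
        if val:
            findings.append(f"win.ini {key}= launches {val}")
    shell = (ini_value(system_ini, "boot", "shell") or "").split()
    if not shell or basename(shell[0]) != "explorer.exe":
        findings.append(f"system.ini shell= is not Explorer.exe: {' '.join(shell)!r}")
    elif len(shell) > 1:  # "shell=Explorer.exe <program>" starts the extra program too
        findings.append(f"system.ini shell= also starts {' '.join(shell[1:])}")
    for name, path in run_key.items():
        exe = basename(path)
        if looks_like(exe, "explorer.exe"):
            findings.append(f"Run\\{name} = {path} mimics explorer.exe")
        elif exe not in KNOWN:
            findings.append(f"Run\\{name} = {path} is an unfamiliar startup file")
    return findings
```

Running `audit(WIN_INI, SYSTEM_INI, RUN_KEY)` on the constructed input reports the command.exe run= entry, the extra program on the shell= line, and the expiorer.exe look-alike, while the recognised systray.exe is left alone.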

Once you know how a "Trojan" works, killing it becomes very easy. If you find that a "Trojan" exists, the safest and most effective first step is to disconnect the computer from the network immediately, to prevent hackers from attacking you through the network.

Then edit the Win.ini file: under [WINDOWS], change "run=Trojan program" or "load=Trojan program" to "run=" and "load=". Edit the System.ini file: under [BOOT], change "shell=Trojan file" to "shell=Explorer.exe". In the registry, use Regedit: first find the "Trojan" file name under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, then search the entire registry for the "Trojan horse" program and remove it.

Sometimes you also need to note: for some "Trojan" programs, you cannot simply delete the "Trojan" value under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", because some "Trojans", such as the "Bladerunner" Trojan, will immediately add it back if you delete it. You need to write down the "Trojan" name and directory, then go back to MS-DOS, find this "Trojan" file and delete it.

Restart the computer, then go into the registry and remove the values for all the "Trojan" files. With that, we are done.

A little background: "Trojan" originally refers to the story of ancient Greek soldiers hiding inside a wooden horse to get into an enemy city and occupy it. On the Internet, "Trojan horse" refers to programs that some program designers hide in applications or games that can be downloaded from the network, including programs that can control the user's computer system and cause the user's system to be damaged or even paralyzed.
