Two effective ways to deal with Trojans disguised as system services

Source: Internet
Author: User

Some Trojans register themselves as system services so that antivirus software does not detect and remove them; they then start automatically with the system and can control your machine for a long time without your knowledge. Let's fight back and drive out these sinister "backdoor services".

A little background: what is a service?

A service is a type of application that runs in the background. To manage system services, run services.msc to open the "Services" window, which lists every service in the current system. Double-click a service, and in the "Properties" dialog that appears you can see its state in the "Service status" field on the "General" tab. The "Startup type" drop-down lets you set the service to Automatic, Manual, or Disabled.

There is a saying: "Know yourself and know your enemy, and you can win a hundred battles." To deal with such Trojans you first have to understand how they turn themselves into a service and lurk in the system for a long time. Depending on the method the Trojan uses to "change its face", prevention generally comes down to two cases:

  I. Beware of Trojans turned into services with Windows' own tools

Windows itself offers no direct way to add or delete services, but it can be done with instsrv.exe and srvany.exe from the Windows Resource Kit. Specifically, instsrv.exe installs and deletes services for the system, and srvany.exe runs an ordinary program as a service.

★How the face-changing works

Step 1: Register the service

Here we will illustrate how to create a service named "explorer". First, store instsrv.exe and srvany.exe somewhere convenient; we recommend the system installation directory (the author's Windows XP installation directory is D:\Windows). Run cmd.exe to open the "Command Prompt" window, run the command cd D:\Windows to enter the system installation directory, and then run the following command:

instsrv explorer D:\Windows\srvany.exe

Once this command has run successfully, a service named "explorer" has been registered in the system. Open "Services" and check it out!

Tips

★Register a service: instsrv <service name> <path to srvany.exe>. The service name can be anything; the path must be the absolute path of the file, for example D:\Windows\srvany.exe.

★Delete a service: instsrv <service name> remove

Step 2: Associate the service with the backdoor program

For the explorer service to actually run something, the application it corresponds to must also be specified in the registry. Run regedit.exe to open the Registry Editor and expand the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]. Find the sub-key explorer (the name of the service created earlier), right-click it, choose "Key" under "New", and name the new key Parameters. Select it, create a new string value named Application in the right-hand pane, and set its data to the absolute path of the application the explorer service should run, for example D:\Windows\gboor.exe. Then create two more string values, AppDirectory and AppParameters: AppDirectory specifies the directory the program lives in, and AppParameters gives the program's command-line parameters (note: you do not need to set this value). See Figure 1. Then close the Registry Editor.

Next, open the "Services" window, find the newly added explorer service, open its Properties dialog, switch to the "Log On" tab, and select "Local System account" under "Log on as" (Figure 2). If you do not want a window to pop up when the service runs, leave the "Allow service to interact with desktop" option unchecked, then click "OK" to return. The explorer service is now fully configured.

Finally, right-click the service and select "Start". The program will start, and from now on it will run automatically as a service whenever the system boots!

Tips

You can also run the following command to start the service: net start explorer.

★Flushing out the "backdoor service"

Once you understand how a Trojan turns itself into a service, solving the problem is not hard. If you notice anything abnormal in the system, go to the "Services" window and look for the malicious "backdoor service". Once such a service is found, driving the ghost out takes only two steps: ① Stop the service. The command is net stop <service name>, for example net stop explorer. ② Completely delete the fake service and drive the sinister "backdoor service" out of the house. The command is instsrv.exe <service name> remove, for example instsrv.exe explorer remove.
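Looking through the "Services" window by eye is tedious, and a wrapper service can be given any innocent-looking name. The following PowerShell function is an added example (not from the original article) that automates the check on the registry keys described above: it lists every service whose ImagePath is srvany.exe and shows the program it really launches from Parameters\Application, together with the account and startup type.

```powershell
# Added example, not part of the original article.
# Lists services wrapped by srvany.exe and the real program each one launches.
function Find-SrvanyService {
    param(
        # Wrapper binary to look for; srvany.exe is the one the article describes.
        [string]$WrapperPattern = 'srvany\.exe'
    )
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $svc -or [string]$svc.ImagePath -notmatch $WrapperPattern) { continue }

        # The real payload is stored one level down, under Parameters.
        $params = Get-ItemProperty -Path "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue

        # Start value: 2 = Automatic, 3 = Manual, 4 = Disabled.
        $startType = switch ($svc.Start) {
            2       { 'Automatic' }
            3       { 'Manual' }
            4       { 'Disabled' }
            default { "$($svc.Start)" }
        }

        [PSCustomObject]@{
            Service       = $key.PSChildName
            ImagePath     = $svc.ImagePath
            Application   = $params.Application      # program srvany actually runs
            AppDirectory  = $params.AppDirectory
            AppParameters = $params.AppParameters
            Account       = $svc.ObjectName          # e.g. LocalSystem
            StartType     = $startType
        }
    }
}

# List wrapper services; an Automatic service running as LocalSystem whose
# Application points outside the usual program directories deserves a closer look.
Find-SrvanyService | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt, since some service keys are not readable by ordinary users.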

  II. Beware of Trojans turned into services with AppToService

Some Trojans use a small program called AppToService to turn themselves into services. It can run any application as a service on NT-based systems and is even easier to use.

★How the face-changing works

After installing AppToService V2.7, double-click the AppToService shortcut on the desktop and follow the prompts.

For example, to add the program D:\Windows\gdoor.exe as a service with its "Startup type" set to "Automatic", just run the command AppToService /install /absname:"bd" /startup:A "D:\Windows\gdoor.exe" to create the bd service. As before, the service is started with net start bd.

★Giving the "backdoor service" a taste of its own medicine

If you find that a Trojan has used AppToService to become a service, you can stop all AppToService services with the command AppToService /StopAll, and then delete them. To delete a single service, run AppToService /Remove <service name>, for example AppToService /Remove bd; to delete all AppToService services, run AppToService /RemoveAll.

Tips

"AppToService services" here means all services added through AppToService, not the system's original services.

How about that? Now you know the inside story of how Trojans turn themselves into services. With the knowledge above, you should be able to handle any backdoor service!

Disclaimer: This article analyzes how a Trojan turns itself into a service only in order to find the corresponding preventive measures. Do not imitate it!
