DLL Trojans do their dirty work through DLL files. While such a Trojan runs, no new process appears in the process list, and many DLL Trojans inject themselves into key system processes (which cannot be terminated), so anti-virus software
fails to detect them, which poses a great threat to system security. If you have no Trojan-killing tool at hand, you can make do with Office Excel. Let's take a look at how to use
Excel to deal with a Trojan that has been injected into the lsass.exe process.
Step 1: Find the infected process
Recently, shortly after going online, I noticed that the network was extremely slow, so I ran "netstat -a -n -o" to view the open ports and connections. The connection initiated by the process with PID 580 is extremely suspicious: its state is ESTABLISHED, meaning the two machines are actively communicating (see figure 1). Task Manager
shows that this PID belongs to lsass.exe. lsass.exe (Local Security Authority Subsystem Service) is a security component of Microsoft Windows, responsible for local security and logon policy. On a workstation this process has no reason to open ports or make outbound connections (on a domain controller it does legitimately listen, for Kerberos and LDAP, so judge it in context). It is therefore very likely that a DLL Trojan has been injected into it. If the intruder is not connected at the moment, you can still use the port state to judge whether the attack succeeded, as shown in the figure:
TIME_WAIT means a connection has just finished, i.e. the port was accessed and the session has ended; on a process that should not be talking to the network at all, that suggests the machine has already been accessed. LISTENING means the port is open and waiting for a connection.
Note that only TCP service ports can be in the LISTENING state; netstat shows no state column for UDP.
TIPS: the premise for judging whether the attack succeeded is to identify the infected process. By the type of process they are inserted into, DLL Trojans can be roughly divided as follows:
1. Inserted into an ordinary program, for example notepad.exe or policipolicer.exe (this kind is easy to judge: without starting any program yourself, open Task Manager; if you find such a process running, you have found the target).
2. ... the listener does not open a port or connection).
3. Inserted into a process that itself opens ports, such as alg.exe or svchost.exe: here you must judge comprehensively from the connection state, the remote IP address, and the DLLs the process has loaded.
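The lookup from Step 1, automated as an added example (this script is not part of the original article): it parses the output of "netstat -a -n -o" and "tasklist /FO CSV /NH", maps each connection to its owning image name, and reports connections owned by processes that should not have any. Both command outputs below are constructed samples in the format Windows prints, and the NO_NETWORK_EXPECTED / ALLOWED_ENDPOINTS policy is an assumption of the example that you should tune per host.

```python
"""Map suspicious connections back to their owning process.

Added example, not from the original article: it automates the
'netstat -a -n -o' plus Task Manager lookup from Step 1. Both command
outputs below are constructed samples in the format Windows prints.
"""
import csv
import io

# Constructed sample of 'netstat -a -n -o' output.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.20:1045      10.0.0.5:4444          ESTABLISHED     580
  TCP    192.168.1.20:1046      203.0.113.7:80         TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    580
"""

# Constructed sample of 'tasklist /FO CSV /NH' output (image name, PID, ...).
TASKLIST_SAMPLE = '''"System","4","Console","0","236 K"
"svchost.exe","900","Console","0","4,520 K"
"lsass.exe","580","Console","0","1,380 K"
"explorer.exe","1200","Console","0","18,244 K"
'''

# Policy (an assumption of this example, tune it per host): core system
# processes that should own no sockets on a workstation ...
NO_NETWORK_EXPECTED = {"lsass.exe", "csrss.exe", "smss.exe"}
# ... except these known-legitimate endpoints. lsass.exe hosts the IPsec
# IKE service, so UDP 500/4500 bound by lsass.exe is normal; on a domain
# controller it would also listen for Kerberos and LDAP.
ALLOWED_ENDPOINTS = {("lsass.exe", "UDP", 500), ("lsass.exe", "UDP", 4500)}


def parse_netstat(text):
    """Parse 'netstat -a -n -o' rows into dicts; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # unexpected layout (e.g. output without -o); skip
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist_csv(text):
    """Map PID -> image name from 'tasklist /FO CSV /NH' output."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def local_port(addr):
    """'192.168.1.20:1045' -> 1045; also works for '[::]:135'."""
    return int(addr.rsplit(":", 1)[1])


def suspicious_connections(netstat_text, tasklist_text):
    """Return connections owned by processes that should not have any.

    TIME_WAIT rows usually carry PID 0 (no owner any more), so they can
    only be judged by the port they used, not by this process check.
    """
    names = parse_tasklist_csv(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        image = names.get(c["pid"], "<unknown>").lower()
        if image not in NO_NETWORK_EXPECTED:
            continue
        if (image, c["proto"], local_port(c["local"])) in ALLOWED_ENDPOINTS:
            continue
        findings.append(dict(c, image=image))
    return findings


if __name__ == "__main__":
    for f in suspicious_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {f['pid']} ({f['image']}) {f['proto']} "
              f"{f['local']} -> {f['foreign']} {f['state']}")
```

Run against real output by saving "netstat -a -n -o > net.txt" and "tasklist /FO CSV /NH > tl.txt" and feeding the file contents to suspicious_connections(); on the constructed sample it reports exactly the ESTABLISHED lsass.exe connection to 10.0.0.5:4444 and skips the IKE port.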
Step 2: Track the Trojan
Knowing which process the DLL Trojan has been injected into, we can compare the DLL modules that process has loaded against a clean reference.
1. On another, normal computer (ideally the same Windows version and patch level, otherwise the module lists differ for legitimate reasons), run at the command prompt: tasklist /M /FO list > G:\dll1.txt. This writes every process's loaded DLLs to a log file. Open dll1.txt and copy out the list of DLLs loaded by lsass.exe (see figure 2). Do the same on the suspect machine.
2. Open Excel and paste the DLL lists of lsass.exe from the normal computer and from this machine into column A and column B respectively. Because Excel numbers the rows, you can see at once that the two lsass.exe instances load different numbers of DLLs (64 versus 68). Set the font of column B to red, cut the contents of column B and paste them below column A, then click "Data/Sort" in Excel.
After the data is re-sorted, every DLL present on both machines sits next to its twin, and the DLLs that exist only on the infected machine stand out as red entries without a partner: mswsock.dll, psapi.dll, wshtcpip.dll and
share.dll (see figure 3). Of these, mswsock.dll, wshtcpip.dll and psapi.dll are legitimate Windows libraries (the Winsock provider, the TCP/IP Winsock helper and the Process Status API); lsass.exe has pulled them in only because the injected code uses sockets. The file that does not belong to Windows is share.dll.
TIPS:
If you cannot determine which process has been injected, first output the DLL lists of all processes, then sort them in Excel, compare them with the normal DLL lists, and check each newly added DLL one by one.
Step 3: Delete the Trojan file
From the above we know that the DLL Trojan is among the four extra files. Now locate them with the search function (DLL files mostly live in the system directory, so the search can be limited to it) and check their properties.
The one that stands out is c:\windows\system32\share.dll. Boot into safe mode and delete share.dll, then use its creation time and size to find
the Trojan's companion files and delete them too. Microsoft's own system DLLs carry version information in their properties, and most of them share the same file date; a file with no version tag, or dated differently from the rest, deserves suspicion. Deleting the DLL removes the payload but not necessarily whatever loads it, so after a reboot confirm that lsass.exe no longer loads it.
TIPS: if the Trojan is injected into an ordinary process rather than a core system process, you can terminate that process and delete the DLL directly, without rebooting into safe mode.
Step 4: Back up data to prevent potential problems
Judging from memory alone which DLLs a process should load is difficult. Therefore, we usually
use the tasklist command to back up the DLL lists of the common system processes while the machine is known to be clean. Then, whenever you suspect an infection, reboot, close all unrelated programs, dump the lists again and compare them with the backup by sorting in Excel; the Trojan shows up quickly.
Effective, isn't it?
Note: the system runs several svchost.exe processes; each has its own PID and hosts a different set of services (visible with "tasklist /SVC"), so back them up separately. PIDs change across reboots, so identify each instance by the services it hosts rather than by PID alone.
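The comparison of Step 2 and the backup-and-diff routine of Step 4, as one added example that is not part of the original article: it parses two "tasklist /M /FO LIST" dumps (a baseline taken on a clean machine or saved earlier on this machine, and the current one) and reports, per process, every module that is not loaded by any baseline instance of the same image name, which is what makes several svchost.exe instances with shifting PIDs manageable. The two dumps embedded below are constructed samples in the shape tasklist prints (long module lists may wrap onto continuation lines); the lsass.exe record in the current dump carries the four extra DLLs from the article.

```python
"""Diff per-process DLL lists from two 'tasklist /M /FO LIST' dumps.

Added example, not from the original article. It replaces the Excel
sort step: parse a baseline dump and a current dump, then report the
modules each process loads now that it did not load in the baseline.
BASELINE_DUMP and CURRENT_DUMP are constructed samples.
"""
import re
from collections import defaultdict

BASELINE_DUMP = """\
Image Name:   smss.exe
PID:          584
Modules:      ntdll.dll

Image Name:   lsass.exe
PID:          692
Modules:      ntdll.dll, kernel32.dll, ADVAPI32.dll, RPCRT4.dll, LSASRV.dll,
              msvcrt.dll, USER32.dll, GDI32.dll, SAMSRV.dll, Secur32.dll

Image Name:   svchost.exe
PID:          932
Modules:      ntdll.dll, kernel32.dll, ADVAPI32.dll, RPCRT4.dll, rpcss.dll

Image Name:   svchost.exe
PID:          1040
Modules:      ntdll.dll, kernel32.dll, ADVAPI32.dll, RPCRT4.dll, dnsrslvr.dll
"""

CURRENT_DUMP = """\
Image Name:   smss.exe
PID:          584
Modules:      ntdll.dll

Image Name:   lsass.exe
PID:          580
Modules:      ntdll.dll, kernel32.dll, ADVAPI32.dll, RPCRT4.dll, LSASRV.dll,
              msvcrt.dll, USER32.dll, GDI32.dll, SAMSRV.dll, Secur32.dll,
              share.dll, mswsock.dll, wshtcpip.dll, psapi.dll

Image Name:   svchost.exe
PID:          936
Modules:      ntdll.dll, kernel32.dll, ADVAPI32.dll, RPCRT4.dll, rpcss.dll

Image Name:   svchost.exe
PID:          1052
Modules:      ntdll.dll, kernel32.dll, ADVAPI32.dll, RPCRT4.dll, dnsrslvr.dll
"""

KEY_RE = re.compile(r"^(Image Name|PID|Modules):\s*(.*)$")


def parse_tasklist_modules(text):
    """Return a list of (image_name, pid, set_of_lowercased_modules)."""
    records = []
    image = pid = None
    modules = []
    in_modules = False

    def flush():
        if image is not None:
            mods = {m.strip().lower() for m in modules
                    if m.strip() and m.strip() != "N/A"}
            records.append((image, pid, mods))

    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            in_modules = False
            if key == "Image Name":
                flush()
                image, pid, modules = value, None, []
            elif key == "PID":
                pid = int(value)
            else:
                modules.extend(value.split(","))
                in_modules = True
        elif in_modules and line.strip():
            modules.extend(line.split(","))  # wrapped continuation line
        elif not line.strip():
            in_modules = False
    flush()
    return records


def new_modules(baseline_text, current_text):
    """Map (image, pid) in the current dump to modules absent from every
    baseline instance of that image name. Matching by name rather than
    PID is deliberate: PIDs differ between machines and across reboots,
    and several svchost.exe instances coexist. A process with no baseline
    entry at all is reported with its full module list."""
    baseline = defaultdict(set)
    for image, _pid, mods in parse_tasklist_modules(baseline_text):
        baseline[image.lower()] |= mods
    findings = {}
    for image, pid, mods in parse_tasklist_modules(current_text):
        known = baseline.get(image.lower())
        extra = mods if known is None else mods - known
        if extra:
            findings[(image, pid)] = sorted(extra)
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Real use: python dlldiff.py baseline.txt current.txt
        # (tasklist writes in the console code page, hence errors="replace").
        with open(sys.argv[1], errors="replace") as f1, \
                open(sys.argv[2], errors="replace") as f2:
            result = new_modules(f1.read(), f2.read())
    else:
        result = new_modules(BASELINE_DUMP, CURRENT_DUMP)
    for (image, pid), mods in sorted(result.items()):
        print(f"{image} (PID {pid}) newly loads: {', '.join(mods)}")
```

On the constructed dumps the only finding is lsass.exe (PID 580) with mswsock.dll, psapi.dll, share.dll and wshtcpip.dll, the same four names the Excel sort produced; triaging which of them are genuine Windows files is still done by hand, by checking file properties as in Step 3.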