The "Trojan horse" program is currently a popular kind of virus file. Unlike an ordinary virus, it does not reproduce itself and does not "deliberately" infect other files. Instead it attracts users by disguising itself, so that they download and execute it, giving the Trojan's owner a doorway into the victim's computer through which the Trojan can destroy and steal the victim's files at will and even remotely control the victim's computer. A "Trojan horse" is somewhat similar to the remote control software often used on computer networks, but because remote control software is "well-intentioned" control it is usually not concealed; the "Trojan horse" is exactly the opposite. What the Trojan horse wants is "stealthy" remote control, and that is "worthless" without strong concealment.
A complete "Trojan horse" program consists of two parts: the "server" and the "controller". What is implanted into the victim's computer is the "server" part, and the so-called "hacker" uses the "controller" to enter the computer running the "server". After the Trojan's "server" runs, one or several ports are opened on the victim's computer, allowing hackers to use these opened ports to enter the computer system, and security and personal privacy are no longer guaranteed at all!
A virus is a piece of computer code attached to a program or file that can spread from computer to computer. It infects computers as it spreads. Viruses can damage software, hardware, and files.
Virus (n.): Code written with the express purpose of replicating itself. A virus attaches itself to a host program and then attempts to spread from computer to computer. It can damage hardware, software and information.
Just as human viruses are classified by severity (from Ebola to the common flu virus), computer viruses range from causing minor disruption to completely destroying the device. It is reassuring to know that a true virus does not spread without human intervention: someone must share the file or send the email that moves it along.
The full name of the "Trojan horse" is the "Trojan horse of Troy", after the story of the ancient Greek soldiers who hid inside a wooden horse to enter and occupy an enemy city. On the Internet, a "Trojan horse" refers to a malicious program that some programmers (or malicious Trojan spreaders, the "grooms") hide inside applications, game plug-ins, or web pages that can be downloaded from the Internet, and that can control the user's computer system or steal user information through email; it may leave the user's system damaged, its data lost, or the machine paralysed.
1. Characteristics of Trojan horses
Trojan horses follow the client/server model. A Trojan is divided into two parts, the client and the server. The principle is that one host provides a service (the server side) and another host receives it (the client side). The host acting as the server generally opens a default port and listens on it; if a client makes a connection request to that port, the corresponding program on the server runs automatically to answer the client's request. Such a running program is called a process.
Trojan horses generally focus on opening backdoors and stealing passwords. Statistics show that Trojans now account for more than a quarter of viruses. In the wave of viruses that has emerged in recent years Trojans have an absolute advantage, and the problem will become more and more serious in the next few years. A Trojan horse is a special type of virus. If you mistake one for ordinary software and run it, the Trojan is "planted" on the computer; from then on, whenever you go online, control of the computer is completely handed over to the "hacker", who can steal confidential information such as passwords and credit card numbers by tracking keystrokes and other methods, and can also track, monitor, control, view and modify the information on the computer.
2. Trojan horse attack characteristics
When using the computer, watch for the following: the computer's response speed changes noticeably; the hard disk is constantly reading and writing; the mouse does not obey commands; the keyboard stops working; some of your windows are closed and new windows open inexplicably; the network activity indicator keeps flashing; no large program is running, yet the system gets slower and slower and system resources are heavily used; a certain program stops responding (such programs are generally small, from tens to hundreds of kilobytes); or the firewall detects that an email is sent when you close a certain program... These abnormal phenomena indicate that your computer has probably been infected by a Trojan virus.
3. The working principle of Trojans and the introduction of manual detection
Since most players do not know much about security, they do not know how to clean up if their computers are infected by a "Trojan". Therefore, the most important thing is to know how the "Trojan horse" works, so that a "Trojan horse" is easily discovered. I believe that after reading this article you will become a master at killing "Trojan horses". (If you can't become a master, I suggest you use rubber bands to shoot at the windows at Bamboo's house, hehe)
A "Trojan horse" program tries every means to hide itself. The main ways are: hiding from the taskbar, which is the most basic; just set the form's Visible property to False, and if ShowInTaskBar is set to False the program does not appear in the taskbar while it runs. Hiding in the Task Manager: a program can easily disguise itself by registering as a "system service".
A. Startup group class (that is, the file group that runs when the machine starts)
Of course, the Trojan must also start silently; you certainly cannot expect the user to click the "Trojan" icon every time to run the server (no one would be so stupid). The "Trojan horse" has to load its server automatically every time the user starts the machine, so it uses the methods Windows itself uses to load applications at startup: the startup group, win.ini, system.ini, the registry, and so on. They are all good hiding places for a "Trojan horse". Loading the Trojan through win.ini and system.ini: in Windows the two system configuration files win.ini and system.ini are stored in the C:\windows directory and can be opened directly with Notepad. Modifying the "load=file.exe" and "run=file.exe" statements in the [windows] section of win.ini achieves automatic loading of the Trojan. In addition, the [boot] section of system.ini normally reads "Shell=Explorer.exe" (the graphical command interpreter of the Windows system). Let us look at how the "Trojan" gets itself loaded automatically.
1. In the win.ini file, under [WINDOWS], "run=" and "load=" are possible ways to load "Trojan horse" programs, and you must pay careful attention to them. Under normal circumstances there is nothing after their equals signs. If you find a path and file name there that is not a startup file you are familiar with, your computer may be infected with a "Trojan horse". Of course, you have to look carefully, because many "Trojans", such as AOLTrojan, disguise themselves as command.exe files; if you are not careful you may not notice that it is not a real system startup file.
Through the c:\windows\wininit.ini file.
Many Trojan horse programs do their small tricks here. This method is often used during file installation: after the program installation is completed the file is executed immediately, and at the same time the originally installed file is deleted by Windows, so the concealment is very strong. For example, if the [Rename] section of wininit.ini contains "NUL=c:\windows\picture.exe", this statement sends c:\windows\picture.exe to NUL, which means the original file picture.exe has been deleted, so it is very well hidden once it has run.
2. In the system.ini file, there is "shell=file name" under [BOOT]. The correct file name is "explorer.exe". If it is not just "explorer.exe" but "shell=explorer.exe program name", then the program following it is a "Trojan horse" program, which means you have been hit by a "Trojan horse".
The win.ini and system.ini files can be viewed through "Run" in the "Start" menu: just enter "msconfig" in the "Run" dialog box and click "OK". (Everyone must note here that if you do not know much about computers, please do not enter this command or delete the files inside, otherwise you are responsible for all consequences and losses; Bamboo and I assume no responsibility.)
3. Check the files listed below frequently; Trojans may also be hidden in
C:\windows\winstart.bat and C:\windows\wininit.ini, as well as Autoexec.bat.
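Added here as a worked example (this code is not from the original article or its author): a small Python checker for the three startup files discussed in this section. It flags a non-empty load= or run= in the [windows] section of win.ini, a shell= line in system.ini that is anything other than explorer.exe, and NUL= entries in the [Rename] section of wininit.ini. The file contents it runs on are constructed stand-ins; on a real machine you would read C:\windows\win.ini, system.ini and wininit.ini and pass their text in.

```python
# Added example, not part of the original article: a checker for the three
# Windows 9x startup files discussed above. The file contents below are
# constructed stand-ins; on a real machine you would read C:\windows\win.ini,
# system.ini and wininit.ini with open() and pass their text in.

def parse_ini(text):
    """Parse INI text into {section: [(key, value), ...]}.

    Duplicate keys are kept in order: a second 'run=' line appended to the
    [windows] section is exactly what we want to see, and configparser
    would have merged or rejected it.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def audit_startup_inis(win_ini, system_ini, wininit_ini):
    """Return findings (strings) for the autostart tricks the article names."""
    findings = []
    # win.ini: [windows] load= and run= are normally empty.
    for key, value in parse_ini(win_ini).get("windows", []):
        if key in ("load", "run") and value:
            findings.append(f"win.ini [windows] {key}={value} (normally empty)")
    # system.ini: [boot] shell= should be exactly explorer.exe, nothing appended.
    for key, value in parse_ini(system_ini).get("boot", []):
        if key == "shell" and value.lower() != "explorer.exe":
            findings.append(f"system.ini [boot] shell={value} (expected explorer.exe)")
    # wininit.ini: [Rename] NUL=path deletes the file at the next boot, the
    # self-removal trick a dropper uses after it has already run.
    for key, value in parse_ini(wininit_ini).get("rename", []):
        if key == "nul":
            findings.append(f"wininit.ini [Rename] NUL={value} (file removed at next boot)")
    return findings


# Constructed sample files: one clean set and one showing all three tricks.
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n[desktop]\nWallpaper=(None)\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\ndevice=*vpowerd\n"
SAMPLE_WIN_INI = r"""[windows]
load=
run=c:\windows\system\picture.exe
[desktop]
Wallpaper=(None)
"""
SAMPLE_SYSTEM_INI = r"""[boot]
shell=Explorer.exe c:\windows\system\picture.exe
"""
SAMPLE_WININIT_INI = r"""[Rename]
NUL=c:\windows\picture.exe
"""

if __name__ == "__main__":
    for finding in audit_startup_inis(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_WININIT_INI):
        print(finding)
```

The parser deliberately keeps duplicate keys, because an appended second run= line is precisely the kind of change a quick glance at the file misses.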
B. Registry (the registry here is the Windows registry; anyone who knows computers recognises it at a glance)
1. Loading from the menu. If the automatically loaded file is added directly by customising the Windows menu, it is generally placed under "Start > Programs > Startup" in the main menu. The location in Windows 98 Explorer is "C:\windows\start menu\programs\startup".
When files are loaded automatically in this way, they are generally stored in the following four locations in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
2. The situation in the registry is the most complicated. Go to the "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" key and check its values to see whether there are any unfamiliar auto-start files with the extension EXE. Remember: some "Trojan horse" programs generate files that look very much like the system's own files and try to slip past you that way. For example, the "AcidBattery v1.0" Trojan changes the Explorer value under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" to Explorer="C:\WINDOWS\expiorer.exe"; the only difference between the "Trojan horse" program and the real Explorer is "i" versus "l". Of course, there are many places in the registry where "Trojan horse" programs can hide, such as the "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" and "HKEY_USERS\****\Software\Microsoft\Windows\CurrentVersion\Run" keys. The best way is to find the file name of the "Trojan horse" program under "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" and then search for it throughout the entire registry.
3. In addition, the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command in the registry is "%1" %*. If the "%1" part is modified to point to a Trojan horse, the Trojan starts every time an executable file is started. For example, the famous Glacier Trojan changes the open command of TXT files from Notepad.exe to its own startup file, so it starts automatically every time you open a text file with Notepad. The Glacier Trojan is very stealthy.
The registry can be viewed by typing "regedit" in the Run dialog box. Note that before deleting or modifying anything in the system registry you must back up the registry, because registry operations carry a certain danger. In addition, Trojans are hidden and some mistakes are possible; if errors are found you can import the backed-up registry file into the system to recover. (This command is also dangerous. If you do not understand computers, please do not try it. Remember!)
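Added here as a worked example (this code is not from the original article or its author): a Python audit of the two registry checks this section describes, the look-alike file name in a Run value and a changed exefile open command. It works on values copied out of regedit and passed in as a plain dict and string, so it reads nothing from a real system; the entry names, paths and the "sample-trojan.exe" string are constructed, and only the expiorer.exe case comes from the article.

```python
# Added example, not part of the original article: audit Run-key entries and
# the exefile open command as copied out of regedit (here as plain dicts and
# strings, so nothing real is read). The entry names and paths below are
# constructed; the expiorer.exe look-alike is the case the article describes.
import re

# Normal (Default) value of HKEY_CLASSES_ROOT\exefile\shell\open\command
EXPECTED_EXEFILE_COMMAND = '"%1" %*'
# System executables a Trojan might imitate; extend this list for your system.
KNOWN_SYSTEM_EXES = {"explorer.exe", "notepad.exe", "command.com", "rundll32.exe"}
# Glyphs that look alike on screen are folded to one character before comparing.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})


def program_of(command):
    """Return the program part of a command line (quoted path or first token)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ""


def lookalike_of(path):
    """Return the known system file name this file name imitates, or None."""
    base = path.lower().rsplit("\\", 1)[-1]
    if base in KNOWN_SYSTEM_EXES:
        return None                       # the genuine name is not a look-alike
    folded = base.translate(CONFUSABLES)
    for real in KNOWN_SYSTEM_EXES:
        if folded == real.translate(CONFUSABLES):
            return real
    return None


def audit_registry(run_entries, exefile_command):
    """run_entries: {value name: command} from a Run key.
    exefile_command: the (Default) value of exefile\\shell\\open\\command."""
    findings = []
    for name, command in run_entries.items():
        program = program_of(command)
        imitated = lookalike_of(program)
        if imitated:
            findings.append(f'Run value "{name}" runs {program}, which imitates {imitated}')
    if exefile_command.strip() != EXPECTED_EXEFILE_COMMAND:
        findings.append(f"exefile open command is {exefile_command!r}, expected "
                        f"{EXPECTED_EXEFILE_COMMAND!r}: something runs before every executable")
    return findings


# Constructed sample values, as they might be read off regedit.
SAMPLE_RUN = {
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "Explorer": r"C:\WINDOWS\expiorer.exe",
}
SAMPLE_EXEFILE = r'"C:\WINDOWS\SYSTEM\sample-trojan.exe" "%1" %*'

if __name__ == "__main__":
    for finding in audit_registry(SAMPLE_RUN, SAMPLE_EXEFILE):
        print(finding)
```

Folding i/l/1 and o/0 before comparing is what turns the article's "spot the one different letter" advice into something a script can do for every entry at once; the real explorer.exe is excluded first so it is never reported as imitating itself.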
C. Port (a port is actually the entrance through which network data enters the computer via the operating system)
1. A Trojan always needs some way to start, and some are only activated under specific conditions, so you should usually pay attention to your ports. The default ports of common Trojans are:
BO 31337, YAL 1999, Deep Throat 2140 and 3150, Glacier 7636, Sub7 1243
So how to check which ports are open on this machine?
Enter the following command at the DOS prompt: netstat -an, and you can see your own ports. Commonly used ports on the network are: 21, 23, 25, 53, 80, 110, 139. If there are other ports on your machine, you should pay attention to them, because many Trojans can set their own ports. (The Trojan ports above are from the past. Because of time and security concerns I do not know the ports of many new Trojans now, and I dare not try them; the technology updates so fast that I cannot keep up, sob.)
2. Since Trojans often run through network connections, if you find suspicious network connections you can infer the existence of a Trojan. The simplest way is to use the Netstat command that comes with Windows. Under normal circumstances, if you do not perform any Internet operation, the Netstat command in an MS-DOS window shows no information. You can use "netstat -a"; the "-a" option displays all current connections and listening ports on the computer. If an unknown port appears in the listening state and no network service is currently in use, it is likely that a Trojan is listening on that port.
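Added here as a worked example (this code is not from the original article or its author): a Python script that reads the text netstat -an prints on Windows and compares each listening port with the two lists above, the article's "common" ports and its table of default Trojan ports. The SAMPLE_NETSTAT text is constructed to look like that command's output; on a live machine you would run the command and pass its output to audit_netstat().

```python
# Added example, not part of the original article: pick the listening ports out
# of the text that "netstat -an" prints on Windows and compare them with the
# article's lists. SAMPLE_NETSTAT is constructed to look like that output; on a
# live machine, run the command and pass its output to audit_netstat().

# Ports the article calls common; add what your own machine legitimately uses
# (for example 137/138 NetBIOS) to avoid noise.
COMMON_PORTS = {21, 23, 25, 53, 80, 110, 139}
# The article's table of default Trojan ports.
TROJAN_DEFAULT_PORTS = {
    31337: "BO", 1999: "YAL", 2140: "Deep Throat", 3150: "Deep Throat",
    7636: "Glacier", 1243: "Sub7",
}


def parse_netstat(text):
    """Return [(proto, local_ip, local_port, state)] for each connection line.

    UDP lines carry no state column, so state is '' for them; for TCP the
    fourth column is LISTENING, ESTABLISHED, and so on.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                      # header, blank or "Active Connections"
        proto, local = parts[0], parts[1]
        ip, _, port = local.rpartition(":")
        state = parts[3] if proto == "TCP" and len(parts) > 3 else ""
        rows.append((proto, ip, int(port), state))
    return rows


def audit_netstat(text):
    """Flag listeners on known Trojan ports or outside the common list."""
    findings = []
    for proto, ip, port, state in parse_netstat(text):
        if proto == "TCP" and state != "LISTENING":
            continue                      # outbound/established traffic is not a listener
        if port in TROJAN_DEFAULT_PORTS:
            findings.append(f"{proto} {port}: default port of {TROJAN_DEFAULT_PORTS[port]}")
        elif port not in COMMON_PORTS:
            findings.append(f"{proto} {port}: not in the common list, find the owning process")
    return findings


# Constructed sample, shaped like Windows "netstat -an" output.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7636           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       203.0.113.10:80        ESTABLISHED
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for finding in audit_netstat(SAMPLE_NETSTAT):
        print(finding)
```

The established connection to port 80 is skipped on purpose: the article's point is unexpected listeners, and only the LISTENING rows (and UDP sockets, which are always bound) say anything about those.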
3. System process:
Press "Ctrl+Alt+Del" in Win2000/XP to open the Task Manager, where you can see all the processes running in the system one by one. A Trojan's active process can be found by going through this list.
Under Win98 finding a process is not so convenient, but there are tools for listing processes. Detecting Trojans by looking at system processes is simple and easy, but you must be familiar with the system, because a running Windows system has some processes we are not very familiar with, so you must be careful at this point. Trojans can still be detected this way.
4. Introduction to software for detecting and killing Trojans
The methods introduced above all detect or remove Trojans by hand, but in general Trojans are not so easy to find; they are very good at hiding. Fortunately, there is already a lot of anti-Trojan software. Here are some programs:
1. Rising anti-virus software.
2. Skynet firewall, personal version. Based on the principle of "rebound" (reverse-connecting) Trojans, even if someone's Trojan infects you, the Trojan client cannot connect to you because the firewall separates your computer from the outside world. After the firewall is activated, as soon as a suspicious network connection appears or a Trojan tries to control the computer, the firewall raises an alarm and shows the other party's IP address, the accessed port and other information. After manual configuration the other party cannot attack. However, on some individual machines running Skynet slows the machine down.
3. Trojan Star. As far as I know it is a program that only detects and kills Trojans, and it is also the program that can detect and kill the most kinds of Trojans. As its name suggests, Trojan Star cannot defeat the Qiankun Invincible Hammer or the Beiming Hammer Technique, but it can defeat all kinds of Trojan horses. That is not absolute, though; it seems "Gray Pigeon" can get past it. (I have only heard this and never tried it. "Gray Pigeon" is also a kind of Trojan, similar to Glacier.) (Most copies in use now are unregistered. When you use Trojan Star to check for Trojans and it says a Trojan was found but only registered users can clear it, that is just a small trick of the author: what he really means is that only registered users get told what was found. If a Trojan really is found the software tells you its specific location and name, and we can simply remove it with other software and methods.)
4. Green Eagle PC Universal Wizard. It monitors your computer in real time and makes you feel more at ease about "system security".
With protection software like this your computer is basically safe. But however high the Way rises, the devil rises higher. Recently a program appeared that can disguise Trojans (I do not know which master made it; it is very powerful): it generates multiple Trojans by permuting and combining the Trojan body, and anti-virus software can only kill the parent. The generated Trojans then cannot be found, so we still need to master some skills for removing Trojans by hand.
Anti-virus software is very effective at killing other viruses and fairly successful at finding Trojans, but not ideal at removing them completely, because a Trojan is usually loaded automatically every time the computer starts and anti-virus software cannot completely remove the Trojan files. Generally speaking, anti-virus software is more effective at preventing Trojan intrusions.
5. Defense against Trojans
With the spread of the Internet and the trend of trading online game equipment for RMB, Trojans spread faster and faster and new variants emerge one after another. While detecting and removing them, you should also take measures to prevent them. Here are several ways to prevent Trojans. (I am just borrowing everyone's opinions.)
1. Do not download, receive, or execute any software or files of unknown origin
Many Trojan viruses are bound to other software or files in order to spread; once the bound software or file is run, you are infected. Therefore you need to pay special attention when downloading. It is generally recommended to use sites with a higher reputation. Before installing software, be sure to check it with anti-virus software; it is recommended to use software that specifically detects and kills Trojans, to make sure it is virus-free and Trojan-free before use.
2. Do not open email attachments at will, and do not click on suspicious pictures in emails. (An additional example of email will be introduced later. Please pay attention.)
3. Configure Windows Explorer to always display file extensions. Files with the extensions vbs, shs and pif are mostly signature files of Trojan viruses; if you encounter these suspicious extensions, pay attention.
4. Use shared folders as little as possible. If you must share your computer for work or other reasons, it is best to create a separate shared folder and put all the files that need to be shared in it; be careful not to share the system directory.
5. Run an anti-Trojan real-time monitoring program. An important point in preventing Trojans is that it is best to run an anti-Trojan real-time monitoring program while surfing the Internet. Software such as PC Universal Wizard can generally display all currently running programs in real time with detailed descriptions. If in addition you add some up-to-date professional anti-virus software, a personal firewall and so on for monitoring, you can basically rest assured.
6. Upgrade the system frequently. Many Trojans attack through system vulnerabilities. Microsoft will release patches as soon as possible after discovering these vulnerabilities. In many cases, the patched system itself is the best way to prevent Trojans.
6. Individual examples of Trojan horse propagation (I will introduce you to an email type)
1. There are more and more attacks from the Internet. Some malicious web pages carrying Trojans exploit security vulnerabilities in software or the operating platform: automatically executing code embedded in the web page's HTML (Java applets, JavaScript scripts, and ActiveX components) forcibly modifies the user's registry and system configuration, and can then be used to illegally control system resources, destroy data, format hard drives, plant Trojan horse programs, and steal user data.
At present, there are two types of attacks from web pages: one is to modify the IE browser through edited scripts; the other is to directly damage the Windows system. The former will generally modify the title bar and default homepage of the IE browser or directly "plant" the Trojan horse in your machine, etc.; the latter will directly lock your keyboard, mouse and other input devices and then damage the system.
(Author's comment): Fortunately, the current "Trojan horse" that steals thousands of usernames and passwords is only an act of theft and has not developed into sabotage. Otherwise the account would be stolen and the hard drive formatted along the way, and it would be impossible to retrieve the password immediately. I hope this does not happen. (Amitabha!)
The following is the main topic, please read carefully!
If the attachment of an email you receive contains a file that looks like this (or looks like this kind of file; in short, a very attractive file whose format looks very safe): "QQ Lianghao Broadcast.txt", do you think it must be a plain text file? Let me tell you, not necessarily! Its actual file name may be QQ Lianghao Broadcast.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}.
{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B} is the registry's file association for HTML documents, but it does not appear when the file is saved or displayed; what you see is a .txt file. This file is actually equivalent to QQ Lianghao Broadcast.txt.html. So why is it dangerous to open this file directly? Consider a file whose content is as follows:
You may think it will be opened with Notepad, but if you double-click it, it is run as HTML and automatically starts loading the Trojan through the web page in the background, while displaying a dialog box like "Opening file" to trick you. Do you think the danger of casually opening the .txt in an attachment is big enough?
Principle of the deception: when you double-click this disguised .txt, since the real file extension is .{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}, which is an .html file, it runs as an HTML file; that is the prerequisite for it to run.
"WScript" is also called by some malicious web Trojans.
The full name of WScript is Windows Scripting Host. It is a function newly added in Win98, a batch language/automatic execution tool; its corresponding program "WScript.exe" is a script language interpreter located in c:\WINDOWS. It is what allows scripts to be executed, just like running a batch file. In the Windows Scripting Host scripting environment some objects are predefined; through the several built-in objects it comes with, functions such as reading environment variables, creating shortcuts, launching programs, and reading and writing the registry can be achieved.
Recently I have heard from many players that many Trojan spreaders ("grooms") pretend to be the official Millennium website and send them emails with names like "Your Millennium Password Confirmation Letter" or "Your Millennium Data Protection Suggestions", winning the players' trust so that they click and run the Trojan email. We hope that when players receive this type of email they first check whether it really comes from the official Millennium website; if it comes from any other website or a personal mailbox, delete it immediately. Remember: delete it immediately and do not take any chances.
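Added here as a worked example (this code is not from the original article or its author): a Python function that tells you what an attachment really is from its full file name, covering both the CLSID trick just described and the vbs/shs/pif extensions from item 3 of the prevention section. It strips a trailing .{CLSID} the way the shell hides it and reports which handler will actually open the file, and it spots a double extension such as photo.jpg.pif that Explorer shows as photo.jpg when known extensions are hidden. The CLSID is the one the article gives for HTML documents; the other file names are constructed, and adding exe to the article's extension list is my choice.

```python
# Added example, not part of the original article: work out what an attachment
# really is from its full file name, before trusting the name the desktop
# shows. The CLSID is the one the article gives for HTML documents; the other
# file names are constructed. The "risky" extension list combines the vbs/shs/pif
# extensions from the prevention section with exe.
import re

# {CLSID} -> how Windows actually opens a file carrying it as its last extension
CLSID_HANDLERS = {"{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}": "HTML document"}
# Extensions that execute code; the article lists vbs, shs and pif as Trojan carriers
RISKY_EXTENSIONS = {"vbs", "shs", "pif", "exe"}
GUID_SUFFIX = re.compile(r"\.(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$")


def inspect_attachment(filename):
    """Return (shown_name, verdict).

    shown_name is what Explorer displays; verdict says what a double-click
    really does. A trailing .{CLSID} is hidden by the shell and hands the file
    to that COM class, so "x.txt.{...}" is opened by the HTML handler, not Notepad.
    """
    m = GUID_SUFFIX.search(filename)
    if m:
        shown = filename[: m.start()]
        handler = CLSID_HANDLERS.get(m.group(1).upper(), "unknown COM class " + m.group(1))
        visible_ext = shown.rsplit(".", 1)[-1] if "." in shown else "(none)"
        return shown, f"opens as {handler}, not as the .{visible_ext} it appears to be"
    parts = filename.lower().rsplit(".", 2)
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXTENSIONS:
        verdict = f"executable content (.{ext})"
        if len(parts) == 3:
            # "photo.jpg.pif" shows as "photo.jpg" when known extensions are hidden
            verdict += f"; double extension, shows as .{parts[-2]} if extensions are hidden"
        return filename, verdict
    return filename, "no disguise detected from the name"


if __name__ == "__main__":
    for name in ("QQ Lianghao Broadcast.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}",
                 "photo.jpg.pif", "readme.txt"):
        print(inspect_attachment(name))
```

An unknown CLSID is still reported rather than ignored: any file whose last "extension" is a class id is being handed to a COM object, and that alone is reason enough not to double-click it.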
7. Defense against "Trojans" (Purely personal opinions, no legal liability)
For home Internet use, preventing Trojans is a very simple matter: it is nothing more than installing plenty of anti-virus software and updating it in a timely manner.
(No matter how new a Trojan is when it spreads, it soon becomes a trophy of the various anti-virus programs, unless someone has custom-built a personal Trojan.) Adding the Skynet firewall (many hackers use passwords and loopholes for remote control, and this firewall can prevent password and vulnerability intrusions) basically solves the problem, unless you open the Trojan server yourself out of curiosity or by accident; I think that situation still accounts for a certain proportion!
But for those who surf the Internet in Internet cafes, no matter how good the defense is, it is useless.
As far as I know, the current safety factor of Internet cafes is practically zero (00000000). The most powerful thing at present should be installing the "Original Elf Bar", but... I personally think that thing is not very useful; it is better described as software that protects user passwords than as software that protects the Internet cafe's system. Today's Trojans generally send passwords out by email, which means that as long as you type your password into the input box, the Trojan controller has your ID and password (generally in no more than three minutes)! For friends who surf the Internet in Internet cafes, it is safest to enter your ID and password by copying and pasting. Many Trojan horse programs are actually keylogging tools, which record all your keyboard input without your knowledge and then send it over the Internet! (It is so scary. And as far as I know, the Ministry of Public Security and the Ministry of Culture have banned the installation of restore wizards in Internet cafes, saying it is to preserve history records. Alas, even these little defensive measures have been blocked. Crying.)
In short, home Internet users should remember to update their virus database at any time, check computer processes at any time, kill any unknown process immediately, and not browse unknown sites (I usually judge the reliability of a site from its domain name; generally there is no malicious code or web Trojan on a first-level domain), let alone casually accept files and emails that others send you!
It is really difficult to prevent theft in Internet cafes; everyone has access and the situation is complicated. Even if the boss spends money to register Trojan Star, haha... it is useless; anyone who wants to do bad things can just kill it~~~~ I personally think that apart from copying your ID and password and pasting them into the input box when surfing the Internet, you have to leave the rest to fate~~~~~
8. Explanation of Zuiwengxiang 1.1G, which everyone uses
If you use other people's software, you ought to speak up for them. Some time ago someone said there was no response after running the Zuiwengxiang 1.1G software, and when closing it some protective software warned: this software is monitoring the keyboard of this machine!!
In fact it is the hook.dll file in Zuiwengxiang (Drunkard Alley) that is causing the trouble. Now let me tell you about the "hook" question.
What is a hook?
In Windows systems, hooks are a special message processing mechanism. Hooks can monitor various event messages in the system or process, intercept messages sent to the target window, and process them. In this way, we can install custom hooks in the system, monitor the occurrence of specific events in the system, and complete specific functions, such as intercepting keyboard and mouse input, screen word capture, log monitoring, etc. It can be seen that many special and useful functions can be achieved by using hooks. Therefore, it is necessary for advanced programmers to master the hook programming method.
Types of hooks
Classified by scope of use, they mainly include thread hooks and system hooks.
(1) A thread hook monitors the event messages of a specified thread.
(2) A system hook monitors the event messages of all threads in the system. Because a system hook affects all applications in the system, the hook function must be placed in an independent dynamic link library (DLL). This is the big difference between system hooks and thread hooks.
The hook.dll in Zuiwengxiang is the program that performs the functions above. Because of the special nature of hooks, some software will report that it is recording keyboard actions, but will not report it as a Trojan horse. (Haha, it is really scary. But even if it records keyboard actions there is not much danger as long as nothing is sent out.)
9. Summary (that is, a summary of the above)
Everyone now knows how a "Trojan horse" works, which makes it easy to detect and kill "Trojans". If a "Trojan" is found, the safest and most effective way is to immediately disconnect the computer from the network to prevent hackers from attacking you through the network, and then deal with it according to the actual situation.