When Microsoft moved from Windows 98 to the NT line (Windows 2000 and XP), the Task Manager changed overnight: a process can no longer hide itself from it the way traditional trojans on Windows 98 did by registering as a service process. Trojans that relied on that trick to stay invisible faced an unprecedented crisis, and their developers adjusted their approach promptly. That is why today we are discussing how to find and remove embedded (injected) dynamic DLL trojans.
First, what is a dynamic embedded trojan? To keep hiding their process on NT systems, trojan developers turned to DLL (Dynamic Link Library) files. At first they wrote the trojan as a DLL that replaced the system's Winsock 1.x library wsock32.dll (for Winsock 2 the equivalent is WS2_32.DLL), the library responsible for socket function calls: the real wsock32.dll was renamed, and the fake one forwarded the legitimate functions to it while handling the trojan's own, undocumented functions itself, achieving remote control. However, once Microsoft introduced digital signatures for system files and automatic file recovery (Windows File Protection), such replacement DLLs became short-lived, so developers moved to today's mainstream form: the embedded DLL trojan, in which the trojan DLL is injected into a process that is already running. Processes that the system cannot do without, such as Explorer.exe, svchost.exe and smss.exe, are the favourite hosts, so the DLL never appears in Task Manager at all: the carrier EXE is the system's own. With further work a DLL trojan can also hijack or multiplex a port that is already in use (the so-called "free port"), register itself as a service, protect itself with multiple threads, and so on. In short, DLL trojans have reached an unprecedented level of concealment.
So how do we find and remove such a trojan DLL?
First, start from the trojan's DLL file itself. We know that system32 is a favourite hiding place: many trojans try their hardest to squeeze in there, and DLL trojans are no exception. So, once the system and the necessary applications are installed, record the EXE and DLL files in that directory: open CMD, change to the system32 directory and run `dir *.exe > exeback.txt & dir *.dll > dllback.txt`, which records all EXE and DLL file names in exeback.txt and dllback.txt. Later, if the system behaves abnormally but traditional methods find nothing, consider that a DLL trojan may have been injected. Run the same command again to record the current EXE and DLL files in exeback1.txt and dllback1.txt, then run `fc exeback.txt exeback1.txt > diff.txt & fc dllback.txt dllback1.txt >> diff.txt` (note the `>>` on the second fc: with `>` the second comparison would overwrite the first). fc compares the before and after listings and writes the differences to diff.txt, so the extra EXE and DLL files stand out; looking at their creation time, version information and whether they are packed will usually tell you whether a DLL trojan has paid a visit. Bear in mind that this only compares names: a trojan that replaces an existing DLL under its original name will not show up, so also compare the sizes and timestamps that dir records. If you do find one, don't delete it outright: move it to the Recycle Bin first, and if the system shows no ill effects afterwards, delete it for good or submit it to an antivirus vendor.
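The baseline-and-compare procedure above, written out as an added example (this is not the article's own commands, and it is a Python stand-in for the `dir`/`fc` pair rather than a Windows tool). It records size and SHA-256 as well as the name, so a DLL that was replaced in place shows up as "changed", which the name-only listing would miss. The directory contents, the file name netapi33.dll and the "trojanised" bytes are constructed for the demonstration and are assumptions of this example.

```python
"""Baseline-and-compare for a directory of EXE/DLL files (added example,
not the article's own commands).  Records name, size and SHA-256 so that a
DLL replaced under its original name is reported as well as a new one."""
import hashlib
import json
import tempfile
from pathlib import Path

EXTENSIONS = {".exe", ".dll"}


def snapshot(directory):
    """Return {filename: {"size": int, "sha256": hex}} for *.exe / *.dll in directory."""
    result = {}
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file() and entry.suffix.lower() in EXTENSIONS:
            digest = hashlib.sha256(entry.read_bytes()).hexdigest()
            result[entry.name.lower()] = {"size": entry.stat().st_size, "sha256": digest}
    return result


def save_snapshot(snap, path):
    """Persist a snapshot as JSON (the equivalent of exeback.txt / dllback.txt)."""
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_snapshot(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Return (added, removed, changed) file-name lists, like fc but content-aware."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(name for name in set(baseline) & set(current)
                     if baseline[name]["sha256"] != current[name]["sha256"])
    return added, removed, changed


def demo():
    """Constructed stand-in for system32: take a baseline, then plant a new DLL
    and overwrite an existing one, and report what compare() finds."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "kernel32.dll").write_bytes(b"MZ constructed kernel32")   # constructed
        (d / "wsock32.dll").write_bytes(b"MZ constructed wsock32")     # constructed
        (d / "notepad.exe").write_bytes(b"MZ constructed notepad")     # constructed
        (d / "readme.txt").write_bytes(b"not an executable, ignored")
        save_snapshot(snapshot(d), d / "baseline.json")

        # Simulated intrusion: a new DLL appears (hypothetical name) and
        # wsock32.dll is replaced in place, keeping its name.
        (d / "netapi33.dll").write_bytes(b"MZ planted trojan dll")
        (d / "wsock32.dll").write_bytes(b"MZ trojanised wsock32")

        return compare(load_snapshot(d / "baseline.json"), snapshot(d))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added, "removed:", removed, "changed:", changed)
```

Run `snapshot()` once on the freshly installed system and keep the JSON somewhere the trojan cannot reach (a floppy or a CD in the article's era); the same `compare()` works for any name-keyed listing, such as an exported service list.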
Second, as mentioned above, certain key system processes are the favourite hosts of this kind of trojan, so once we suspect a DLL trojan has entered the system, those processes deserve the closest attention. Procedump.exe can show which DLL files a process has loaded (Figure 1). But a process may load a great many DLLs, and checking them all by eye is unrealistic, so we use the NT process and memory-module viewer ps.exe instead: `ps.exe /a /m > nowdlls.txt` saves the names of all DLLs currently loaded by any process to nowdlls.txt, and fc then compares that file against the dllback.txt backed up earlier, which again narrows the scope of the investigation.
Third, remember one characteristic every trojan shares: the port. For as long as it stays connected, a trojan that receives or sends data must have a port open, and DLL trojans are no exception. That gives us another clue: use Foundstone's Fport.exe to list each open port and the process that owns it, narrow things down to the specific process, and then Procedump makes finding the trojan DLL relatively easy. Of course, as mentioned above, some trojans reuse a port that is already open or hijack a port for their communication; ports 139, 80 and 1443 are common favourites. Even a user who scans their own ports will see something like `TCP UserIP:1026 ControllerIP:80 ESTABLISHED` and, with a moment's carelessness, will take it for their own web browsing (and the firewall will see it no differently). So looking at ports alone is not enough: we must also watch what passes through the port, which brings us to the fourth point.
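The port-to-process correlation described in the third point, as an added example (not the article's own material and not Fport's code). It joins a `netstat -an`-style connection table with an Fport-style port-owner table and flags established connections whose owner is one of the host processes the article names, or whose owner cannot be found. Both listings below are constructed in the style of those tools' output, the PIDs, addresses and paths are invented, and the set of host-process names is this example's own judgement rather than a Windows rule.

```python
"""Join netstat-style connections with Fport-style port owners (added
example, not the article's own commands).  Samples are constructed."""
import re

# Constructed sample in the style of Fport's "Pid Process -> Port Proto Path" table.
FPORT_SAMPLE = """\
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
1044  explorer       ->  1026  TCP   C:\\WINNT\\explorer.exe
1200  iexplore       ->  1027  TCP   C:\\Program Files\\Internet Explorer\\iexplore.exe
"""

# Constructed sample in the style of `netstat -an`.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:135        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1026       203.0.113.7:80         ESTABLISHED
  TCP    192.168.1.5:1027       203.0.113.9:80         ESTABLISHED
  UDP    192.168.1.5:137        *:*
"""

# Processes a DLL trojan likes to live in (from the article, plus a few other
# core NT processes).  svchost does legitimate outbound work too, so a hit
# here is a lead to check with Procedump, not a verdict.
HOST_PROCESSES = {"explorer", "svchost", "smss", "system", "lsass", "winlogon", "services"}

FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")


def parse_fport(text):
    """Map (proto, local_port) -> (pid, process_name, path)."""
    owners = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if m:
            pid, name, port, proto, path = m.groups()
            name = name.lower()
            if name.endswith(".exe"):
                name = name[:-4]
            owners[(proto, int(port))] = (int(pid), name, path)
    return owners


def parse_netstat(text):
    """Return [(proto, local_ip, local_port, remote_ip, remote_port, state)]."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state = m.groups()
            conns.append((proto, lip, None if lport == "*" else int(lport),
                          rip, None if rport == "*" else int(rport), state))
    return conns


def suspicious_connections(fport_text, netstat_text):
    """Return [(pid, process, local_port, remote, reason)] for ESTABLISHED
    connections owned by a host process or by no known process at all."""
    owners = parse_fport(fport_text)
    findings = []
    for proto, _lip, lport, rip, rport, state in parse_netstat(netstat_text):
        if state != "ESTABLISHED":
            continue
        remote = "%s:%s" % (rip, rport)
        owner = owners.get((proto, lport))
        if owner is None:
            findings.append((None, None, lport, remote, "no process owns this port"))
            continue
        pid, name, _path = owner
        if name in HOST_PROCESSES:
            findings.append((pid, name, lport, remote,
                             "system host process talking to a remote host; check its loaded DLLs"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_connections(FPORT_SAMPLE, NETSTAT_SAMPLE):
        print(finding)
```

In the constructed data, explorer.exe (PID 1044) holds the ESTABLISHED connection to port 80 that a glance at netstat alone would pass off as web browsing, while the genuine browser's connection on port 1027 is left alone.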
Fourth, use a sniffer to see what data is actually being transmitted on that open port. Putting the network card into promiscuous mode lets it receive every IP packet; the sniffer program then picks out the packets of interest for analysis, and the rest is simply decoding them according to the relevant protocol RFCs. This reveals which port the trojan uses, and combined with Fport and Procedump we can locate the trojan DLL. As a personal recommendation, the sniffer IRIS has a graphical interface and is easy to use.
Fifth, when hunting trojans we habitually try our luck in the registry. That used to be quite effective, but a trojan that registers itself as a service (principle: NT/2K/XP load the specified service program at system startup) leaves nothing strange in any of the usual places: the Startup folder, the registry run keys, autoexec.bat, win.ini, system.ini, wininit.ini, *.inf files (such as autorun.inf), config.sys and so on. At that point look at the services instead: right-click My Computer - Manage - Services and Applications - Services. You will see more than 100 services (Microsoft itself says roughly 75% of them are unnecessary for an individual user and can be disabled); go through them one by one and remove whichever looks wrong :) Of course, if you previously exported a backup of the service list, the same file-comparison method makes it very easy to find the foreign service; note which file that service loads, then use srvinstw.exe from the Resource Kit to remove the service and delete the file it loaded.
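The decoding step of the fourth point, as an added example (not the article's own material and nothing to do with IRIS): an Ethernet/IPv4/TCP frame is taken apart according to RFC 791 and RFC 793 down to the TCP 4-tuple and payload, and the payload on port 80 is checked for looking like HTTP at all. The frames are constructed here with `build_frame()` rather than captured; the MAC addresses, IP addresses and the "trojan command" bytes are invented, and the TCP checksum is left at zero and not verified, which is an assumption of this example only.

```python
"""Decode an Ethernet/IPv4/TCP frame to its payload (added example, not the
article's own material).  Frames are constructed, not captured."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ipv4_checksum(header):
    """RFC 791 one's-complement sum over the IPv4 header; 0 when it verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, src_port, dst_port, payload, flags=0x18):
    """Construct an Ethernet II frame carrying IPv4/TCP with the given payload.
    MACs are placeholders; flags 0x18 = PSH|ACK; TCP checksum left at 0 (assumption)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, flags, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in header checksum
    return eth + ip + tcp + payload


def decode_frame(frame):
    """Return the TCP 4-tuple, flags and payload of an IPv4/TCP frame, or raise ValueError."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    if ip[9] != IPPROTO_TCP:
        raise ValueError("not TCP")
    ip = ip[:struct.unpack("!H", ip[2:4])[0]]     # drop any Ethernet padding
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length incl. options
    return {
        "src": socket.inet_ntoa(ip[12:16]), "src_port": src_port,
        "dst": socket.inet_ntoa(ip[16:20]), "dst_port": dst_port,
        "flags": tcp[13], "payload": tcp[data_off:],
    }


def looks_like_http(payload):
    """Crude check: does the payload open like an HTTP request or response?"""
    return payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"HTTP/"))


def demo():
    """Two constructed frames to port 80: a browser request and a trojan command."""
    browse = build_frame("192.168.1.5", "203.0.113.9", 1027, 80, b"GET / HTTP/1.0\r\n\r\n")
    trojan = build_frame("192.168.1.5", "203.0.113.7", 1026, 80, b"\x01\x05cmd:dir c:\\\r\n")
    return [(d["src_port"], d["dst_port"], looks_like_http(d["payload"]))
            for d in (decode_frame(browse), decode_frame(trojan))]


if __name__ == "__main__":
    for src_port, dst_port, is_http in demo():
        print("port %d -> %d: %s" % (src_port, dst_port, "HTTP" if is_http else "NOT HTTP"))
```

The second frame is exactly the `UserIP:1026 -> ControllerIP:80 ESTABLISHED` case from the third point: the port says web, the payload says otherwise, and that is the evidence a port listing alone cannot give.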
Using the five methods above, you can basically find and remove even a crafty dynamic embedded DLL trojan. You may also have noticed that making a few backups in advance is a great help when hunting for trojans, and it relieves a lot of the workload too.