Methods for detecting trojans ~~ have a look for reference ~~



winson
2001-03-22, 12:51 AM
Trojan detection methods

1. Autostart folder
Everything in here will restart.
C:\windows\start menu\programs\startup {english}
C:\windows\Menu Démarrer\Programmes\Démarrage {french}
This Autostart Directory is saved in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Startup="C:\windows\start menu\programs\startup"
'So it could be easily changed by any program.

2. Win.ini
[windows]
load=file.exe
run=file.exe

3. System.ini [boot]
Shell=Explorer.exe file.exe

4. c:\windows\winstart.bat
'Note: behaves like a usual BAT file. Used for copying/deleting specific files. Autostarts every time.

5. Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

6. c:\windows\wininit.ini
'Often used by setup programs; when the file exists it is run ONCE and then is deleted by Windows.
Example: (content of wininit.ini)
[Rename]
NUL=c:\windows\picture.exe
'This example sends c:\windows\picture.exe to NUL, which means that it is deleted. This
requires no interactivity with the user and runs totally stealth.

7. Autoexec.bat
Starts everytime at Dos Level.

8. Registry Shell Spawning
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"

The key should have a value of "%1 %*"; if this is changed to "server.exe %1 %*",
then server.exe is executed EVERY TIME an exe/pif/com/bat/hta is executed.
Known as the Unknown Starting Method and currently used by Subseven.

9. Icq Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key includes all the APPS which are executed IF ICQNET Detects an Internet Connection.

10. Misc Information
[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

The NeverShowExt key has the function to HIDE the real extension of the file (here) SHS.
This means if you rename a file as "Girl.jpg.shs" it displays as "Girl.jpg" in all programs
including Explorer.
Your registry should be full of NeverShowExt keys; simply delete the key to get the real
extension to show up.
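As an added example (not part of winson's post or any tool he names), the following Python script checks items 2, 3, 5 and 8 above against a .reg export and INI text instead of a live registry, so it runs on any OS; the sample export and INI fragments are constructed, and the expected shell\open\command value is the `"%1" %*` shown in the key listing.

```python
# Constructed sample inputs (not taken from a real machine): a .reg-style
# export of keys the post lists, plus win.ini and system.ini fragments.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="server.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=file.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe file.exe\n"

EXPECTED_SPAWN = '"%1" %*'  # normal (Default) value of every shell\open\command key
RUN_SUFFIXES = ('\\run', '\\runonce', '\\runservices', '\\runservicesonce')

def parse_sections(text):
    """Parse .reg or .ini text into {section: {name: value}}; names are lowercased."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and '=' in line:
            name, _, value = line.partition('=')
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                # undo .reg escaping of a quoted string: \" -> " and \\ -> \
                value = value[1:-1].replace('\\"', '"').replace('\\\\', '\\')
            sections[current][name.strip().strip('"').lower()] = value
    return sections

def audit(reg_text, win_ini, system_ini):
    """Return findings for autostart locations 2, 3, 5 and 8 of the post."""
    findings = []
    for path, values in parse_sections(reg_text).items():
        low = path.lower()
        if low.endswith('\\shell\\open\\command') and values.get('@') != EXPECTED_SPAWN:
            findings.append(f'shell spawning hook: {path} -> {values.get("@")}')
        elif low.endswith(RUN_SUFFIXES):  # every entry here autostarts; review each one
            for name, value in values.items():
                findings.append(f'run key entry: {path}\\{name} = {value}')
    win = {k.lower(): v for k, v in parse_sections(win_ini).items()}.get('windows', {})
    findings += [f'win.ini {n}={win[n]}' for n in ('load', 'run') if win.get(n)]
    boot = {k.lower(): v for k, v in parse_sections(system_ini).items()}.get('boot', {})
    extra = [t for t in boot.get('shell', '').split() if t.lower() != 'explorer.exe']
    if extra:
        findings.append('system.ini shell= also starts: ' + ' '.join(extra))
    return findings
```

Run `audit(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI)` to see the four findings the sample data produces; feed it text from `regedit /e` and your own INI files to check a real machine.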

tsungchi
2001-03-22, 01:01 AM
Hmm~ hmm
If your antivirus software finds a trojan or virus but cannot quarantine it (or reports the file is in use),
or after rebooting you get "cannot find file xxx", then go into these files and regedit and kill it there~~!!
I have also run into a file that, once executed, secretly writes format into your autoexec.bat
~~@@ scary, isn't it
Heh heh~ but the lockdown2000 I installed still caught it

srobin
2001-04-27, 10:37 AM
Originally posted by winson
Trojan detection methods

10. Misc Information
[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

The NeverShowExt key has the function to HIDE the real extension of the file (here) SHS.
This means if you rename a file as "Girl.jpg.shs" it displays as "Girl.jpg" in all programs
including Explorer.
Your registry should be full of NeverShowExt keys; simply delete the key to get the real
extension to show up.


Sorry, admin..... I'm a bit confused about this last solution. I have already found this [HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]
@="Scrap object" "NeverShowExt"=""
but there is no 【@="Scrap object"】 line...... Is this written after 【"NeverShowExt"=""】, or what?..... I don't get it....
I'm a bit slow....... could a guru please explain..... Thanx.....

Monkeykuo
2001-04-28, 07:02 AM
lockdown2000 ver 5-7... isn't much use...
change port, still can get hacked by trojan...
and trojan list is limited...
Zonealarm is a little better, it blocks all ports, but still.....can get hacked.


ActiveX can also carry a trojan!!

ROACH
2001-05-02, 11:33 PM
Let me introduce everyone to a piece of software dedicated to scanning for trojans.
Some hacker books on the market also cover it~

The Cleaner
http://dynamsol.ulink.net/files/cleaner3.exe

It can also update its trojan signatures at any time~~ so it can find more trojans.

Give it a try, everyone

win98
2001-05-03, 02:54 AM
Sorry, admin..... I'm a bit confused about this last solution. I have already found this [HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]
@="Scrap object" "NeverShowExt"=""
but there is no 【@="Scrap object"】 line...... Is this written after 【"NeverShowExt"=""】, or what?..... I don't get it....
I'm a bit slow....... could a guru please explain..... Thanx.....
I think it's like this; see if it helps
(Default) "Scrap object"
For example
NeverShowExt "": the extensions of all files are not hidden
NeverShowExt "shs": all .shs extensions are hidden