檢測木馬方法
1. Autostart folder
Everything in here will restart.
C:\windows\start menu\programs\startup {english}
C:\windows\Menu D幦arrer\Programmes\D幦arrage {french}
This Autostart Directory is saved in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders Startup="C:\windows\start menu\programs\startup"
'So it could be easily changed by any program.
2. Win.ini
[windows]
load=file.exe
run=file.exe
3. System.ini [boot]
Shell=Explorer.exe file.exe
4. c:\windows\winstart.bat
'Note behaves like an usual BAT file. Used for copying deleting specific files. Autostarts
everytime
5. Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
6. c:\windows\wininit.ini
'Often Used by Setup-Programs when the file exists it is run ONCE and then is deleted by windows
Example: (content of wininit.ini)
[Rename]
NUL=c:\windows\picture.exe
'This example sends c:\windows\picture.exe to NUL, which means that it is deleted. This
requires no interactivity with the user and runs totaly stealth.
7. Autoexec.bat
Starts everytime at Dos Level.
8. Registry Shell Spawning
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
The key should have a value of Value "%1 %*", if this is changed to "server.exe %1 %*",
the server.exe is executed EVERYTIME an exe/pif/com/bat/hta is executed.
Known as Unkown Starting Method and is currently used by Subseven.
9. Icq Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\
This key includes all the APPS which are executed IF ICQNET Detects an Internet Connection.
10. Misc Information
[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]
@="Scrap object" "NeverShowExt"=""
The NeverShowExt key has the function to HIDE the real extension of the file (here) SHS.
This means if you rename a file as "Girl.jpg.shs" it displays as "Girl.jpg" in all programs
including Explorer.
Your registry should be full of NeverShowExt keys, simply delte the key to get the real
extension to show up.
 |
回覆時引用此文章
書籤