What is a Trojan Horse?
By Doug Chick

For those of you who were never told the story from Greek mythology: a giant wooden
horse was presented as a gift, and inside the horse were soldiers in hiding, waiting to
leap out and take the city. In the computer world, a Trojan horse is a program that opens
up a back door to your computer so that the program's creator can leap out and, well, you
know. How do most of these Trojan horse programs get on your computer in the first place?
They are embedded in all those free programs that you download from the Internet. You
know, free port scanning software, network-analyzing software, and anything someone might
think valuable. Sneaky little devils. You install the software for them. Most successful
invasions into your system are implemented with your help. So remember, no one gives away
anything for free without there being an underlying motive.
Listed below are the most common loading
points for a Trojan horse program.
Autoexec.bat
Programs can load from anywhere in this file. Be especially suspicious of files whose
names are similar to legitimate DOS or Windows file names, for example Command.bat and
Explore.exe. The Autoexec.bat file is not commonly used to load Trojans.
Win.ini
[windows]
load=
run=
Programs loading from the Win.ini file will generally be loaded from the load= or run=
lines in the [windows] section. Beware of entries that load from here but sit far off at
the end of the line. The line may be very long and can scroll off the right edge of the
window. Be on the lookout for a scroll bar at the bottom of the window. This indicates
that there is something off the edge of the field of view. Scroll to the right and make
sure there is nothing there.
System.ini
[boot]
shell=explorer.exe
On the shell= line in the [boot] section of the System.ini file there can be up to two
entries. Therefore, it is possible to throw a second executable file on this line and have
it load up with the shell. Other things to look for here are a scroll bar on the bottom
(implying that there is more text off to the right that you are not able to see) and a
second executable name, such as Trojan.exe.
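The Win.ini and System.ini checks described above can be done without relying on the eye and the scroll bar. The following is an added example, not code from the original article: the function names, the 80-column window width and the assumption that explorer.exe is the only expected shell are choices made for this sketch, and the sample file contents are constructed.

```python
# Added example: audit Win.ini / System.ini text for the loading points above.
VISIBLE_COLS = 80  # assumption: editor window width; text past this needs scrolling


def ini_values(text, section, keys):
    """Yield (key, value, raw_line) for the given keys inside [section]."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # section names are case-insensitive
        elif current == section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() in keys:
                yield key.strip().lower(), value.strip(), raw.rstrip()


def audit(win_ini, system_ini, expected_shell="explorer.exe"):
    """Return a list of findings, one string per entry that needs review."""
    findings = []
    for key, value, raw in ini_values(win_ini, "windows", {"load", "run"}):
        # Anything named on load= or run= starts with Windows, so list it all.
        for program in value.replace(",", " ").split():
            findings.append(f"win.ini {key}= starts {program}")
        if value and len(raw) > VISIBLE_COLS:
            findings.append(f"win.ini {key}= line runs past column {VISIBLE_COLS}")
    for key, value, raw in ini_values(system_ini, "boot", {"shell"}):
        programs = value.split()
        if not programs or programs[0].lower() != expected_shell:
            findings.append(f"system.ini shell= is not {expected_shell}: {value!r}")
        for extra in programs[1:]:  # a second executable riding along with the shell
            findings.append(f"system.ini shell= has extra entry {extra}")
        if len(raw) > VISIBLE_COLS:
            findings.append(f"system.ini shell= line runs past column {VISIBLE_COLS}")
    return findings


# Constructed sample input (not from a real system); the entries are padded
# with spaces so that they sit off the right edge of an 80-column window.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=" + " " * 120 + "C:\\WINDOWS\\Explore.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe" + " " * 100 + "Trojan.exe\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print(finding)
```

A clean pair of files (empty load= and run= lines, shell=explorer.exe alone) produces no findings.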
Winstart.bat
Programs can be loaded at any location in this file. On startup, the system will look
through the entire path for the Winstart.bat file. If it exists it will be run just like
any other batch file.
NOTE: This file does not exist on all systems, and very often there will not be
one.
StartUp folder
This folder resides under the "\Windows\Start Menu\Programs" folder. To access
this folder, right-click the Start button, click Open, and then double-click the Programs
folder. Here you will find the StartUp folder. Anything in this folder will automatically
run when Windows starts after user login.
Registry
CAUTION: We strongly recommend that you back up the system registry before making
any changes. Incorrect changes to the registry could result in permanent data loss or
corrupted files. Please make sure you modify only the keys specified.
There are several places that files can load from the registry. Some of the most common
ones are listed here:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CLASSES_ROOT\exefile\shell\open\command