问题解决--如何检测我们的系统里面存在木马程序
<P class=MsoNormal style="TEXT-INDENT: 21pt"><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">首先,查看</SPAN><SPAN lang=EN-US>system.ini</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">、</SPAN><SPAN lang=EN-US>win.ini</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">、启动组中的启动项目。由“开始→运行”,输入</SPAN><SPAN class=SpellE><SPAN lang=EN-US>msconfig</SPAN></SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">,运行</SPAN><SPAN lang=EN-US>Windows</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">自带的“系统配置实用程序”。</SPAN> <SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">第一步我们可以查看</SPAN><SPAN lang=EN-US>system.ini</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">文件,选中“</SPAN><SPAN lang=EN-US>System.ini</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">”标签,展开</SPAN><SPAN lang=EN-US></SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">目录,查看“</SPAN><SPAN lang=EN-US>shell=</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">”这行,正常为“</SPAN><SPAN lang=EN-US>shell=Explorer.exe</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">”,如果不是这样,就可能中了木马了。</SPAN><SPAN lang=EN-US><?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p></SPAN></P><P class=MsoNormal style="TEXT-INDENT: 21pt"><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">第二步就是查看</SPAN><SPAN lang=EN-US>win.ini</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">文件,选中</SPAN><SPAN lang=EN-US>win.ini</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">标签,展开</SPAN><SPAN lang=EN-US></SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">目录项,查看“</SPAN><SPAN lang=EN-US>run=</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">”和“</SPAN><SPAN lang=EN-US>load=</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">”行,等号后面正常应该为空。</SPAN><SPAN lang=EN-US><o:p></o:p></SPAN></P><P class=MsoNormal style="TEXT-INDENT: 21pt"><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">第三步就是查看启动组,看看启动标签中的启动项目,有没有什么非正常项目?要是有<SPAN class=GramE>象</SPAN></SPAN><SPAN class=SpellE><SPAN lang=EN-US>netbus</SPAN></SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">、</SPAN><SPAN class=SpellE><SPAN lang=EN-US>netspy</SPAN></SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">、</SPAN><SPAN class=SpellE><SPAN lang=EN-US>bo</SPAN></SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">等关键词,极有可能就是木马了。</SPAN><SPAN lang=EN-US><o:p></o:p></SPAN></P><P class=MsoNormal style="TEXT-INDENT: 21pt"><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">我们一般都将启动组中的项目保持在比较精简的状态,不需要或无大用途的项目都屏蔽掉了。只是选中了与注册表检查、音量控制、输入法和能源保护相关的启动栏。到时要是有木马出现,自是一目了然。</SPAN> <SPAN lang=EN-US><o:p></o:p></SPAN></P><P class=MsoNormal style="TEXT-INDENT: 21pt"><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">第四步就是查看注册表,由“开始→运行”,输入</SPAN><SPAN class=SpellE><SPAN lang=EN-US>regedit</SPAN></SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">,确定就可以运行注册表编辑器。再展开至:“</SPAN><SPAN lang=EN-US>HKEY-LOCAL-MACHINE\Software\ Microsoft\ Windows\<SPAN class=SpellE>CurrentVersion</SPAN>\Run</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">”目录下,查看键值中有没有自己不熟悉的自动启动文件项目,比如</SPAN><SPAN class=SpellE><SPAN lang=EN-US>netbus</SPAN></SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">、</SPAN><SPAN class=SpellE><SPAN lang=EN-US>netspy</SPAN></SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">、</SPAN><SPAN class=SpellE><SPAN lang=EN-US>netserver</SPAN></SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">等的单词。注意,有的木马程序生成的服务器程序文件很像系统自身的文件,想由此伪装蒙混过关。比如</SPAN><SPAN lang=EN-US>Acid Battery</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">木马,它会在注册表项“</SPAN><SPAN lang=EN-US>HKEY-LOCAL-MACHINE\SOFTWARE\Microsoft\Windows\ <SPAN class=SpellE>CurrentVersion</SPAN>\Run</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">”下加入</SPAN><SPAN lang=EN-US>Explorer=</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">“</SPAN><SPAN lang=EN-US>C:\Windows\expiorer.exe</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">”,木马服务器程序与系统自身的真正的</SPAN><SPAN lang=EN-US>Explorer</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">之间只有一个字母的差别!</SPAN> <SPAN lang=EN-US><o:p></o:p></SPAN></P><P class=MsoNormal style="TEXT-INDENT: 21pt"><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">然后我们通过类似的方法对下列各个主键下面<SPAN class=GramE>的键值进行</SPAN>检查:</SPAN> <SPAN lang=EN-US><o:p></o:p></SPAN></P><P class=MsoNormal style="TEXT-INDENT: 21pt"><SPAN lang=EN-US>HKEY-LOCAL-MACHINE\Software \Microsoft\Windows\<SPAN class=SpellE>CurrentVersion\RunOnce</SPAN> <o:p></o:p></SPAN></P><P class=MsoNormal style="TEXT-INDENT: 21pt"><SPAN lang=EN-US>HKEY-LOCAL-MACHINE\Software\ Microsoft\Windows\<SPAN class=SpellE>CurrentVersion\RunOnceEx</SPAN> <o:p></o:p></SPAN></P><P class=MsoNormal style="TEXT-INDENT: 21pt"><SPAN lang=EN-US>HKEY-LOCAL-MACHINE\Software\ Microsoft\Windows\<SPAN class=SpellE>CurrentVersion\RunServices</SPAN> <o:p></o:p></SPAN></P><P class=MsoNormal style="TEXT-INDENT: 21pt"><SPAN lang=EN-US>HKEY-LOCAL-MACHINE\Software\ Microsoft\Windows\<SPAN class=SpellE>CurrentVersion\RunServicesOnce</SPAN> <o:p></o:p></SPAN></P><P class=MsoNormal style="TEXT-INDENT: 21pt"><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">如果操作系统是</SPAN><SPAN lang=EN-US>Windows NT/2000</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">,还得注意</SPAN><SPAN lang=EN-US>HKEY-LOCAL-MACHINE\Software\ SAM</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">下面的内容,如果有项目,那极有可能就是木马了。正常情况下,该主键下面是空的。当然在注册表中还有很多地方都可以隐藏木马程序,上面这些<SPAN class=GramE>主键是木马</SPAN>比较常用的隐身之处。除此之外,<SPAN class=GramE>象</SPAN></SPAN><SPAN lang=EN-US>HKEY-CURRENT-USER\Software\Microsoft\ Windows\<SPAN class=SpellE>CurrentVersion</SPAN>\Run</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">、</SPAN><SPAN lang=EN-US>HKEY-USERS\****\Software\Microsoft\Windows\Current Version\Run</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的目录下都有可能成为木马的藏身之处。最好的办法就是在</SPAN><SPAN lang=EN-US>HKEY-LOCAL-MACHINE\Software\ Microsoft\Windows\ <SPAN class=SpellE>CurrentVersion</SPAN>\Run</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">或其他主键下面找到木马程序的文件名,再通过其文件名对整个注册表进行全面搜索就知道它有几个藏身的地方了。</SPAN><SPAN lang=EN-US><o:p></o:p></SPAN></P><P class=MsoNormal style="TEXT-INDENT: 21pt"><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">如果有留意,你会发现注册表各个<SPAN class=GramE>主键下都会</SPAN>有个叫“</SPAN><SPAN lang=EN-US>(</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">默认</SPAN><SPAN lang=EN-US>)</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">”名称的注册项,而且数据显示为“</SPAN><SPAN lang=EN-US>(</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">未设置键值</SPAN><SPAN lang=EN-US>)</SPAN><SPAN style="FONT-FAMILY: 宋体; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">”,也就是空的,这是正常现象。如果发现这个<SPAN class=GramE>默认项被替换</SPAN>了,那么替换它的就是木马了。</SPAN></P> 是真对WINDOWS XP PRO....来说的吗?Re:问题解决--如何检测我们的系统里面存在木马程序
老大辛苦!乐天来此一游~~~
页:
[1]