An ASP Trojan is a web program written in ASP. It runs on any hosting space that can run ASP, which makes ASP Trojans hard to discover. So how do we prevent them? The specifics follow.
Modify three components to prevent ASP Trojan attacks:
FileSystemObject component: performs regular operations on files.
WScript.Shell component: can call the system kernel to run DOS commands.
Shell.Application component: can call the system kernel to run DOS commands.
I. Use of the FileSystemObject component
1. You can prevent the harm of such Trojans by modifying the registry to rename this component.
Rename HKEY_CLASSES_ROOT\Scripting.FileSystemObject\ to another name, for example FileSystemObject_good. From then on, call the component by the new name and it works normally.
2. Also change the CLSID value, that is, the value of the item HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID\. It can also be deleted to prevent the harm of such Trojans.
3. Unregister this component with the command:
regsvr32 /u C:\WINNT\system32\scrrun.dll
To restore it, run the same command without /u to re-register the ASP component.
4. Prohibit Guest users from using scrrun.dll so that this component cannot be called, with the command:
cacls C:\WINNT\system32\scrrun.dll /e /d guests
II. Use of the WScript.Shell component
1. You can prevent the harm of such Trojans by modifying the registry to rename this component.
Rename HKEY_CLASSES_ROOT\WScript.Shell\ and HKEY_CLASSES_ROOT\WScript.Shell.1\ to other names, for example WScript.Shell_ChangeName or WScript.Shell.1_ChangeName.
From then on, call the component by the new name and it works normally.
2. Also change the CLSID values: the value of the item HKEY_CLASSES_ROOT\WScript.Shell\CLSID\ and the value of the item HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID\.
They can also be deleted to prevent the harm of such Trojans.
III. Use of the Shell.Application component
1. You can prevent the harm of such Trojans by modifying the registry to rename this component.
Rename HKEY_CLASSES_ROOT\Shell.Application\ and HKEY_CLASSES_ROOT\Shell.Application.1\ to other names, for example Shell.Application_ChangeName or Shell.Application.1_ChangeName.
From then on, call the component by the new name and it works normally.
2. Also change the CLSID values: the value of the item HKEY_CLASSES_ROOT\Shell.Application\CLSID\ and the value of the item HKEY_CLASSES_ROOT\Shell.Application.1\CLSID\.
They can also be deleted to prevent the harm of such Trojans.
3. Prohibit Guest users from using shell32.dll so that this component cannot be called, with the command:
cacls C:\WINNT\system32\shell32.dll /e /d guests
IV. Calls to cmd.exe
Prohibit users in the Guests group from calling cmd.exe with the command:
cacls C:\WINNT\system32\Cmd.exe /e /d guests
V. Treatment of other hazardous components:
Adodb.stream (classid: {00000566-0000-0010-8000-00AA006D2EA4})
WScript.Network (classid: {093FF999-1EA0-4079-9525-9614C3504B74})
WScript.Network.1 (classid: {093FF999-1EA0-4079-9525-9614C3504B74})
Generally speaking, the above components are not needed and can be deleted directly. If some of your ASP pages do use them, simply call them by the changed component name when writing the ASP code and they work normally. Of course, if you are sure that the above components are not used in your ASP programs, deleting them outright is the more reassuring choice.
Quick delete method:
Start, Run, Regedit to open the registry editor, then press Ctrl+F and search in turn for each of the component names above, such as WScript.Shell, and for the corresponding ClassID, and delete or rename each match.
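To confirm that the renames and CLSID deletions described above took effect, an exported copy of HKEY_CLASSES_ROOT can be checked offline. The following is an added example, not part of the original article: the function names, status labels and the sample export are constructed for illustration, and the ProgID list is the one given on this page.

```python
import re

# ProgIDs this page names as the components ASP Trojans rely on.
RISKY_PROGIDS = ["Scripting.FileSystemObject", "WScript.Shell", "WScript.Shell.1",
                 "Shell.Application", "Shell.Application.1",
                 "Adodb.Stream", "WScript.Network", "WScript.Network.1"]

SECTION = re.compile(r"^\[HKEY_CLASSES_ROOT\\([^\]]+)\]$", re.I)
DEFAULT = re.compile(r'^@="([^"]*)"$')

def parse_hkcr(reg_text):
    """Map each exported HKCR subkey (lower-cased) to its default value or None."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section, default = SECTION.match(line), DEFAULT.match(line)
        if section:
            current = section.group(1).lower()
            keys.setdefault(current, None)
        elif line.startswith("["):
            current = None  # a key outside HKEY_CLASSES_ROOT
        elif default and current is not None:
            keys[current] = default.group(1)
    return keys

def audit(reg_text):
    """Classify each risky ProgID: exposed, clsid_removed or renamed_or_deleted."""
    keys = parse_hkcr(reg_text)
    def state(name):
        if not any(k == name or k.startswith(name + "\\") for k in keys):
            return "renamed_or_deleted"   # original name no longer resolves
        return "exposed" if keys.get(name + "\\clsid") else "clsid_removed"
    return {progid: state(progid.lower()) for progid in RISKY_PROGIDS}

# Constructed sample export. Regedit writes UTF-16, so decode a real file first.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\WScript.Shell_ChangeName]
[HKEY_CLASSES_ROOT\Scripting.FileSystemObject]
[HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID]
[HKEY_CLASSES_ROOT\WScript.Network]
[HKEY_CLASSES_ROOT\WScript.Network\CLSID]
@="{093FF999-1EA0-4079-9525-9614C3504B74}"
"""

if __name__ == "__main__":
    for progid, status in audit(SAMPLE).items():
        print(f"{progid:28} {status}")
```

Any ProgID reported as exposed is still callable under its original name and still points at a CLSID, so the steps for that component have not been applied.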
Those are the methods for preventing ASP Trojans. Try them out yourself to see whether they achieve the expected results.