Where are viruses hiding on the server?

One type of malware is the Trojan horse: a program that gives an attacker remote control of a machine. It is stealthy and dangerous: it can control or monitor your system without anyone noticing. Some say that because Trojans are so capable, you should stay well away from them! Check now whether a Trojan horse or other virus is on your computer, it may be the cause of the problems in your "house"! Below are the places where viruses, Trojan horses included, hide on a server. Once you have read through them, don't forget to pick up the tricks for dealing with this damage!

1. Integration into the program

In fact, a Trojan is a server-client program. To make it hard for users to remove, it is often integrated into another program and bound to that particular application. The malware can have broad powers, such as uploading to a server or overwriting the original files. So even if the Trojan is removed, as long as the application it is bound to is run, the Trojan is installed again. If it is bound to a system file, the Trojan runs every time Windows starts and loads that file.

2. Configuration file

Most people use a GUI operating system and pay no attention to configuration files that no longer seem important, which is exactly what gives a Trojan horse or any other virus a haven. Using the start-up functions of these configuration files, a Trojan can launch itself and infiltrate a computer, then spy on or control it. However, this method is not well hidden and is easy to find, so Trojans are rarely loaded through Autoexec.bat and Config.sys, but do not take it lightly.

3. Integration in Win.ini

For a Trojan horse to control a computer it must be running, but nobody would be foolish enough to run a Trojan on their own machine by hand. So the malware must find a safe place from which it is launched automatically at system start-up, which is why it hides in Win.ini. Open Win.ini and have a look: its [windows] section contains the "load=" and "run=" start-up entries. Normally the part after "=" is blank. If instead it looks like run=c:\windows\file.exe or load=c:\windows\file.exe, be careful: that file.exe is probably a Trojan horse.

4. Disguise as a regular file

This method appeared relatively late and is now very popular; it easily fools inexperienced Windows users. The trick is to disguise the executable as an image or text file.

5. Integration into the registry

Because the registry is so complex, Trojan horses like to hide in it. Some malware modifies Windows registry keys to add itself to the autorun entries, so that it runs every time the operating system starts. Malicious programs change registry keys to stay resident all the time.

6. Integration in System.ini

System.ini in the Windows installation directory is another place Trojan horses like to hide. Open this file and check how it differs from a clean one. Does the [boot] section contain something like shell=Explorer.exe file.exe? If so, you are out of luck: the file.exe here is a Trojan server program! Also check the "driver=path\program name" entries in the [386Enh] section, which Trojans can use too. Finally, pay attention to three more sections of System.ini: [mci], [drivers] and [drivers32]. These sections load drivers and are also a convenient place to add a Trojan.
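The Win.ini and System.ini checks from sections 3 and 6 can be automated. The following Python script is an added example, not code from the original article: it parses INI text, flags non-empty load=/run= lines in [windows], a [boot] shell= line that names anything besides Explorer.exe, and [386Enh]/[mci]/[drivers]/[drivers32] entries that point at an executable rather than a driver. The two INI samples are constructed for the example; on a real host you would read the files from the Windows directory instead.

```python
import re
import sys

# Driver sections normally reference .drv/.vxd/.386/.dll/.acm files; an .exe, .com,
# .bat or similar in one of these lines is worth a look (heuristic, not proof).
EXECUTABLE_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif)\b", re.IGNORECASE)
DRIVER_SECTIONS = ("386enh", "mci", "drivers", "drivers32")


def parse_ini(text):
    """Minimal INI parser that keeps duplicate keys (System.ini repeats device=)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def check_win_ini(text):
    """Return (section, key, value) for load=/run= entries that are not blank."""
    return [("windows", key, value)
            for key, value in parse_ini(text).get("windows", [])
            if key in ("load", "run") and value]


def check_system_ini(text):
    """Flag extra programs on the shell= line and executables in driver sections."""
    findings = []
    sections = parse_ini(text)
    for key, value in sections.get("boot", []):
        extra = [p for p in value.split() if p.lower() != "explorer.exe"]
        if key == "shell" and extra:
            findings.append(("boot", key, value))
    for sec in DRIVER_SECTIONS:
        for key, value in sections.get(sec, []):
            if EXECUTABLE_EXT.search(value):
                findings.append((sec, key, value))
    return findings


# Constructed samples modelled on the article's examples (not real files).
WIN_INI = r"""[windows]
load=
run=c:\windows\file.exe
NullPort=None
"""

SYSTEM_INI = r"""[boot]
shell=Explorer.exe file.exe
mouse.drv=mouse.drv
[386Enh]
device=*vcd
device=c:\windows\system\svc.exe
[drivers32]
msacm.msadpcm=msadp32.acm
"""

if __name__ == "__main__":
    # Pass real file contents via stdin redirection, or run without args for the demo.
    win = sys.argv[1] if len(sys.argv) > 1 else None
    for finding in check_win_ini(open(win).read() if win else WIN_INI):
        print("Win.ini    suspicious: [%s] %s=%s" % finding)
    for finding in check_system_ini(SYSTEM_INI):
        print("System.ini suspicious: [%s] %s=%s" % finding)
```

A hit is a starting point for review, not a verdict: some old software legitimately used run= or load=, so confirm the file's origin (vendor, signature, install date) before removing anything.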

7. Temp folders

The operating system contains a set of temporary folders, from the internet cache to application data, and these are a common landing site for viruses once cybercriminals gain access to the system through phishing, exploits, rootkits or other methods. Malicious programs use temporary folders as a launch pad for immediate execution or privilege escalation, and from there create further footholds on the company network.
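Sections 4, 5 and 7 describe traits a defender can screen autorun entries for: a registry Run value or start-up item that launches from a temporary folder, or a file name with a decoy extension in front of the real executable one. The script below is an added example, not code from the article; the autorun entries it triages are constructed (in practice you would feed it the output of a registry or start-up folder listing).

```python
import ntpath

# Path fragments typical of temporary / cache locations (case-insensitive match).
TEMP_DIRS = ("\\temp\\", "\\tmp\\", "\\inetcache\\", "\\temporary internet files\\")
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXT = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf", ".doc", ".docx"}


def split_command(cmd):
    """Extract the program path from a command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def disguised_name(filename):
    """True for names like photo.jpg.exe: a document extension hiding an executable one."""
    base, ext = ntpath.splitext(filename)
    if ext.lower() not in EXEC_EXT:
        return False
    _, inner = ntpath.splitext(base)
    return inner.lower() in DECOY_EXT


def triage_autoruns(entries):
    """entries: iterable of (location, name, command). Returns (location, name, reasons)."""
    flagged = []
    for location, name, command in entries:
        exe = split_command(command)
        reasons = []
        if any(fragment in exe.lower() for fragment in TEMP_DIRS):
            reasons.append("runs from a temporary folder")
        if disguised_name(ntpath.basename(exe)):
            reasons.append("double extension disguises an executable")
        if reasons:
            flagged.append((location, name, reasons))
    return flagged


# Constructed sample entries in the shape of a registry Run key / start-up folder dump.
SAMPLE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Vendor Updater",
     r'"C:\Program Files\Vendor\updater.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "WinUpdate",
     r"C:\Users\alice\AppData\Local\Temp\winupdate.exe"),
    ("Startup folder", "holiday photos",
     r'"C:\Users\alice\Downloads\holiday photos.jpg.exe"'),
]

if __name__ == "__main__":
    for location, name, reasons in triage_autoruns(SAMPLE_AUTORUNS):
        print(f"{location} :: {name}: {'; '.join(reasons)}")
```

The first entry passes both checks and is not reported, which is the point: the heuristics narrow the list to entries worth a manual look rather than declaring anything clean.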

8. LNK files

LNK files, also known as "shortcuts", can contain a direct path to a ransomware website or, more dangerously, to an executable file. Most likely many of them sit on your employees' desktops for quick access to frequently used web applications and other tools.

9. Word files

Many cybercriminals use Microsoft Office VBA to embed ransomware in macros inside Word documents.

Malware Prevention Suggestions

1. Use complex passwords on the server: a combination of uppercase and lowercase letters, numbers and special characters, and long enough. At the same time, add a security policy that limits the number of failed login attempts, and change your login password regularly.

2. Remember that you cannot use the same or similar passwords to log in to multiple computers.

3. Make regular isolated backups of important data. Note that the backup must be isolated: it should not live on the same network, otherwise the backup server can be encrypted along with everything else in a ransomware attack.

4. Fix system vulnerabilities in a timely manner, and do not ignore security patches for various frequently used services.

5. Close unnecessary services and ports, such as the high-risk ports 135, 139, 445 and 3389.

6. Strictly control the permissions of shared folders, and prefer cloud collaboration tools where you need to share data.

7. Raise security awareness, do not click on unfamiliar links or email attachments from unknown sources, conduct a security scan before clicking or launching, and try to download and install software through official channels.
