Any virus or Trojan horse present on a system cannot completely sever its ties to processes. Even when hiding techniques are used, clues can still be found in the process list, so looking at the processes active on the system is the most direct way to detect viruses and Trojans. However, the system runs so many processes that it is hard to tell which are normal system processes and which belong to a Trojan, and Trojans frequently imitate system processes. What role do these processes play? This article explains.
Three ways a virus hides its process
When we have confirmed that a virus is present on the system, yet cannot find any strange process when viewing system processes in "Task Manager", the virus has used some hiding measures. They can be summed up as three methods:
1. Passing off the fake as genuine
Normal system processes include svchost.exe, explorer.exe, iexplore.exe, winlogon.exe and so on. Perhaps you have found processes like these on your system: svch0st.exe, explore.exe, iexplorer.exe, winlogin.exe. Compare them: can you spot the differences? This is a tactic viruses commonly use to confuse the user's eyes. Typically they take a normal system process name and change o to 0, l to i, or i to j, and use the result as their own process name; a single character differs, but the meaning is completely different. Alternatively they add or drop one letter: explorer.exe and iexplore.exe are already easy to confuse, and a further iexplorer.exe is even more confusing. If the user is not careful, the name is generally overlooked and the virus process escapes notice.
2. Swapping in a substitute
If the user is more cautious, the method above is useless and the virus will be caught. So viruses have wised up and learned the trick of substitution. If a process is named svchost.exe, exactly the same as the normal system process name, is it then safe? Definitely not. In fact it is exploiting a defect of "Task Manager": it cannot show which executable file a process corresponds to. We know that the executable behind the svchost.exe process is located in the "C:\WINDOWS\system32" directory (on Windows 2000, C:\WINNT\system32). If the virus copies itself into "C:\WINDOWS", renames itself svchost.exe and runs, what we see in "Task Manager" is also svchost.exe, no different from the normal system process. Can you identify which one is the virus's process?
3. Reincarnation
Besides the two methods above, viruses have one more ultimate technique: reincarnation. A so-called "body-borrowing" virus uses process injection technology to insert the DLL files it needs into a normal system process. On the surface nothing suspicious appears, but in essence the virus has taken control of the system process, and unless we use a professional process detection tool, finding the virus hidden inside is very difficult.
System process FAQ
Many system processes were mentioned above. What exactly are these system processes, and how do they work? Here we explain each of them. I believe that once you are familiar with these system processes, you will be able to see through the virus's "passing off the fake as genuine" and "swapping in a substitute" tricks.
svchost.exe
This process is often impersonated by viruses as svch0st.exe, schvost.exe or scvhost.exe. As the number of Windows system services has grown, Microsoft made many services share one process, started by svchost.exe, in order to save system resources. Such system services are implemented as dynamic-link libraries (DLLs); they point to the executable program svchost, which loads the corresponding service DLL to start the service. We can open "Control Panel" → "Administrative Tools" → "Services" and double-click the "ClipBook" service: in its property panel the corresponding executable path is "C:\WINDOWS\system32\clipsrv.exe". Double-click the "Alerter" service instead and the executable path is "C:\WINDOWS\system32\svchost.exe -k LocalService", while the "Server" service's executable path is "C:\WINDOWS\system32\svchost.exe -k netsvcs". Calling services this way saves a lot of system resources, so the multiple svchost.exe entries that appear on the system are just system services.
Normally a Windows 2000 system has two svchost.exe processes: one is the RPCSS (Remote Procedure Call) service process, and the other is a single svchost.exe shared by many services. On Windows XP there are generally more than four svchost.exe service processes. If on XP or earlier the number of svchost.exe processes exceeds five, we must be careful: there may be a virus posing as one. But in the Vista and Windows 7 era, 8 to 12 svchost processes are normal! The method for testing whether a process is a normal system process is very simple: use a process management tool, such as the process management function of Vista Optimization Master, to look at the executable file path of svchost.exe. If it lies outside the "C:\WINDOWS\system32" directory, it can be determined to be a virus.
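The three checks described in this article (lookalike names such as svch0st.exe, an svchost.exe loaded from outside system32, and an implausible svchost.exe count for the Windows version) can be run over a captured process list. The following is an added example written for this page, not code from the original post or from any tool it mentions. It assumes a default install on drive C:, uses the svchost.exe count limits stated above (2 on Windows 2000, 5 on XP, 12 on Vista/7), and treats a name within two edits of a well-known system process name as a lookalike (my own threshold, chosen so that transpositions such as scvhost.exe and schvost.exe are caught). The sample process list is constructed for the demonstration; on a real machine the same (name, path) pairs come from a process management tool.

```python
"""Triage a (process name, executable path) listing for the three hiding tricks.

Added example for this article; not the post's own code. Thresholds below
are the article's figures, the edit distance limit is an assumption.
"""

# Well-known process names that malware likes to imitate (from the article).
KNOWN_SYSTEM_NAMES = ("svchost.exe", "explorer.exe", "iexplore.exe", "winlogon.exe")

# Directory svchost.exe must load from (Windows 2000 uses WINNT).
# Assumption: default install on drive C:. Compared case-insensitively.
SVCHOST_DIRS = (r"c:\windows\system32", r"c:\winnt\system32")

# Upper bound on the normal svchost.exe count per Windows generation, from the article.
MAX_NORMAL_SVCHOST = {"2000": 2, "xp": 5, "vista": 12, "7": 12}

# A name this many edits (or fewer) from a known name counts as a lookalike (assumption).
MAX_EDITS = 2


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap two
    adjacent characters, each costing 1 (so 'scvhost' vs 'svchost' scores 1)."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[rows - 1][cols - 1]


def _stem(name):
    """Lower-case the name and drop a trailing '.exe'."""
    name = name.lower()
    return name[:-4] if name.endswith(".exe") else name


def lookalike_of(name):
    """Known system names that `name` imitates, sorted; an exact known name yields []."""
    stem = _stem(name)
    if stem + ".exe" in KNOWN_SYSTEM_NAMES:
        return []
    return sorted(k for k in KNOWN_SYSTEM_NAMES if 1 <= osa_distance(stem, _stem(k)) <= MAX_EDITS)


def triage(processes, windows_version="xp"):
    """processes: iterable of (name, full_path). Returns a list of human-readable findings."""
    findings = []
    svchost_count = 0
    for name, path in processes:
        imitated = lookalike_of(name)                       # trick 1: lookalike name
        if imitated:
            findings.append(f"lookalike name: {name} imitates {' or '.join(imitated)} ({path})")
        if name.lower() == "svchost.exe":
            svchost_count += 1
            directory = path.lower().rsplit("\\", 1)[0]
            if directory not in SVCHOST_DIRS:               # trick 2: real name, wrong directory
                findings.append(f"svchost.exe outside system32: {path}")
    limit = MAX_NORMAL_SVCHOST[windows_version]
    if svchost_count > limit:                               # too many svchost.exe for this OS
        findings.append(f"{svchost_count} svchost.exe instances exceeds {limit} expected on Windows {windows_version}")
    return findings


# Constructed sample listing for an XP machine (not captured from a real host).
SAMPLE_XP = [("svchost.exe", r"C:\WINDOWS\system32\svchost.exe")] * 6 + [
    ("svchost.exe", r"C:\WINDOWS\svchost.exe"),            # copied into C:\WINDOWS under the real name
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ("winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),
    ("svch0st.exe", r"C:\WINDOWS\system32\svch0st.exe"),   # 0 in place of o
    ("iexplorer.exe", r"C:\WINDOWS\iexplorer.exe"),        # one extra letter
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_XP, "xp"):
        print(finding)
```

On the constructed listing this reports the svchost.exe in C:\WINDOWS, the two lookalike names, and seven svchost.exe instances against the XP limit of five; the same listing judged as a Windows 7 machine drops the count finding, since 7 is within the 8-to-12 range the article calls normal there. Path and count checks are confined to svchost.exe because that is the only process whose expected directory and count the article states.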