Tracking down a UDP Trojan - Vulnerability warning - Heiba Security Net (黑吧安全网)

ID MYHACK58:62200611119
Type myhack58
Reporter 佚名 (Anonymous)
Modified 2006-08-16T00:00:00


Most of the Trojans currently spreading on the network use a TCP port for remote control, and a Trojan of that kind is easy to spot for anyone with even a little network-security awareness. Faced with this, cunning intruders developed Trojans that use a UDP port instead; these hide very well and are not easy to find. This article describes how the author dealt with the UDP Trojan "unwary son", as a small reference for everyone.

1. Case description

After booting, as soon as I dialled up to the Internet, the network firewall popped up a prompt asking whether to allow "Internet Explorer" to connect to the network. From the "address" column of the prompt I confirmed that it really was the IE browser process requesting access, yet I only ever browse with Maxthon and never use IE itself. At first I thought the system itself was at fault and restarted it, but soon after dialling up again IE once more asked to access the Internet. A thorough virus scan of the system found nothing.

2. Finding clues from the port

Although the antivirus software had found nothing, I had a faint feeling that the hand behind this was a Trojan: an ordinary virus generally does not check whether the system is online before acting, whereas many Trojans have exactly that feature. The reason it was not caught could be that it is a brand-new Trojan program, or that the intruder modified its signature (the so-called "free-to-kill", 免杀, treatment) so that the scanner no longer recognizes it.

I dialled up again, and the firewall again showed the IE browser's request to connect. I then ran Trojan Assistant Finder (download: http://www.ysye.com/soft/446.html), a tool that helps the user check for malicious programs (Figure 1). Under its "port information" option the user can see not only which ports are open but also which process opened each of them, and can then decide, according to the actual situation, whether to terminate a process in order to close a port. The "Refresh" button updates the current port list.

! Figure 1

One detail in this information stood out: the IE browser process was actually using the UDP protocol, which means the Trojan can also communicate over UDP. Under normal circumstances, the IE browser, ordinary network access, and the common Trojans all use the TCP protocol for data transmission.

Now I only needed to find out which Trojan transmits its data over UDP in order to know what was haunting the machine. Searching the Internet, I found only one domestic Trojan, "unwary son", that uses the UDP protocol for data transmission (Figure 2).

! Figure 2

It later turned out that "unwary son" is the first UDP Trojan, advertised as "no process, no service, no DLL". It starts as a system service, and the person installing it can customize the service name, the name of the server-side program, the installation directory, the call-back ("on-line") port, and so on, which makes discovering this Trojan harder: none of these names can be relied on to be the same on another victim.

3. Removing the Trojan according to its characteristics

Because the server end of "unwary son" is started through a system service, I went to the Services manager to check the system for suspicious services.

Right-click the "My Computer" icon, choose the "Manage" command, and in the "Computer Management" window that opens select "Services" (Figure 3); then look through the system services for anything suspicious. Sure enough, I found a suspicious service named SQx, and noted both the name under which it starts and the program path it referred to: \Windows\system32\sapoolsv.exe. Then, via "Start → Run", I entered CMD to open a command prompt window and typed "sc delete sqe" (Figure 4) to delete the service. Note that sc delete takes the service's internal name, not the display name shown in the Services window; "sc qc <service name>" prints the configured binary path and confirms you have the right name before deleting. If the service is still running, sc delete only marks it for deletion, and the removal completes once the service is stopped, so stop it (or reboot) as well.

! Figure 3

! Figure 4

Clicking the "process monitoring" option in Trojan Assistant Finder and then the "Auto scan for suspicious programs" button makes the tool review the current processes and judge whether any is suspicious; the result again showed no suspicious process.

So I selected the IE browser process by hand, which shows all the modules loaded into it in the "DLL name" window. There I unexpectedly found a suspicious module, soul.dll. I terminated this bogus IE browser process and then deleted the files spoollsv.exe and soul.dll from the C:\Windows\system32 directory. After restarting the PC and dialling up again, the firewall no longer popped up a connection request: the Trojan had been removed successfully.
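The two checks above, matching open UDP ports to the process that owns them (section 2) and then examining installed services for a planted binary (section 3), can be done from the text output of the standard Windows commands instead of a third-party tool. The following Python script is an added example and is not part of the original article or of any tool it mentions. It parses constructed sample output of `netstat -ano -p UDP`, `tasklist` and `wmic service get Name,PathName`; only the service name SQx and the file name sapoolsv.exe are taken from the article, while the PIDs, addresses and other rows are made up. It flags processes that hold UDP sockets but are not in an assumed allow-list of processes that normally do, and flags service executables whose names are near-misses of a genuine Windows binary, as sapoolsv.exe is of the print spooler spoolsv.exe. The allow-list, the list of imitated binaries and the similarity threshold are assumptions to tune per host, and today's browsers legitimately use UDP (QUIC), so a browser holding a UDP socket is no longer by itself the signal it was in 2006.

```python
"""Triage helper (added example, not from the original article).

Correlates UDP sockets with their owning processes from the text output of
`netstat -ano -p UDP` and `tasklist`, then checks installed services for an
executable whose name is a near-miss of a genuine Windows binary.  All sample
output below is constructed; only the service name SQx and the file name
sapoolsv.exe are taken from the article.
"""
import re
from difflib import SequenceMatcher

# ---- constructed sample command output --------------------------------------
NETSTAT_UDP = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:500            *:*                                    1204
  UDP    0.0.0.0:4500           *:*                                    1204
  UDP    127.0.0.1:1900         *:*                                    1388
  UDP    192.168.1.23:1025      *:*                                    1972
"""

TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
lsass.exe                     1204 Console                    0      6,120 K
svchost.exe                   1388 Console                    0      4,400 K
iexplore.exe                  1972 Console                    0     18,456 K
"""

SERVICES = r"""Name      PathName
Dnscache  C:\WINDOWS\System32\svchost.exe -k NetworkService
Spooler   C:\WINDOWS\system32\spoolsv.exe
SQx       C:\Windows\system32\sapoolsv.exe
"""

# Processes that routinely own UDP sockets on a Windows host (assumption; tune per host).
USUAL_UDP_OWNERS = {"system", "lsass.exe", "svchost.exe", "services.exe"}

# Genuine Windows binaries that planted files tend to imitate (assumption; extend as needed).
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "services.exe", "winlogon.exe", "smss.exe", "explorer.exe"}

NETSTAT_RE = re.compile(r"^\s*UDP\s+(\S+)\s+\*:\*\s+(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat_udp(text):
    """[(local_endpoint, pid), ...] for every UDP row of `netstat -ano -p UDP`."""
    return [(m.group(1), int(m.group(2)))
            for m in map(NETSTAT_RE.match, text.splitlines()) if m]


def parse_tasklist(text):
    """{pid: image_name} from `tasklist` output; the header rows do not match."""
    return {int(m.group(2)): m.group(1).strip()
            for m in map(TASKLIST_RE.match, text.splitlines()) if m}


def udp_owners(netstat_text, tasklist_text):
    """image name -> sorted UDP local endpoints it holds (the tool's 'port information' view)."""
    procs = parse_tasklist(tasklist_text)
    owners = {}
    for endpoint, pid in parse_netstat_udp(netstat_text):
        owners.setdefault(procs.get(pid, "<pid %d>" % pid), []).append(endpoint)
    return {name: sorted(eps) for name, eps in owners.items()}


def unexpected_udp_processes(netstat_text, tasklist_text, allow=USUAL_UDP_OWNERS):
    """Image names that hold UDP sockets but are not expected to (the article's IE case)."""
    return sorted(name for name in udp_owners(netstat_text, tasklist_text)
                  if name.lower() not in allow)


def parse_services(text):
    """[(service_name, PathName), ...] from `wmic service get Name,PathName`."""
    rows = []
    for line in text.splitlines()[1:]:                 # skip the header row
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            rows.append((parts[0], parts[1]))
    return rows


def image_basename(path_name):
    """Lower-case executable file name from a service PathName, quoted or not."""
    exe = path_name.strip()
    exe = exe[1:exe.index('"', 1)] if exe.startswith('"') else exe.split()[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lookalike_services(text, known=SYSTEM_BINARIES, threshold=0.8):
    """Services whose executable name is close to, but not exactly, a known system binary.

    Returns [(service_name, PathName, imitated_binary), ...].  An exact match is
    not reported: only the near-misses (sapoolsv.exe vs spoolsv.exe) are interesting.
    """
    hits = []
    for name, path_name in parse_services(text):
        exe = image_basename(path_name)
        if exe in known:
            continue
        best = max(known, key=lambda k: SequenceMatcher(None, exe, k).ratio())
        if SequenceMatcher(None, exe, best).ratio() >= threshold:
            hits.append((name, path_name, best))
    return hits


if __name__ == "__main__":
    print("UDP sockets by process:", udp_owners(NETSTAT_UDP, TASKLIST))
    print("unexpected UDP owners:", unexpected_udp_processes(NETSTAT_UDP, TASKLIST))
    print("lookalike service binaries:", lookalike_services(SERVICES))
```

On a live host, feed the functions the real command output (for example `netstat -ano -p UDP > udp.txt`), and list the modules loaded into a suspect process with `tasklist /m /fi "imagename eq iexplore.exe"`, the command-line equivalent of the tool's "DLL name" view. Because the attacker chooses the service and binary names, a hit from the lookalike test is a reason to examine that file's signature and hash, not proof on its own, and a miss does not clear the host.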