If your server is plagued by ASP Trojans, I hope this article helps you solve the problem you are facing.
The ASP Trojans currently in circulation mainly rely on three components to carry out their operations on the server.
1. Use the FileSystemObject component
FileSystemObject is used to perform ordinary file operations.
You can prevent the harm of such Trojans by modifying the registry and renaming this component:
HKEY_CLASSES_ROOT\Scripting.FileSystemObject
Change the name to another name, such as FileSystemObject_ChangeName.
When you need this component yourself in the future, you can still call it normally under the new name.
Also change the CLSID value, that is the value of the
HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID key,
or delete it, to prevent the harm of such Trojans.
Command to unregister this component: regsvr32 /u C:\WINNT\system32\scrrun.dll
Prohibit Guest users from using scrrun.dll so that this component cannot be called.
Use the command: cacls C:\WINNT\system32\scrrun.dll /e /d guests
2. Use the WScript.Shell component
WScript.Shell can call the system kernel to run basic DOS commands.
You can modify the registry and rename this component to prevent the harm of such Trojans:
HKEY_CLASSES_ROOT\WScript.Shell and HKEY_CLASSES_ROOT\WScript.Shell.1
Change the names to other names, such as WScript.Shell_ChangeName or WScript.Shell.1_ChangeName.
When you need this component yourself in the future, you can still call it normally under the new name.
Also change the CLSID values, that is the values of the
HKEY_CLASSES_ROOT\WScript.Shell\CLSID key and the HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID key;
they can also be deleted to prevent the harm of such Trojans.
3. Use the Shell.Application component
Shell.Application can call the system kernel to run basic DOS commands.
You can modify the registry and rename this component to prevent the harm of such Trojans:
HKEY_CLASSES_ROOT\Shell.Application
and HKEY_CLASSES_ROOT\Shell.Application.1
Change the names to other names, such as Shell.Application_ChangeName or Shell.Application.1_ChangeName.
When you need this component yourself in the future, you can still call it normally under the new name.
Also change the CLSID values, that is the values of the
HKEY_CLASSES_ROOT\Shell.Application\CLSID key and the HKEY_CLASSES_ROOT\Shell.Application.1\CLSID key;
they can also be deleted to prevent the harm of such Trojans.
Prohibit Guest users from using shell32.dll so that this component cannot be called.
Use the command: cacls C:\WINNT\system32\shell32.dll /e /d guests
Note: all of these operations require restarting the web service to take effect.
4. Calling cmd.exe
To prevent users in the Guests group from calling cmd.exe:
cacls C:\WINNT\system32\cmd.exe /e /d guests
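The following PowerShell audit script is an added example, not part of the original article: it reports whether the three ProgIDs named above still resolve to a CLSID (i.e. whether the rename or CLSID removal was done) and whether the Guests group carries an explicit Deny entry on scrrun.dll, shell32.dll and cmd.exe. It assumes it is run as Administrator and uses $env:SystemRoot in place of the article's C:\WINNT.

```powershell
# Added audit script (not from the original article). Assumptions: run as
# Administrator; $env:SystemRoot stands in for the article's C:\WINNT.
$progIds = 'Scripting.FileSystemObject', 'WScript.Shell', 'WScript.Shell.1',
           'Shell.Application', 'Shell.Application.1'

$files = @(
    (Join-Path $env:SystemRoot 'System32\scrrun.dll'),
    (Join-Path $env:SystemRoot 'System32\shell32.dll'),
    (Join-Path $env:SystemRoot 'System32\cmd.exe')
)

function Test-ProgId {
    param([string]$ProgId)
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ ProgId = $ProgId; State = 'renamed or absent'; Clsid = $null }
    }
    # The default value of the CLSID subkey is what CreateObject("<ProgId>") resolves.
    $clsid = $null
    if (Test-Path "$key\CLSID") {
        $clsid = (Get-ItemProperty -Path "$key\CLSID").'(default)'
    }
    $state = if ($clsid) { 'still callable' } else { 'key present, CLSID removed' }
    [pscustomobject]@{ ProgId = $ProgId; State = $state; Clsid = $clsid }
}

function Test-GuestsDenied {
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ File = $Path; GuestsDenied = 'file not found' }
    }
    # Look for an explicit Deny ACE for the Guests group, which is what
    # "cacls <file> /e /d guests" creates.
    $deny = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -like '*\Guests' -and $_.AccessControlType -eq 'Deny'
    }
    [pscustomobject]@{ File = $Path; GuestsDenied = [bool]$deny }
}

$progIds | ForEach-Object { Test-ProgId $_ } | Format-Table -AutoSize
$files   | ForEach-Object { Test-GuestsDenied $_ } | Format-Table -AutoSize
```

A ProgID reported as "still callable" means an ASP page on that server can still instantiate the component, regardless of the file ACLs.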
The four steps above can basically block the popular Trojans of this kind, but the most effective approach is comprehensive security hardening of both the server and its applications. Only once a certain baseline has been reached can the security level be raised further to prevent more intrusions.