The currently popular ASP Trojans (ASP webshells) mainly rely on three technologies to perform operations on the server.
1. Use of the FileSystemObject component
FileSystemObject can perform regular file operations (read, write, copy, delete).
You can prevent the harm of such Trojans by modifying the registry and renaming this component's ProgID key:
HKEY_CLASSES_ROOT\Scripting.FileSystemObject
Change the name to another name, for example: FileSystemObject_ChangeName
From then on, use the new name when your own pages need to call this component.
Also change the value of the CLSID key under it:
HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID
You can also delete the key entirely to prevent the harm of such Trojans.
Command to unregister this component: RegSvr32 /u C:\WINNT\SYSTEM32\scrrun.dll
Deny the Guests group access to scrrun.dll so that this component cannot be called.
Use the command: cacls C:\WINNT\system32\scrrun.dll /e /d guests
2. Use of the WScript.Shell component
WScript.Shell can call the system kernel to run basic DOS commands.
You can prevent the harm of such Trojans by modifying the registry and renaming this component's ProgID keys:
HKEY_CLASSES_ROOT\WScript.Shell
and
HKEY_CLASSES_ROOT\WScript.Shell.1
Change the names to other names, for example: WScript.Shell_ChangeName or WScript.Shell.1_ChangeName
From then on, use the new names when your own pages need to call this component.
Also change the value of the CLSID keys under them:
HKEY_CLASSES_ROOT\WScript.Shell\CLSID
HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID
You can also delete the keys entirely to prevent the harm of such Trojans.
3. Use of the Shell.Application component
Shell.Application can call the system kernel to run basic DOS commands.
You can prevent the harm of such Trojans by modifying the registry and renaming this component's ProgID keys:
HKEY_CLASSES_ROOT\Shell.Application
and
HKEY_CLASSES_ROOT\Shell.Application.1
Change the names to other names, for example: Shell.Application_ChangeName or Shell.Application.1_ChangeName
From then on, use the new names when your own pages need to call this component.
Also change the value of the CLSID keys under them:
HKEY_CLASSES_ROOT\Shell.Application\CLSID
HKEY_CLASSES_ROOT\Shell.Application.1\CLSID
You can also delete the keys entirely to prevent the harm of such Trojans.
Deny the Guests group access to shell32.dll so that this component cannot be called.
Use the command: cacls C:\WINNT\system32\shell32.dll /e /d guests
Note: all of these operations require restarting the web service to take effect.
4. Calling Cmd.exe
Deny the Guests group the right to call cmd.exe:
cacls C:\WINNT\system32\Cmd.exe /e /d guests
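The following PowerShell audit script is an added example, not part of the original article, that checks whether the four hardening steps above are actually in place on a server. It assumes the article's platform layout (the system directory resolved from $env:SystemRoot, C:\WINNT\system32 on Windows 2000) and that the IIS anonymous account is a member of the local Guests group, which is what makes a "deny Guests" ACL effective for ASP pages. The function names Test-ProgIdRemoved and Test-GuestsDenied are this example's own. Note that renaming or deleting a ProgID key only breaks lookups by that name; the component's CLSID key remains registered, which is why the script reports the registry state and the file ACL state separately.

```powershell
# Added example (not from the original article): audit the four hardening steps.
# Run in an elevated PowerShell session on the web server.
# Assumptions: system directory under $env:SystemRoot (C:\WINNT\system32 in the article);
# the IIS anonymous user is in the local Guests group, so Deny ACEs for Guests apply to ASP.

$SystemDir = Join-Path $env:SystemRoot 'system32'

# ProgIDs the article renames or deletes, and the files it restricts with cacls /e /d guests
$ProgIds = @(
    'Scripting.FileSystemObject',
    'WScript.Shell', 'WScript.Shell.1',
    'Shell.Application', 'Shell.Application.1'
)
$DenyFiles = @('scrrun.dll', 'shell32.dll', 'cmd.exe') | ForEach-Object { Join-Path $SystemDir $_ }

function Test-ProgIdRemoved {
    param([string]$ProgId)
    # A renamed or deleted ProgID key no longer resolves to a type. The CLSID key itself
    # still exists after this step, so only lookups by ProgID are blocked.
    $keyPresent = Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$ProgId"
    $resolves   = $null -ne [Type]::GetTypeFromProgID($ProgId)
    [pscustomobject]@{
        ProgId     = $ProgId
        KeyPresent = $keyPresent
        Resolves   = $resolves
        Hardened   = (-not $keyPresent -and -not $resolves)
    }
}

function Test-GuestsDenied {
    param([string]$Path)
    # Looks for a Deny ACE for the local Guests group (BUILTIN\Guests),
    # which is what "cacls <file> /e /d guests" adds.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; GuestsDenied = $false }
    }
    $acl = Get-Acl -LiteralPath $Path
    $denied = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -match '\\Guests$'
    }
    [pscustomobject]@{ Path = $Path; Exists = $true; GuestsDenied = [bool]$denied }
}

'== ProgID checks (steps 1-3, registry) =='
$ProgIds | ForEach-Object { Test-ProgIdRemoved $_ } | Format-Table -AutoSize

'== File ACL checks (steps 1, 3 and 4, cacls) =='
$DenyFiles | ForEach-Object { Test-GuestsDenied $_ } | Format-Table -AutoSize

# Reminder from the article: changes only affect running ASP pages after the web service restarts.
```

Rows with Hardened = False or GuestsDenied = False point at a step that was skipped or reverted; rerun the script after the web service restart to confirm the state persisted.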
The four settings above can basically prevent the currently popular Trojans, but the most effective approach is comprehensive security hardening that brings the server and the application up to a defined standard. Only then can the security level be raised further to prevent more intrusions.