Trojan FAQ contd. Part 2

[nsbuttar]

well as most of you asked to address some question to removing Trojans etc. i have come out with this continuation, here i have addressed 5 more questions. You can look at the whole document at http://navtejonline.gq.nu/articles/trojans.html or see the tread http://www.antionline.com/showthread...hreadid=243229
hey guys, help me to improve this FAQ ask any question if you feel is unaddressed here

----------------- FAQ Continues------------------------

What is the motive behind installing a Trojan?

The most prominant motive is to let your PC be controlled remotely, or install a backdoor in your box after a hacker has successfully entered it so that he has an ensured access to your box. It let a hacker to carry out his tasks from your IP, thus covering the hacker. Any reason you can think of, why would someone like to control your PC remotely, to see your private life or anything else, is the motive for installing a Trojan on your PC.


What is the difference between a Trojan and a virus?

Well, there is clear distinction between a virus and a Trojan. The distinction is, Replication. Replication is the first and the foremost requirement for a program to be categorized as virus. Even if a program is totally harmless but if it has the property to replicate itself, it is a Virus. But Trojans don't replicate, they basically let someone else control your box from someother computer without your knowledge.


Can a Trojan do harm to any Data on my PC?

By itself, usually no. Because the Trojans are usually not written with destructive payloads, but technically it not impossible to write such Trojans. So there are minimal chances that a Trojan by itself will so any harm to your data unless the hackers explicitly asks the Trojan to do it or a person has created a variation of the original Trojan to do so.


How Do I Know I Am Infected?

Under certain circumstances it may be very difficult. Though we have tools that claim to detect and remove Trojans including anti-viruses, but in reality these tools can only detect and remove only a fraction of existing Trojans. Secondly the source code some of the Trojans is free on net, ready to be compiled. This makes the scenario more worst. As this allows a lot of variations of the Trojan to be created with varied signatures. As most of anti-viruses and other tools rely on Signatures of malicious program, as stated by Anti-Trojan on this FAQ page http://www.anti-trojan.net/en/faq50001.aspx "Anti-Trojan works with a Trojan signature database. ", so the recompiled variations may go unnoticed. Then we have some softwares which are produced by reputed software companies called RAT tools, can be used in place of Trojans as i explained in What Are The Various Methods To Deliver Trojans?

But i won't ask you to abandon these tools wholly, because most of the newbies won't try to recompile these programs or do some tampering with the executable.

So what is the best way to know if you are infected. I would say port scan yourself if you find any suspicious ports open probably you have Trojan installed on your box. A comprehensive list of know ports used by common Trojans can be found here: A port list of common Trojans and a comprehensive list of Trojans can be found here http://www.anti-trojan.net/en/trojanlist.aspx


How I can get rid of Trojan If I am infected?

If you are infected with a Trojan, first of all run a good anti-virus like Norton,Macfee or AVG etc. and/or a Trojan cleaner tool, you may be lucky if it detects and remove the Trojan.

But if you are unlucky, then in Windows XP/2000/NT from task manager select process viewer tab and try to locate if any unusual file is running. In windows 98, you can use a tool called 'psview' or 'process viewer' it is a freeware which allows you to see processes are running, even those which don't show up in the 'end program' box also allows you to change the priority of any running process as well as let you see the open files, an indispensable tool for 98 users. Also get a tool which can tell you which application is listening on which port, this may give you the filename of the Trojan, kill the suspicious process and get rid of the file. Or try to locate which processes are started automatically from 'msconfig' or registry key ' HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', you may figure out Trojane executable file.

[lover4u]

hey thx nsbuttar for such good info

[tamariki]

Awesome information. A free process viewer can be obtained from
http://www.xmlsp.com/downloads-free.htm

[wizkiddaniel]

Cool stuff!
I'm in this hacking club called sinred. they have many Trojans and some tight links. they have jrojans for download and to protect you PC. Enjoy!
http://www.sinred.com
P.S. become a member... you can get more information
P.S.S. Need something, email me or something, i'll get it for you.

[noODle]

Trojan and rootkit prevention.

Any self respecting cracker will try to hide his traces.
Any self respecting cracker will try to keep access.

These two things are important to keep in mind when protecting any box.

First of all it is imporant to keep up to date with your system.
Don't open attachments from strangers.
Run a firewall and antivirus software.

That's nice.

Like mentioned in some other thread: 'Once you are compromised it is hard to detect'.

Some trojans will manipulate the kernel of your system directly. Therefore you won't be able to detect them.
It will for example try to hide an open connection from netstat or a process from taskmanager (ps).

To detect this kinda manipulation you should document your system on initial install (and every time you patch/install some thing) and preferably image it.
Create md5sums of the system files and keep them in a save place.
(update em on patching).

Now if you suspect you have been compromised a safe environment would come in handy.
You could use for example 'knoppix' to examine your system.

Check the md5sums of files you suspect. Replace forged ones with the original.

[ZomBieMann77]

I gotta say this to wizkiddaniel. I would realy not brag about being in a hackig club on this site. Or advertise for their wesite where u can download trojans. The whole point of antionlie is agaist that kinda thing. Or at least put some kind of disclaimer like "If you want to see how they work on your own machine" or somehing to that effect. Im not trying to flame you or anything like that. Since this is only your second post let me give a little advice. Read around a little in theese forums before you start posting. Ive seen alot of people get alot of Neg's for posts like yours. I would realy encourage you to stay and read and hopefully learn.

Oh by the way nsButtar..... good job. looks like you realy put some time in this one.