
Trojan Horse Removal Guide 

Trojan horse removal is important, but let us first understand how to prevent a Trojan from getting in. Keeping a Trojan program from being installed on a system is the main concern, and the defence depends on how the Trojan is installed on the target system. A Trojan makes its way onto the target in various ways, such as an email attachment, a floppy disk, an FTP download or spam.



Often the malicious network backdoor Trojan arrives as an attachment posing as a harmless program, such as a game or a music download. When the host program is executed, the Trojan is installed in the security context of the user, meaning that the program can only do what that user can do on the target computer system.

At installation time, the program attempts to write values to the Registry and to copy one or more files to a directory. If the user's security settings do not allow that user to add values to the Registry or save files to the directory, it is very difficult for the Trojan to install properly, and difficult for it to run.

Ensure that the file system is NTFS to protect your computer system from Trojan attack. Set the access control list (ACL) on particular directories and Registry keys, restricting the type of access users have to those resources. Enabling auditing of failed write events on those resources allows the system administrator to detect attempts to install a Trojan program.

Don't forget to set the ACLs on the C:\WINNT and C:\WINNT\SYSTEM32 directories to prevent users from creating files in them. Give users Read (RX) access to the directories and to the files within them. Also remove the Everyone group from access to these directories, and remove the Everyone group and all user groups from the "Bypass Traverse Checking" privilege via User Manager.

Set the Access Control List (ACL) 


Also, set the ACLs on the following Registry keys to prevent users from changing and adding values to these keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
The list above of Registry keys modified by Trojan programs is not comprehensive.

Finally, enable auditing on the directories listed above and choose "Replace Auditing on Existing Files." At a minimum, audit failure events for users attempting to write to the directories. For the Registry keys, enable auditing and choose "Audit Permission on Existing Subkeys." At a minimum, audit failure events for Set Value and Create Subkey.

The key here is that if the user is unable to either add a value to a Registry key or add a file to a directory, the Trojan will not be installed properly.
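As an added example (not from the original article), the following PowerShell applies the failure-audit rules just described to the Registry keys listed above. It assumes Windows PowerShell 5.1 on a current Windows version, run from an elevated prompt; the article's Windows NT User Manager steps are replaced by the equivalent auditpol command and .NET audit-rule calls.

```powershell
# Added example: audit failed "Set Value" / "Create Subkey" attempts on the
# autostart keys the article lists. Assumes an elevated Windows PowerShell 5.1
# session (SeSecurityPrivilege is needed to read or write a SACL).
# The audit policy itself must also be on, or nothing reaches the Security log:
#   auditpol /set /subcategory:"Registry" /failure:enable

$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',  # Win9x-era key; usually absent
    'HKLM:\System\CurrentControlSet\Services'
)

# "Everyone" by well-known SID so the rule does not depend on the display language.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.RegistryRights]::SetValue -bor
            [System.Security.AccessControl.RegistryRights]::CreateSubKey

# ContainerInherit makes the rule cover existing and future subkeys, which is
# what the article's "Audit Permission on Existing Subkeys" option did.
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Warning "$key does not exist on this system; skipping."
        continue
    }
    # -Audit makes Get-Acl include the SACL; without it the audit entries are not read back.
    $acl = Get-Acl -Path $key -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $key -AclObject $acl
    Write-Output "Failure auditing for SetValue/CreateSubKey applied to $key"
}
```

Failed attempts then appear as audit-failure entries in the Security event log, which is the signal the article relies on to spot an installation attempt.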

Install a comprehensive anti-virus package and keep it updated. Configure automatic updates and enable offline scanning.


Run remote scans of the directories regularly, looking for specific filenames. Trojans generally do not overwrite or append to critical system files and DLLs, so knowing the signatures of various Trojans and looking for those files provides a means of tracking them down.

Regularly scan the Registry keys listed above; many Trojans leave a footprint in them. Freeware or shareware tools can be used to scan for known signatures, or to perform a baseline scan and compare all subsequent scans against the baseline. Remember that only authorized software packages should be present in these keys.
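As an added example (not part of the original article), here is a PowerShell baseline-and-compare scan of the autostart keys listed above, in the spirit of the baseline tools the text mentions. It assumes Windows PowerShell 5.1, and the baseline file location is a hypothetical choice.

```powershell
# Added example: snapshot the Run/RunOnce/RunServices values, save them as a
# baseline, and report anything added, removed or changed on later runs.
# Assumes Windows PowerShell 5.1; $baselinePath is a hypothetical location.
$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
$baselinePath = 'C:\Baseline\autorun-baseline.json'
# Properties Get-ItemProperty adds that are not Registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutorunSnapshot {
    # Returns a hashtable of "key\valuename" -> command line for every autostart value.
    $snapshot = @{}
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }
            $snapshot["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    return $snapshot
}

function Compare-AutorunBaseline {
    param([string]$Path)
    $current = Get-AutorunSnapshot
    if (-not (Test-Path -Path $Path)) {
        # First run on a known-clean system: record the baseline and stop.
        New-Item -ItemType Directory -Path (Split-Path -Path $Path) -Force | Out-Null
        $current | ConvertTo-Json | Set-Content -Path $Path
        return "Baseline written to $Path ($($current.Count) autostart entries)."
    }
    $baseline = @{}
    (Get-Content -Path $Path -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    # A new value, or a known value now pointing at a different command, is suspect.
    foreach ($entry in $current.Keys) {
        if (-not $baseline.ContainsKey($entry)) { "ADDED   $entry = $($current[$entry])" }
        elseif ($baseline[$entry] -ne $current[$entry]) { "CHANGED $entry : '$($baseline[$entry])' -> '$($current[$entry])'" }
    }
    foreach ($entry in $baseline.Keys) {
        if (-not $current.ContainsKey($entry)) { "REMOVED $entry = $($baseline[$entry])" }
    }
}

Compare-AutorunBaseline -Path $baselinePath
```

Run it once on a system known to be clean to write the baseline, then schedule it; any ADDED or CHANGED line names a Registry entry to investigate before assuming it is authorized software.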

Once a Trojan program has been detected, removal generally consists of removing its entries from the Registry, rebooting the system, and then deleting the executable or DLL files.

Set appropriate policies according to the configuration of your computer systems. Establish and implement an information security policy; information security policies provide executive management's overall guidance and vision for the corporate security program.

Important points to remember


It is very important that the information security policies and standards establish a requirement for comprehensive backup and recovery procedures, as well as for the use of anti-virus software.

Stay alert to relevant security issues. Establish audit and logging procedures, as well as guidelines for collecting and analyzing audit data across the organization, and a periodic assessment procedure that first baselines systems and then verifies compliance with the established policies and standards.

Train users for awareness. Tell users not to execute suspicious attachments, especially those that arrive by email from unknown sources.

I hope these steps will not only protect you from current threats but also enable you to detect and protect your system against future threats, and help you with Trojan horse removal.
