How to prevent ASP Trojans from running on your server


If your server is plagued by ASP Trojans, I hope this article helps you solve the problem.

The ASP Trojans that are popular today rely mainly on three technologies to operate on the server.

First, use of the FileSystemObject component

FileSystemObject can perform ordinary file operations. You can rename the component in the registry to prevent the harm done by this kind of Trojan.

Rename HKEY_CLASSES_ROOT\Scripting.FileSystemObject\ to another name, for example FileSystemObject_ChangeName. From then on, use the new name to call the component normally.

The CLSID value must also be changed: the value of the HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID\ item. Alternatively, it can be deleted to prevent the harm done by this kind of Trojan.

Command to unregister this component:

RegSvr32 /u C:\WINNT\SYSTEM32\scrrun.dll

Deny Guest users access to scrrun.dll to prevent them from calling this component.

Use the command:

cacls C:\WINNT\system32\scrrun.dll /e /d guests

Second, use of the WScript.Shell component

WScript.Shell can call the system kernel to run basic DOS commands. You can rename the component in the registry to prevent the harm done by this kind of Trojan.

Rename HKEY_CLASSES_ROOT\WScript.Shell\ and HKEY_CLASSES_ROOT\WScript.Shell.1\ to other names, for example WScript.Shell_ChangeName or WScript.Shell.1_ChangeName. From then on, use the new name to call the component normally. The CLSID values must also be changed:

HKEY_CLASSES_ROOT\WScript.Shell\CLSID\ item value
HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID\ item value

Alternatively, they can be deleted to prevent the harm done by this kind of Trojan.

Third, use of the Shell.Application component

Shell.Application can call the system kernel to run basic DOS commands. You can rename the component in the registry to prevent the harm done by this kind of Trojan.

Rename HKEY_CLASSES_ROOT\Shell.Application\
and HKEY_CLASSES_ROOT\Shell.Application.1\

to other names, for example Shell.Application_ChangeName or Shell.Application.1_ChangeName. From then on, use the new name to call the component normally. The CLSID values must also be changed:

HKEY_CLASSES_ROOT\Shell.Application\CLSID\ item value
HKEY_CLASSES_ROOT\Shell.Application.1\CLSID\ item value

Alternatively, they can be deleted to prevent the harm done by this kind of Trojan.

Deny Guest users access to shell32.dll to prevent them from calling this component.

Use the command:

cacls C:\WINNT\system32\shell32.dll /e /d guests

Note: The operations above require a restart of the WEB service to take effect.

Fourth, calls to Cmd.exe

Deny the Guests group permission to call cmd.exe:

cacls C:\WINNT\system32\Cmd.exe /e /d guests

The four steps above are a basic setup that stops several of the currently popular Trojans. The most effective solution, however, is comprehensive security configuration that brings the server and its applications up to a certain security standard; a higher security level can then be set to prevent more illegal intrusions.
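
To confirm that the four steps above actually took effect, a read-only audit can check each one. This is an added example, not part of the original article; the variable names are illustrative, and it assumes PowerShell 3.0 or later and uses $env:SystemRoot in place of the article's C:\WINNT.

```powershell
# Added audit example: read-only, changes nothing on the system.
# ProgIDs and file names are the ones named in the article; $env:SystemRoot
# stands in for the article's C:\WINNT (assumption for other install paths).
$progIds = 'Scripting.FileSystemObject', 'WScript.Shell', 'WScript.Shell.1',
           'Shell.Application', 'Shell.Application.1'
$files   = 'scrrun.dll', 'shell32.dll', 'cmd.exe'

# Built-in Guests group by its well-known SID, so localized group names still match.
$guestsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-546'
$sidType   = [System.Security.Principal.SecurityIdentifier]

$results = @()
foreach ($id in $progIds) {
    # COM resolves a ProgID through the default value of its CLSID subkey.
    $clsid    = $null
    $clsidKey = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$id\CLSID" -ErrorAction SilentlyContinue
    if ($clsidKey) { $clsid = $clsidKey.GetValue('') }
    $results += [pscustomobject]@{
        Item   = $id
        Check  = 'original ProgID no longer resolves'
        Passed = [string]::IsNullOrEmpty($clsid)
        Detail = if ($clsid) { "still maps to $clsid" } else { 'renamed or CLSID removed' }
    }
}
foreach ($name in $files) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    # Look for an explicit or inherited Deny entry for Guests, as cacls /d adds.
    $deny = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $guestsSid.Value -and
                       $_.AccessControlType -eq 'Deny' }
    $results += [pscustomobject]@{
        Item   = $path
        Check  = 'Guests denied access'
        Passed = [bool]$deny
        Detail = if ($deny) { 'Deny entry present' } else { 'no Deny entry for Guests' }
    }
}
$results | Format-Table -AutoSize
```

Any row with Passed = False marks a step that was skipped or has been reverted, for example by a system update that re-registers a component.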