Windows Tutorials - Herong's Tutorial Examples - Version 5.62, by Dr. Herong Yang
Winsock 2 LSP and Spyware Trojans
This section describes how the Winsock 2 LSP stack can be exploited by spyware trojans to relink existing or adding new LSP registry entries.
As you can see from the Winsock SPI and LSP design, Internet spyware and trojans can easily exploit the following areas:
1. Modifying Winsock 2 LSP stack settings to run trojan DLL files instead of Windows system files: rsvpsp.dll and mswsock.dll.
2. Adding extra entries in the Winsock 2 LSP stack to run trojan DLL files.
Once a spyware trojan DLL file gets installed into the Winsock 2 LSP stack through one of the above methods, it will quietly filtering all Internet communications going out of and coming into the system and:
The diagram shows how a spyware trojan DLL can be installed into the Winsock 2 LSP stack:
A simple way to detect spyware trojan infections in Winsock 2 LSP stack is to use the "netsh winsock show catalog" command as presented in the previous section. You need to inspect all DLL files reported by the command and find who is a trojan DLL.
Table of Contents