Places that viruses and trojans hide on start up

ShaolinTiger
Forum Fanatic
Joined: 18 Apr 2002
Location: Kuala Lumpur, Malaysia

Posted: Wed Feb 26, 2003 1:34 pm    Post subject: Places that viruses and trojans hide on start up

1. START-UP FOLDER. This applies to all versions of Windows: Windows 9x has a global Startup folder, and Windows XP/2000 have a per-user and an All Users Startup folder.

c:\Documents and Settings\All Users\Start Menu\Programs\Startup

And

c:\Documents and Settings\username\Start Menu\Programs\Startup

Windows opens every item in the Startup folder at startup/login. This folder is easy to find, and you can just right-click and delete to remove items from it.

Note that the above says 'open', not 'run': this means that if there is a .txt file, Notepad will open; if there is a .wav file, the default program for handling .wav files will open; and so on. Shortcuts are usually put in the Startup folder, but entire programs/documents/files can be put there.

STARTUP ORDER FOR WINDOWS NT4/2000/XP

The user enters a password and logs on to the system.

2. REGISTRY. Windows executes all instructions in the "Run" section of the Windows Registry. Items in the "Run" section (and in other parts of the Registry listed below) can be programs or files that programs open (documents), as explained in No. 1 above.

All Run Keys:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunEx]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunEx]

3. REGISTRY. Windows executes all instructions in the "RunServices" section of the Registry.

Computer Management -> Services - items set to "Automatic"

4. REGISTRY. Windows executes all instructions in the "RunOnce" part of the Registry.

5. REGISTRY. Windows executes instructions in the "RunServicesOnce" section of the Registry. (Windows uses the two "RunOnce" sections to run programs a single time only, usually on the next bootup after a program installation.)

7. REGISTRY. Windows executes instructions in the HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %* section of the Registry. Any command embedded here will open when any .exe file is executed.

Other possibles:

[HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"

If keys don't have the "\"%1\" %*" value as shown, and are changed to something like "\"somefilename.exe %1\" %*", then they automatically invoke the specified file.

8. BATCH FILE. Windows executes all instructions in the Winstart batch file, located in the Windows folder. (This file is unknown to nearly all Windows users and most Windows experts, and might not exist on your system. You can easily create it, however. Note that some versions of Windows call the Windows folder the "WinNT" folder.) The full filename is WINSTART.BAT.

9. INITIALIZATION FILE. Windows executes instructions in the "RUN=" line in the WIN.INI file, located in the Windows (or WinNT) folder.

10. INITIALIZATION FILE. Windows executes instructions in the "LOAD=" line in the WIN.INI file, located in the Windows (or WinNT) folder.

It also runs things on the shell= line in System.ini (c:\windows\system.ini):

[boot]
shell=explorer.exe C:\windows\filename

The file name following explorer.exe will start whenever Windows starts.

As with Win.ini, file names might be preceded by considerable space on such a line, to reduce the chance that they will be seen. Normally, the full path of the file will be included in this entry. If not, check the \Windows directory.


11. RELAUNCHING. Windows reruns programs that were running when Windows shut down. Windows cannot do this with most non-Microsoft programs, but it will do it easily with Internet Explorer and with Windows Explorer, the file-and-folder manager built into Windows. If you have Internet Explorer open when you shut Windows down, Windows will reopen IE with the same page open when you boot up again. (If this does not happen on your Windows PC, someone has turned that feature off. Use Tweak UI, the free Microsoft Windows user interface manager, to reactivate "Remember Explorer settings," or whatever it is called in your version of Windows.)

12. TASK SCHEDULER. Windows executes autorun instructions in the Windows Task Scheduler (or any other scheduler that supplements or replaces the Task Scheduler). The Task Scheduler is an official part of all Windows versions except the first version of Windows 95, but is included in Windows 95 if the Microsoft Plus Pack was installed.

13. SECONDARY INSTRUCTIONS. Programs that Windows launches at startup are free to launch separate programs on their own. Technically, these are not programs that Windows launches, but they are often indistinguishable from ordinary auto-running programs if they are launched right after their "parent" programs run.

14. C:\EXPLORER.EXE METHOD.

C:\Explorer.exe

Windows loads explorer.exe (typically located in the Windows directory) during the boot process. However, if c:\explorer.exe exists, it will be executed instead of the Windows explorer.exe. If c:\explorer.exe is corrupt, the user will effectively be locked out of their system after they reboot.

If c:\explorer.exe is a trojan, it will be executed. Unlike all other autostart methods, there is no need for any file or registry changes: the file simply has to be named c:\explorer.exe.

15. ADDITIONAL METHODS.

Additional autostart methods. The first two are used by Trojan SubSeven 2.2.

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

ICQ Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key specifies that all applications will be executed if ICQNET detects an Internet connection.

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] ="Scrap object"
"NeverShowExt"=""
This key changes your file's specified extension.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute]

This is the first thing that is run.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]

------------------------

If you find anything strange in any of these locations check for startup files here:

http://www.pacs-portal.co.uk/startup_pages/startup_all.php


Last edited by ShaolinTiger on Wed Nov 05, 2003 8:38 pm; edited 2 times in total
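As an added example (not part of ShaolinTiger's post, and not code from any tool the thread names), the following Python script checks several of the locations above offline, from a regedit export and win.ini/system.ini copied off the machine: it verifies that the exefile/comfile/batfile/htafile/piffile command keys still hold "%1" %*, lists every entry under the Run family of keys, flags a Winlogon Shell or Userinit value that chains an extra program, and strips the whitespace padding the post warns about before reading run=, load= and shell= lines. The sample inputs and the example_*.exe paths in them are constructed for the demonstration; the script never touches a live registry.

```python
"""Offline audit of autostart locations from a regedit export and .ini files.

Added example, not code from the original post.  Only REG_SZ values are
parsed (enough for these checks); hex(...) data and continuation lines are
skipped.  The sample artifacts at the bottom are constructed for the demo.
"""
import re

# Default data of <type>file\shell\open\command on a clean system (item 7 in
# the post); anything else launches an extra program with every file of that type.
EXPECTED_COMMAND = '"%1" %*'
COMMAND_KEY = re.compile(r"\\(exe|com|bat|hta|pif)file\\shell\\open\\command$")
RUN_FAMILY = re.compile(r"\\currentversion\\run(once|onceex|services|servicesonce)?$")
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"


def parse_reg(text):
    """Return {key.lower(): {value_name: data}} from regedit export text ('@' = default value)."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            data = m.group(3)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # Undo .reg string escaping: \\ becomes \ and \" becomes "
                reg[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return reg


def audit_reg(text):
    """Return (key, value_name, data, reason) tuples for the registry locations in the post."""
    findings = []
    for key, values in parse_reg(text).items():
        in_classes = key.startswith("hkey_classes_root\\") or \
            key.startswith("hkey_local_machine\\software\\classes\\")
        if in_classes and COMMAND_KEY.search(key):
            data = values.get("@", "")
            if data.strip() != EXPECTED_COMMAND:
                findings.append((key, "@", data, "file-type handler hijack"))
        elif RUN_FAMILY.search(key):
            # Run/RunOnce/RunServices entries are legitimate as often as not,
            # so each one is reported for the reviewer to look up by name.
            for name, data in values.items():
                findings.append((key, name, data, "autostart entry"))
        elif key == WINLOGON:
            vals = {n.lower(): d for n, d in values.items()}
            shell = vals.get("shell", "explorer.exe")
            if shell.strip().lower() != "explorer.exe":
                findings.append((key, "Shell", shell, "program chained after the shell"))
            # Stock Userinit is one userinit.exe path plus a trailing comma; a
            # second comma-separated path is run at every logon as well.
            userinit = vals.get("userinit", "")
            parts = [p.strip() for p in userinit.split(",") if p.strip()]
            if len(parts) > 1 or (parts and not parts[0].lower().endswith("userinit.exe")):
                findings.append((key, "Userinit", userinit, "extra logon program"))
    return findings


def audit_ini(text):
    """Return (name, value, reason) for run=/load= (win.ini) and shell= (system.ini) lines.

    Values are stripped first, so the whitespace padding the post warns about
    cannot push a file name out of sight.
    """
    findings = []
    for raw in text.splitlines():
        m = re.match(r"^\s*(run|load|shell)\s*=(.*)$", raw, re.IGNORECASE)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if name in ("run", "load") and value:
            findings.append((name, value, "win.ini autostart"))
        elif name == "shell":
            parts = value.split()
            if parts and parts[0].lower() != "explorer.exe":
                findings.append((name, value, "replacement shell"))
            elif len(parts) > 1:
                findings.append((name, value, "program chained after explorer.exe"))
    return findings


# Constructed sample artifacts; the example_*.exe paths are invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="\"C:\\WINDOWS\\System32\\example_hijack.exe\" \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\example_logon.exe"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=                              C:\\WINDOWS\\example_padded.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe C:\\WINDOWS\\example_chained.exe\n"

if __name__ == "__main__":
    for f in audit_reg(SAMPLE_REG) + audit_ini(SAMPLE_WIN_INI) + audit_ini(SAMPLE_SYSTEM_INI):
        print(" | ".join(f))
```

Run it against a real export (regedit: File, Export, with the keys above selected, or `reg export`) and the two .ini files from the Windows directory; the HKEY_LOCAL_MACHINE\Software\Classes copy of each command key is checked separately from HKEY_CLASSES_ROOT because an export can contain either.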
GSecur
Trusted SF Member
Joined: 30 Sep 2002

Posted: Wed Feb 26, 2003 4:26 pm

This is some great info Shaolin, I sent you a PM.
r3L4x
Just Arrived
Joined: 06 Apr 2003

Posted: Sun Apr 06, 2003 3:20 am

Wow, I have never seen so much info on startup methods! All you need to do is get HackerEliminator to watch those reg keys and you are impenetrable!
Paragon
Trusted SF Member
Joined: 26 Feb 2003
Location: Away

Posted: Mon Apr 07, 2003 5:27 am

r3L4x wrote:
Wow, I have never seen so much info on startup methods!
And that's not all of them.
Quote:
All you need to do is get HackerEliminator to watch those reg keys and you are impenetrable!
That's a joke, right?
Dark-Avenger
Just Arrived
Joined: 21 Apr 2003
Location: France

Posted: Mon Apr 21, 2003 8:45 pm

To hide an app in Task Manager under Win XP, you must add "-b" after the path.

Ex: if you want to hide 'c:\test.exe' on startup under Win XP, write 'c:\test.exe -b' in the Run key in the registry. That's all!

Easy, isn't it? ;-p)
Leroy
Just Arrived
Joined: 15 Oct 2003

Posted: Fri Oct 17, 2003 8:54 am

Here is an example of some disruption through startup processes:

"When it installed itself it corrupted a little-used system file (spoolsv.exe) and put in a whole lot of registry data.

It created two separate startup procedures:

1. This ran a program (I never found it; I simply disabled it as a startup process. I think it no longer exists because I can't find it...) which extracted the registry data into a file called *something*.reg, and then closed itself.

2. This added the registry data from that file into the registry (ran regedit with the file name as a parameter, I think), and changed all my Internet settings to show a certain page as my search page, my home page, and all this other crap. It then closed itself too."

So there is one type to watch out for.

With 98 you have a file called msconfig, which makes it easy to turn on and off those startup processes. I rave about this file a lot, but it is the only cool feature Windows 98 has =) I d/l it for my Win2k.
dp
Just Arrived
Joined: 28 Dec 2003

Posted: Tue Dec 30, 2003 7:06 pm

A good little application to run is StartupMonitor. http://www.mlin.net/StartupMonitor.shtml
You never know it's running (no tray icon) until something tries to register itself to run at startup; then it opens up and alerts you to whatever is trying to load. You either allow or disallow. Obviously, if you don't know what it is, you don't permit it until you determine what it is. StartupMonitor is one of those 'must have' programs.
Kelab
Just Arrived
Joined: 26 Sep 2003

Posted: Tue Dec 30, 2003 10:12 pm

Unfortunately, from my point of view you can't prevent any application from autostarting :(

Another way is to write the Trojan to act as a virus :( This is not impossible :(
For example, you can do nothing if your Internet Explorer is infected with a Trojan virus!!
dp
Just Arrived
Joined: 28 Dec 2003

Posted: Tue Dec 30, 2003 11:44 pm

Kelab wrote:
Unfortunately, from my point of view you can't prevent any application from autostarting :(
Give StartupMonitor a spin and see how it works for you. Install it and try to install some malware that will load from the registry, or some test trojans, and see how it interacts when the applications try to register themselves to run at boot.
Kelab
Just Arrived
Joined: 26 Sep 2003

Posted: Wed Dec 31, 2003 12:50 am

dp wrote:
Give StartupMonitor a spin and see how it works for you. Install it and try to install some malware that will load from the registry, or some test trojans, and see how it interacts when the applications try to register themselves to run at boot.


You didn't understand me...

I am saying the Trojan is going to bind itself to Internet Explorer, for example, and start once the user clicks IE.

Actually, this is not a virtual situation, because I managed to code such a Trojan virus before and it fooled ZoneAlarm & Norton Antivirus :(
It didn't even open a port to listen on; instead it connects to you.

BTW, I coded this Trojan virus for testing purposes only and never published it to the public. (I tested it with my friends and it worked fine.)

My point is you can't guarantee 100% that you are safe by monitoring startup methods and listening ports.
Ipsec Espah
Just Arrived
Joined: 16 Mar 2003

Posted: Wed Dec 31, 2003 3:26 am

That's pretty sneaky, I never thought about that way to get a trojan to run. How common is that?
saman
Just Arrived
Joined: 09 Jul 2003
Location: ~root

Posted: Wed Dec 31, 2003 1:18 pm

Ipsec Espah wrote:
That's pretty sneaky, I never thought about that way to get a trojan to run. How common is that?


This is very common; nearly all trojans have a way of inserting themselves into the startup, although some, like Sub7, try to bind themselves to explorer.exe or similar files.
ChrisM
Just Arrived
Joined: 13 Apr 2004

Posted: Fri Apr 23, 2004 6:28 am

You're never totally secure and safe.
f2kyzz
Just Arrived
Joined: 05 May 2004

Posted: Wed May 05, 2004 6:27 am    Post subject: Re: Places that viruses and trojans hide on start up

Why don't you honestly advise your users about Windows, Services and Installing a firewall first before you breathe ahead with this warning? At least a firewall will prevent a few problems for starters.

doesitmatter
Bog
Just Arrived
Joined: 23 Aug 2003
Location: Toronto, Ontario Canada

Posted: Thu Sep 02, 2004 1:36 am

Can someone elaborate on what "binding" to explorer.exe or iexplore.exe means?

Very extensive list of locations to autostart. Next it would be nice to enable Windows auditing of these locations to generate an event when a change is made.
Groovicus
Trusted SF Member
Joined: 19 May 2004
Location: Centerville, South Dakota

Posted: Thu Sep 02, 2004 3:29 am

If I can add just one tidbit of info to your fantastic post: pacs-portal is a bit out of date, and I'm not sure if it is even being maintained any more.

Try this one at CC, as additions are being made almost daily.
http://computercops.biz/StartupList.html