Places that viruses and trojans hide on start up

Networking/Security Forums -> Viruses // Worms

Author: ShaolinTiger | Location: Kuala Lumpur, Malaysia | Posted: Wed Feb 26, 2003 1:34 pm | Post subject: Places that viruses and trojans hide on start up
    ----
1. START-UP FOLDER. This applies to all versions of Windows: Windows 9x has a global startup folder, and Windows XP/2000 have a per-user and an All Users startup folder.

c:\Documents and Settings\All Users\Start Menu\Programs\Startup

And

c:\Documents and Settings\username\Start Menu\Programs\Startup

Windows opens every item in the Startup folder on startup/login. This folder is easy to find, and you can just 'right click and delete' to remove items from it.

Note that the above says 'open', not 'run': this means that if there is a .txt file, Notepad will open; if there is a .wav file, the default program for handling .wav files will open; and so on. Shortcuts are usually put in the startup folder, but entire programs/documents/files can be put there.

STARTUP ORDER FOR WINDOWS NT4/2000/XP

The user enters a password and logs on to the system.

2. REGISTRY. Windows executes all instructions in the "Run" section of the Windows Registry. Items in the "Run" section (and in other parts of the Registry listed below) can be programs or files that programs open (documents), as explained in No. 1 above.

All Run Keys:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunEx]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunEx]

3. REGISTRY. Windows executes all instructions in the "RunServices" section of the Registry.

Computer Management -> Services - items set to "Automatic"

4. REGISTRY. Windows executes all instructions in the "RunOnce" part of the Registry.

5. REGISTRY. Windows executes instructions in the "RunServicesOnce" section of the Registry. (Windows uses the two "RunOnce" sections to run programs a single time only, usually on the next bootup after a program installation.)

7. REGISTRY. Windows executes instructions in the HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %* section of the Registry. Any command embedded here will open when any exe file is executed.

Other possibles:

[HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"

If the keys don't have the "\"%1\" %*" value as shown, and are changed to something like "\"somefilename.exe %1\" %*", then they are automatically invoking the specified file.

8. BATCH FILE. Windows executes all instructions in the Winstart batch file, located in the Windows folder. (This file is unknown to nearly all Windows users and most Windows experts, and might not exist on your system. You can easily create it, however. Note that some versions of Windows call the Windows folder the "WinNT" folder.) The full filename is WINSTART.BAT.

9. INITIALIZATION FILE. Windows executes instructions in the "RUN=" line in the WIN.INI file, located in the Windows (or WinNT) folder.

10. INITIALIZATION FILE. Windows executes instructions in the "LOAD=" line in the WIN.INI file, located in the Windows (or WinNT) folder.

It also runs things in shell= in System.ini or c:\windows\system.ini:

[boot]
shell=explorer.exe C:\windows\filename

The file name following explorer.exe will start whenever Windows starts.

As with Win.ini, file names might be preceded by considerable space on such a line, to reduce the chance that they will be seen. Normally, the full path of the file will be included in this entry. If not, check the \Windows directory.


11. RELAUNCHING. Windows reruns programs that were running when Windows shut down. Windows cannot do this with most non-Microsoft programs, but it will do it easily with Internet Explorer and with Windows Explorer, the file-and-folder manager built into Windows. If you have Internet Explorer open when you shut Windows down, Windows will reopen IE with the same page open when you boot up again. (If this does not happen on your Windows PC, someone has turned that feature off. Use Tweak UI, the free Microsoft Windows user interface manager, to reactivate "Remember Explorer settings," or whatever it is called in your version of Windows.)

12. TASK SCHEDULER. Windows executes autorun instructions in the Windows Task Scheduler (or any other scheduler that supplements or replaces the Task Scheduler). The Task Scheduler is an official part of all Windows versions except the first version of Windows 95, but is included in Windows 95 if the Microsoft Plus Pack was installed.

13. SECONDARY INSTRUCTIONS. Programs that Windows launches at startup are free to launch separate programs on their own. Technically, these are not programs that Windows launches, but they are often indistinguishable from ordinary auto-running programs if they are launched right after their "parent" programs run.

14. C:\EXPLORER.EXE METHOD.

C:\Explorer.exe

Windows loads explorer.exe (typically located in the Windows directory) during the boot process. However, if c:\explorer.exe exists, it will be executed instead of the Windows explorer.exe. If c:\explorer.exe is corrupt, the user will effectively be locked out of their system after they reboot.

If c:\explorer.exe is a trojan, it will be executed. Unlike all other autostart methods, there is no need for any file or registry changes; the file simply has to be named c:\explorer.exe.

15. ADDITIONAL METHODS.

Additional autostart methods. The first two are used by Trojan SubSeven 2.2.

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Icq Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key specifies that all applications will be executed if ICQNET detects an Internet connection.

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] ="Scrap object"
"NeverShowExt"=""
This key changes your file's specified extension.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute]

This is the first thing that is run.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]

------------------------

If you find anything strange in any of these locations check for startup files here:

http://www.pacs-portal.co.uk/startup_pages/startup_all.php


Last edited by ShaolinTiger on Wed Nov 05, 2003 8:38 pm; edited 2 times in total
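A defender's way to triage the locations listed in the post above, as an added example that is not part of the original post or any product: it parses a constructed .reg export (the format regedit writes) and flags every Run/RunOnce/RunServices entry, any exefile/comfile/batfile/piffile shell\open\command handler that differs from the stock "%1" %*, and a Winlogon Shell value with anything appended after explorer.exe. The sample data, the key names and the stock values are taken from the post; the parser treats Shell as a value under the Winlogon key.

```python
# Constructed .reg export (not real data) covering several locations from the post:
# a Run key, a hijacked exefile handler, a normal comfile handler and a Winlogon Shell.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"svchost"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"somefilename.exe %1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\windows\\filename.exe"
'''

RUN_KEYS = ("run", "runonce", "runonceex", "runex", "runservices", "runservicesonce")
HANDLER_TYPES = ("exefile", "comfile", "batfile", "piffile")
EXPECTED_HANDLER = '"%1" %*'   # stock default value of <type>\shell\open\command

def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}; the default value is named '@'."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):   # REG_SZ: unescape \" and \\
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def audit(text):
    """Return (key, value_name, data, reason) tuples for entries a responder should review."""
    findings = []
    for key, values in parse_reg(text).items():
        low = key.lower()
        if low.rsplit("\\", 1)[-1] in RUN_KEYS:            # every autostart command gets listed
            for name, data in values.items():
                findings.append((key, name, data, "autostart entry"))
        elif low.endswith("\\shell\\open\\command") and any(t in low for t in HANDLER_TYPES):
            if values.get("@") != EXPECTED_HANDLER:         # handler hijack as described in No. 7
                findings.append((key, "@", values.get("@"), "file handler changed"))
        elif low.endswith("\\winlogon") and values.get("Shell", "explorer.exe").lower() != "explorer.exe":
            findings.append((key, "Shell", values["Shell"], "extra program after explorer.exe"))
    return findings

if __name__ == "__main__":
    for key, name, data, reason in audit(SAMPLE_REG):
        print(f"{reason}: [{key}] {name} = {data}")
```

Run it against a real export (regedit, File > Export, of the keys above) to get the same listing for a live machine; the WIN.INI, SYSTEM.INI and startup-folder locations from the post are not covered by a .reg export.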

Author: GSecur | Posted: Wed Feb 26, 2003 4:26 pm
    ----
This is some great info Shaolin, I sent you a PM.

Author: r3L4x | Posted: Sun Apr 06, 2003 3:20 am
    ----
wow. I have never seen so much info on start up methods! All you need to do is get hackereliminator to watch those reg keys and you are impenetrable!

Author: Paragon | Location: Away | Posted: Mon Apr 07, 2003 5:27 am
    ----
r3L4x wrote:
    wow. I have never seen so much info on start up methods!
And that's not all of them.
Quote:
    All you need to do is get hackereliminator to watch those reg keys and you are impenetrable!
That's a joke, right?

Author: Dark-Avenger | Location: France | Posted: Mon Apr 21, 2003 8:45 pm
    ----
To hide an app in Task Manager under Win XP, you must add "-b" after the path.

Ex: if you want to hide 'c:\test.exe' on startup under Win XP, write 'c:\test.exe -b' in the run key in the registry. That's all!

Easy, isn't it? ;-p)

Author: Leroy | Posted: Fri Oct 17, 2003 8:54 am
    ----
Here is an example of some disruption through startup processes:

"When it installed itself it corrupted a little used system file (spoolsv.exe) and put in a whole lot of registry data.

It created two separate startup procedures:

1. this ran a program (I never found it, I simply disabled it as a startup process. I think it no longer exists because I can't find it...) which extracted the registry data into a file called *something*.reg, and then closed itself

2. this added the registry data from that file into the registry (ran regedit with the file name as a parameter, I think), and changed all my internet settings to show a certain page as my search page, my home page, and all this other crap. It then closed itself too."

So there is one type to watch out for.

With 98 you have a file called msconfig, which makes it easy to turn on and off those startup processes. I rave about this file a lot, but it is the only cool feature Windows 98 has =) I d/l it for my Win2k.

Author: dp | Posted: Tue Dec 30, 2003 7:06 pm
    ----
A good little application to run is StartupMonitor. http://www.mlin.net/StartupMonitor.shtml
You never know it's running (no tray icon) until something tries to register itself to run at startup; then it opens up and alerts you to whatever is trying to load. You either allow or disallow. Obviously, if you don't know what it is, you don't permit it until you determine what it is. StartupMonitor is one of those 'must have' programs.

Author: Kelab | Posted: Tue Dec 30, 2003 10:12 pm
    ----
Unfortunately, from my point of view, you can't prevent any application from autostarting :(

Another way is to write the Trojan to act as a virus :( This is not impossible :(
For example, you can do nothing if your Internet Explorer is infected with a Trojan virus!!

Author: dp | Posted: Tue Dec 30, 2003 11:44 pm
    ----
Kelab wrote:
    unfortunately from my point of view you can't prevent any application from autostartup :(
Give StartupMonitor a spin and see how it works for you. Install it and try to install some malware that will load from the registry, or some test trojans, and see how it interacts when the applications try to register themselves to run at boot.

Author: Kelab | Posted: Wed Dec 31, 2003 12:50 am
    ----
dp wrote:
    Give StartupMonitor a spin and see how it works for you. Install it and try to install some malware that will load from the registry or some test trojans and see how it interacts when the applications try and register themselves to run at boot.

You didn't understand me..

I am saying the Trojan is going to bind itself to Internet Explorer, for example, and start once the user clicks IE.

Actually, this is not a virtual situation, because I managed to code such a Trojan virus before and it fooled ZoneAlarm & Norton antivirus :(
It even didn't open a port to listen on; instead it connects to you.

Btw, I coded this Trojan virus for testing purposes only and never published it to the public. (I tested it with my friends and it worked fine.)

My point is you can't guarantee 100% that you are safe by monitoring startup methods and listening ports.

Author: Ipsec Espah | Posted: Wed Dec 31, 2003 3:26 am
    ----
That's pretty sneaky, I never thought about that way to get a trojan to run. How common is that?

Author: saman | Location: ~root | Posted: Wed Dec 31, 2003 1:18 pm
    ----
Ipsec Espah wrote:
    That's pretty sneaky, I never thought about that way to get a trojan to run. How common is that?

This is very common; nearly all trojans have a way of inserting themselves into the startup, although some like Sub7 try to bind themselves to explorer.exe or similar files.

Author: ChrisM | Posted: Fri Apr 23, 2004 6:28 am
    ----
You're never totally secure and safe.

Author: f2kyzz | Posted: Wed May 05, 2004 6:27 am | Post subject: Re: Places that viruses and trojans hide on start up
    ----
Why don't you honestly advise your users about Windows, Services and Installing a firewall first before you breathe ahead with this warning? At least a firewall will prevent a few problems for starters.

doesitmatter

Author: Bog | Location: Toronto, Ontario Canada | Posted: Thu Sep 02, 2004 1:36 am
    ----
Can someone elaborate on what "binding" to explorer.exe or iexplore.exe means?

Very extensive list of locations to autostart. Next it would be nice to enable Windows auditing of these locations to generate an event when a change is made.

Author: Groovicus | Location: Centerville, South Dakota | Posted: Thu Sep 02, 2004 3:29 am
    ----
If I can add just one tidbit of info to your fantastic post: pacs-portal is a bit out of date, and I'm not sure if it is even being maintained any more.

Try this one at CC, as additions are being made almost daily.
http://computercops.biz/StartupList.html

Author: nET^ViRuS | Posted: Thu Jul 20, 2006 1:09 pm
    ----
thank u

great topic

Author: SifuMike | Location: Vancouver (not BC) WA (not DC) | Posted: Sat Jan 29, 2011 1:52 am
    ----
You need to put the source of information (link) and put your information in quotes since it is not yours.

Author: RoninV | Posted: Sat Mar 26, 2011 12:49 pm
    ----
@ShaolinTiger

I take it today's anti-xenomorph apps (SUPERAntispyware, Malwarebytes, GMER, etc.) comb these crevices during their scans?
