Go Back   Digit Technology Discussion Forum > Software > Software Q&A
#1, 11-12-2005, 05:32 PM
readermaniax (Alpha Geek; Join Date: Jul 2005; Posts: 524)

Places where Viruses & Trojans Hide

1. START-UP FOLDER. Windows opens every item in the Start Menu's Start Up folder. This folder is prominent in the Programs folder of the Start Menu.

Notice that I did not say that Windows "runs" every program that is represented in the Start Up folder. I said it "opens every item." There's an important difference.

Programs represented in the Start Up folder will run, of course. But you can have shortcuts in the Start Up folder that represent documents, not programs.

For example, if you put a Microsoft Word document in the Start Up folder, Word will run and automatically open that document at bootup; if you put a WAV file there, your audio software will play the music at bootup; and if you put a Web-page favourite there, Internet Explorer (or your own choice of a browser) will run and open that Web page for you when the computer starts up. (The examples cited here could just as easily be shortcuts to a WAV file or a Word document, and so on.)

2. REGISTRY. Windows executes all instructions in the "Run" section of the Windows Registry. Items in the "Run" section (and in other parts of the Registry listed below) can be programs or files that programs open (documents), as explained in No. 1 above.

3. REGISTRY. Windows executes all instructions in the "RunServices" section of the Registry.

4. REGISTRY. Windows executes all instructions in the "RunOnce" part of the Registry.

5. REGISTRY. Windows executes instructions in the "RunServicesOnce" section of the Registry. (Windows uses the two "RunOnce" sections to run programs a single time only, usually on the next bootup after a program installation.)

7. REGISTRY. Windows executes instructions in the HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %* section of the Registry. Any command embedded here will open when any exe file is executed.

Other possibles:

[HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"

If keys don't have the "\"%1\" %*" value as shown, and are changed to something like "\"somefilename.exe %1\" %*", then they are automatically invoking the specified file.

8. BATCH FILE. Windows executes all instructions in the Winstart batch file, located in the Windows folder. (This file is unknown to nearly all Windows users and most Windows experts, and might not exist on your system. You can easily create it, however. Note that some versions of Windows call the Windows folder the "WinNT" folder.) The full filename is WINSTART.BAT.

9. INITIALIZATION FILE. Windows executes instructions in the "RUN=" line in the WIN.INI file, located in the Windows (or WinNT) folder.

10. INITIALIZATION FILE. Windows executes instructions in the "LOAD=" line in the WIN.INI file, located in the Windows (or WinNT) folder.

It also runs things in shell= in System.ini or c:\windows\system.ini:

[boot]
shell=explorer.exe C:\windows\filename

The file name following explorer.exe will start whenever Windows starts.

As with Win.ini, file names might be preceded by considerable space on such a line, to reduce the chance that they will be seen. Normally, the full path of the file will be included in this entry. If not, check the \Windows directory.

11. RELAUNCHING. Windows reruns programs that were running when Windows shut down. Windows cannot do this with most non-Microsoft programs, but it will do it easily with Internet Explorer and with Windows Explorer, the file-and-folder manager built into Windows. If you have Internet Explorer open when you shut Windows down, Windows will reopen IE with the same page open when you boot up again. (If this does not happen on your Windows PC, someone has turned that feature off. Use Tweak UI, the free Microsoft Windows user interface manager, to reactivate "Remember Explorer settings," or whatever it is called in your version of Windows.)

12. TASK SCHEDULER. Windows executes autorun instructions in the Windows Task Scheduler (or any other scheduler that supplements or replaces the Task Scheduler). The Task Scheduler is an official part of all Windows versions except the first version of Windows 95, but is included in Windows 95 if the Microsoft Plus Pack was installed.

13. SECONDARY INSTRUCTIONS. Programs that Windows launches at startup are free to launch separate programs on their own. Technically, these are not programs that Windows launches, but they are often indistinguishable from ordinary auto-running programs if they are launched right after their "parent" programs run.

14. C:\EXPLORER.EXE METHOD.

C:\Explorer.exe

Windows loads explorer.exe (typically located in the Windows directory) during the boot process. However, if c:\explorer.exe exists, it will be executed instead of the Windows explorer.exe. If c:\explorer.exe is corrupt, the user will effectively be locked out of their system after they reboot.

If c:\explorer.exe is a trojan, it will be executed. Unlike all other autostart methods, there is no need for any file or registry changes; the file simply has to be named c:\explorer.exe.

15. ADDITIONAL METHODS.

Additional autostart methods. The first two are used by Trojan SubSeven 2.2.

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

ICQ Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key specifies that all applications will be executed if ICQNET detects an Internet connection.

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] ="Scrap object"
"NeverShowExt"=""
This key changes your file's specified extension.

#2, 11-12-2005, 07:53 PM
vijay_7287 (SNIST Screamer !!; Join Date: Aug 2005; Location: Hyderabad; Posts: 1,162)

Does it apply to all the trojans and viruses?
#3, 11-12-2005, 09:01 PM
readermaniax (Alpha Geek; Join Date: Jul 2005; Posts: 524)

Most of them.
#4, 11-12-2005, 09:23 PM
praka123 (left this forum longback; Join Date: Sep 2005; Location: -; Posts: 7,513)

Edit [Nemesis]: Please watch your language on this forum.
#5, 11-12-2005, 09:49 PM
vignesh (Wise Old Owl; Join Date: Jul 2004; Location: Chennai; Posts: 1,659)

Nice open source topic. Please post in the right section to get proper answers.
#6, 11-12-2005, 09:51 PM
dIgItaL_BrAt (Wise Old Owl; Join Date: Jan 2005; Posts: 1,135)

Taken from http://www.governmentsecurity.org/ar...eonstartup.php

@readermaniax: at least post the source.
#7, 11-12-2005, 10:15 PM
Nemesis (Wise Old Owl; Join Date: Jan 2004; Location: New York; Posts: 1,634)

Thread locked due to plagiarism. Besides, this is like the 3rd or 4th thread started by readermaniax that was posted in the Open source section. Moved here and locked.