Places Where Viruses And Trojans Hide

Posted by kingaff, 23-Feb-2007, 06:30 AM

1. START-UP FOLDER. W*NDOW$ opens every item in the Start Menu's Start Up folder. This folder is prominent in the Programs folder of the Start Menu.

Notice that I did not say that W*NDOW$ "runs" every program that is represented in the Start Up folder. I said it "opens every item." There's an important difference.

Programs represented in the Start Up folder will run, of course. But you can have shortcuts in the Start Up folder that represent documents, not programs.

For example, if you put a M*CRO$OFT Word document in the Start Up folder, Word will run and automatically open that document at bootup; if you put a WAV file there, your audio software will play the music at bootup, and if you put a Web-page Favourites there, Internet Explorer (or your own choice of a browser) will run and open that Web page for you when the computer starts up. (The examples cited here could just as easily be shortcuts to a WAV file or a Word document, and so on.)

2. REGISTRY. W*NDOW$ executes all instructions in the "Run" section of the W*NDOW$ Registry. Items in the "Run" section (and in other parts of the Registry listed below) can be programs or files that programs open (documents), as explained in No. 1 above.

3. REGISTRY. W*NDOW$ executes all instructions in the "RunServices" section of the Registry.

4. REGISTRY. W*NDOW$ executes all instructions in the "RunOnce" part of the Registry.

5. REGISTRY. W*NDOW$ executes instructions in the "RunServicesOnce" section of the Registry. (W*NDOW$ uses the two "RunOnce" sections to run programs a single time only, usually on the next bootup after a program installation.)

7. REGISTRY. W*NDOW$ executes instructions in the HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %* section of the Registry. Any command embedded here will open when any exe file is executed.

Other possibles:

[HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"

If keys don't have the "\"%1\" %*" value as shown, and are changed to something like "\"somefilename.exe %1\" %*", then they are automatically invoking the specified file.

8. BATCH FILE. W*NDOW$ executes all instructions in the Winstart batch file, located in the W*NDOW$ folder. (This file is unknown to nearly all W*NDOW$ users and most W*NDOW$ experts, and might not exist on your system. You can easily create it, however. Note that some versions of W*NDOW$ call the W*NDOW$ folder the "WinNT" folder.) The full filename is WINSTART.BAT.

9. INITIALIZATION FILE. W*NDOW$ executes instructions in the "RUN=" line in the WIN.INI file, located in the W*NDOW$ (or WinNT) folder.

10. INITIALIZATION FILE. W*NDOW$ executes instructions in the "LOAD=" line in the WIN.INI file, located in the W*NDOW$ (or WinNT) folder.

It also runs things in shell= in System.ini or c:\W*NDOW$\system.ini:

[boot]
shell=explorer.exe C:\W*NDOW$\filename

The file name following explorer.exe will start whenever W*NDOW$ starts.

As with Win.ini, file names might be preceded by considerable space on such a line, to reduce the chance that they will be seen. Normally, the full path of the file will be included in this entry. If not, check the \W*NDOW$ directory.


11. RELAUNCHING. W*NDOW$ reruns programs that were running when W*NDOW$ shut down. W*NDOW$ cannot do this with most non-M*CRO$OFT programs, but it will do it easily with Internet Explorer and with W*NDOW$ Explorer, the file-and-folder manager built into W*NDOW$. If you have Internet Explorer open when you shut W*NDOW$ down, W*NDOW$ will reopen IE with the same page open when you boot up again. (If this does not happen on your W*NDOW$ PC, someone has turned that feature off. Use Tweak UI, the free M*CRO$OFT W*NDOW$ user interface manager, to reactivate "Remember Explorer settings," or whatever it is called in your version of W*NDOW$.)

12. TASK SCHEDULER. W*NDOW$ executes autorun instructions in the W*NDOW$ Task Scheduler (or any other scheduler that supplements or replaces the Task Scheduler). The Task Scheduler is an official part of all W*NDOW$ versions except the first version of W*NDOW$ 95, but is included in W*NDOW$ 95 if the M*CRO$OFT Plus Pack was installed.

13. SECONDARY INSTRUCTIONS. Programs that W*NDOW$ launches at startup are free to launch separate programs on their own. Technically, these are not programs that W*NDOW$ launches, but they are often indistinguishable from ordinary auto-running programs if they are launched right after their "parent" programs run.

14. C:\EXPLORER.EXE METHOD.

C:\Explorer.exe

W*NDOW$ loads explorer.exe (typically located in the W*NDOW$ directory) during the boot process. However, if c:\explorer.exe exists, it will be executed instead of the W*NDOW$ explorer.exe. If c:\explorer.exe is corrupt, the user will effectively be locked out of their system after they reboot.

If c:\explorer.exe is a trojan, it will be executed. Unlike all other autostart methods, there is no need for any file or registry changes - the file simply has to be named c:\explorer.exe.

15. ADDITIONAL METHODS.

Additional autostart methods. The first two are used by Trojan SubSeven 2.2.

HKEY_LOCAL_MACHINE\Software\M*CRO$OFT\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\Software\M*CRO$OFT\W*NDOW$\CurrentVersion\Explorer\User Shell Folders

Icq Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key specifies that all applications will be executed if ICQNET Detects an Internet Connection.

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] ="Scrap object"
"NeverShowExt"=""
This key changes your file's specified extension.
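As an added example (not part of kingaff's post), the following Python script audits two of the autostart locations the post describes, offline and from text exports rather than a live machine: the file-type handler keys (exefile, comfile, batfile, htafile, piffile) whose default value should be "%1" %*, and the run=/load= lines of WIN.INI and the shell= line of SYSTEM.INI, where the post notes a file name may be hidden behind a long run of spaces. The .reg input is assumed to be in regedit's export format; the sample registry export, the INI text and the file names in them (loader.exe, hidden_example.exe, filename.exe) are constructed for the example.

```python
"""Offline audit of two autostart locations from the post: shell\open\command
handler keys (expected default value "%1" %*) and run=/load=/shell= INI lines.
Added example code, not from the original post. Inputs are a .reg export
(regedit File > Export text) and INI file text; all sample data is constructed."""
import re

# The handler command every listed file type should carry.
EXPECTED_OPEN_COMMAND = '"%1" %*'

# Matches the handler keys listed in the post under both hives.
HANDLER_KEY_RE = re.compile(
    r'^(?:HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\Software\\Classes)\\'
    r'(?P<ftype>exefile|comfile|batfile|htafile|piffile)\\shell\\open\\command$',
    re.IGNORECASE)

# INI sections and keys the post names: [windows] run=/load= and [boot] shell=.
INI_AUTOSTART = {'windows': ('run', 'load'), 'boot': ('shell',)}


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg export text.
    Only string values (@="..." and "name"="...") are decoded; .reg escaping
    (\\\\ for a backslash, \\" for a quote) is undone."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and '=' in line:
            name, _, data = line.partition('=')
            name = '@' if name == '@' else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
            keys[current][name] = data
    return keys


def find_hijacked_handlers(keys):
    """Handler keys whose default value is anything other than "%1" %*.
    Returns a list of (key_path, actual_command)."""
    findings = []
    for path, values in keys.items():
        if HANDLER_KEY_RE.match(path):
            cmd = values.get('@', '')
            if cmd.strip() != EXPECTED_OPEN_COMMAND:
                findings.append((path, cmd))
    return findings


def find_ini_autostarts(text):
    """Non-empty run=/load= entries in [windows] and shell= in [boot].
    Leading padding after '=' is stripped, so a value pushed far to the right
    by spaces is still reported. Returns (section, key, value) tuples."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
        elif '=' in line and section in INI_AUTOSTART:
            key, _, value = line.partition('=')
            key = key.strip().lower()
            if key in INI_AUTOSTART[section] and value.strip():
                found.append((section, key, value.strip()))
    return found


def shell_extra_args(value):
    """Whatever follows explorer.exe on a shell= line (a plain shell=explorer.exe
    yields an empty string)."""
    parts = value.split(None, 1)
    if parts and parts[0].lower().endswith('explorer.exe') and len(parts) > 1:
        return parts[1]
    return ''


# Constructed sample inputs: one clean handler, one hijacked comfile handler
# (loader.exe is a made-up name), and padded INI lines as the post describes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"C:\\WINDOWS\\loader.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="\"%1\" %*"
'''

SAMPLE_WIN_INI = '''[windows]
load=
run=                                                  c:\\windows\\hidden_example.exe
[Desktop]
Wallpaper=(None)
'''

SAMPLE_SYSTEM_INI = '''[boot]
shell=explorer.exe C:\\WINDOWS\\filename.exe
'''

if __name__ == '__main__':
    for path, cmd in find_hijacked_handlers(parse_reg_export(SAMPLE_REG)):
        print(f'handler hijack: {path} -> {cmd}')
    for section, key, value in find_ini_autostarts(SAMPLE_WIN_INI + SAMPLE_SYSTEM_INI):
        extra = shell_extra_args(value) if key == 'shell' else value
        if extra:
            print(f'ini autostart: [{section}] {key}= {extra}')
```

On a live system the same functions can be fed a regedit export of HKEY_CLASSES_ROOT and the contents of WIN.INI and SYSTEM.INI from the W*NDOW$ folder; the point of the comparison is that a handler value other than "%1" %* means some other program is being run in front of every file of that type, exactly the condition the post describes.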