
Viruses Start Points in Windows XP



#1 Shirin Zaban

Shirin Zaban

    Frequent Member

  • Tutorial Writer
  • 423 posts
  • Location:Tehran
  • Interests: 1_Making Unattended and Customized XP; 2_Making different types of Bootable and Multiboot CD/DVD; 3_Like to learn more about grub and grub4DOS
  •  
    Iran

Posted 16 August 2008 - 07:43 AM

=============================================================================
Viruses Start Points in Windows XP
=============================================================================

Hi

When a virus comes to a system, it has to be run to do its work; if it is not run, nothing will happen.
So virus writers use a lot of tricks to make their dangerous file run.

They know that their file should run in a manner that is:

Not visible to the user.
Not notifying the user.
Not easily detectable by the user.
Not stoppable by the user after being detected.
Not deletable by the user.
and a lot of other tricks.

They mostly use the registry to do their work, and most of the time they lock the registry so that you will
not be able to edit your registry.

Most of the time their commands are such that if you find the virus and delete it, the virus will be
created again in another place under another name, and sometimes you will not be able to delete them in
the normal manner.

So what should we do to overcome this problem?

I think we should do two things to be in less danger (I say less danger because every day we
encounter new viruses, worms, trojans and so on, and virus writers also get cleverer every day):

1. Having (always) updated security programs running on our system (firewall, antivirus, ...)

2. Learning the ways and tricks that virus writers use.

Anyway, even if you do follow the recommendations above, as I told you before, do not think that your system is safe.

==================================================================

I am not so expert in this subject, and I am also not going to discuss viruses here; I will just
introduce you to the common places that viruses run from.

==================================================================
---
1_
---

Any executable file that you put in your ....\windows\start menu\programs\startup folder will be
run during startup. The location of this folder is saved at the registry address below:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell

---
2_
---

You can use any of the registry addresses below to run your applications:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Any_name"="c:\..\your_file.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Any_name"="c:\..\your_file.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Any_name"="c:\..\your_file.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Any_name"="c:\..\your_file.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\000x]
"RunMyApp"="||notepad.exe"

The format is: "DllFileName|FunctionName|CommandLineArguments" -or- "||command parameters"
(Windows 98, ME, 2000 Pro, 2000 Server, 2000 Advanced Server)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Any_name"="c:\..\your_file.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Any_name"="c:\..\your_file.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

---
3_
---

If you place any command in the (%1\" %*") section of the lines below, then whenever you click on any EXE file,
the command that you embedded will be run instead of the clicked EXE file:

[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"


---
4_
---

In the lines below, the key should have a value of "%1 %*". If this is changed, for example to
"server.exe %1 %*", then server.exe is executed EVERY TIME an exe/pif/com/bat/hta file is executed.
This is known as the Unknown Starting Method and is currently used by SubSeven.

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"


----
5_
----

If you do as below, your_file.exe will start before the shell and any other programs.

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName
StubPath=C:\...\your_file.exe

==============================================================================

There are a lot of other places that viruses can execute from; search the web for more information.
I just wanted to start a subject to talk about.

I hope other friends will help and continue.

The last note I would like to make is about the registry.

1. There are some extensions that Windows will not show even when you unhide all extensions in
Windows (for example .shs, .pif, .lnk and others).

So, for example, if a virus writer makes a virus with the extension ".shs" and renames it to
"Notepad.exe.shs", then because Windows does not show the .shs extension we will see it as "Notepad.exe",
and if we double-click on it, the system will not open notepad.exe; it will open "notepad.exe.shs",
or in other words it will run the virus!!

In the same manner, files like the ones below can be viruses without us knowing:

car.jpg, may be "car.jpg.shs"
readme.txt, may be "readme.txt.pif"

and so on...

So we should make some registry changes to show the "super hidden" extensions. For this purpose, search the registry
for occurrences of a value named "NeverShowExt" and delete the value "NeverShowExt".
For example, to unhide the ".shs" extension, delete "NeverShowExt" at the addresses below:

HKEY_CLASSES_ROOT\shellscrap\nevershowext
HKLM\software\classes\shellscrap\nevershowext


Note: Editing the registry is dangerous; if you are not familiar with it, it can make your system
work badly or not work at all, so do it at your own risk.

2. Sometimes the virus writers will lock your registry, and you will not be able to edit the registry. There are
a lot of programs that can unlock it (for example the small program "QuickLock.exe" can lock or
unlock your registry and some other settings).

===========================================================

have fun

hope other friends will continue

shirin zaban

#2 Nuno Brito

Nuno Brito

    Platinum Member

  • .script developer
  • 10562 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 16 August 2008 - 11:46 AM

Good tutorial.

I liked a lot of your explanations regarding how to stealth the execution of another exe and this one for hidden startup entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName

StubPath=C:\...\your_file.exe

To keep things safe I use these freeware tools:

SpyBot Search and Destroy --> Good archive of malware detection and resident registry protection
ASquared HijackFree --> Many options to disable the startup entries and uninstall fishy services
Ninja pendisk --> small tool I made to keep pendisks clean


Would be good to hear what others are using as well.

:whistling:

#3 JonF

JonF

    Gold Member

  • .script developer
  • 1185 posts
  • Location:Boston, MA
  •  
    United States

Posted 16 August 2008 - 12:48 PM

I like Startup Inspector (http://www.windowsstartup.com/) because its "Consult" button gets descriptions for many startup entries, and each entry has a link to Google it.

Another registry location of interest is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run, which Winlogon consults when it starts and before it stops (and on several other events). Some particularly nasty malware (e.g. CoolWebSearch, Smitfraud) uses this to rename their key files at every startup/shutdown and avoid "Delete at next boot" Post-it notes left by Dr. Delete, Unlocker, Spybot, Ad-Aware, and the like. Processes started from this key cannot be shut down in Task Manager because they are system processes.

O20 AppInit_DLLs and Winlogon Notify
Taking Advantage of the Winlogon Notification Package
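As an added example, not code from Shirin Zaban, Nuno Brito or JonF, the script below parses a regedit export and checks every start point this thread lists: the Run/RunOnce/RunServices keys and RunOnceEx from post #1, the shell\open\command hijack (any value other than "%1" %*), Active Setup StubPath entries, the Winlogon\Notify packages JonF mentions, and the NeverShowExt values that make Explorer hide extensions such as .shs and .pif even when extension hiding is switched off. The .reg text embedded in it is constructed for the demo: the paths, value names and GUID in it are invented, and the "launched from a Temp directory" flag is an assumed rule of thumb rather than something from the thread.

```python
"""Triage a regedit export of Windows XP autostart (ASEP) locations.

Added example for this thread, not any poster's code. SAMPLE_REG is a
constructed "Windows Registry Editor Version 5.00" export; every path,
value name and GUID in it is made up for the demo."""
import re
import sys

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svchost"="C:\\WINDOWS\\Temp\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command]
@="server.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\WINDOWS\\system32\\drv32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\evnotify]
"DLLName"="evnotify.dll"
[HKEY_CLASSES_ROOT\.shs]
@="ShellScrap"
[HKEY_CLASSES_ROOT\ShellScrap]
"NeverShowExt"=""
[HKEY_CLASSES_ROOT\.pif]
@="piffile"
[HKEY_CLASSES_ROOT\piffile]
"NeverShowExt"=""
'''

DEFAULT_OPEN = '"%1" %*'   # stock shell\open\command for exefile, comfile, batfile, htafile, piffile
TEMP_HINT = re.compile(r"\\temp\\|\\temporary internet files\\", re.I)  # assumed heuristic


def _unescape(s):
    # .reg escaping: a backslash escapes the next character (\\ and \")
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: value}}; the default value is named '@'."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            val = m.group(2)  # REG_SZ values are quoted; dword:/hex: values are kept raw
            keys[current][name] = _unescape(val[1:-1]) if val.startswith('"') else val
    return keys


def triage(text):
    """Collect the start points the thread lists (Run* keys, hijacked shell\\open\\command
    values, Active Setup stubs, Winlogon\\Notify packages) and the hidden extensions."""
    keys = parse_reg(text)
    f = {"run": [], "hijack": [], "active_setup": [], "winlogon_notify": []}
    ext_to_progid = {}
    for key, vals in keys.items():
        tail = key.rsplit("\\", 1)[-1]
        if re.search(r"\\CurrentVersion\\Run(Once|Services|ServicesOnce|OnceEx\\\d+)?$", key, re.I):
            for name, cmd in vals.items():  # flag anything launched from a temp directory
                f["run"].append((key, name, cmd, bool(TEMP_HINT.search(cmd))))
        elif re.search(r"\\(exe|com|bat|hta|pif)file\\shell\\open\\command$", key, re.I):
            if vals.get("@") != DEFAULT_OPEN:  # anything else runs on every double-click
                f["hijack"].append((key, vals.get("@")))
        elif re.search(r"\\Active Setup\\Installed Components\\", key, re.I) and "StubPath" in vals:
            f["active_setup"].append((key, vals["StubPath"]))
        elif re.search(r"\\Winlogon\\Notify\\", key, re.I) and "DLLName" in vals:
            f["winlogon_notify"].append((key, vals["DLLName"]))
        elif tail.startswith("."):  # extension -> ProgID mapping, e.g. .shs -> ShellScrap
            ext_to_progid[tail.lower()] = vals.get("@", "").lower()
    hidden = {k.rsplit("\\", 1)[-1].lower() for k, v in keys.items()
              if any(n.lower() == "nevershowext" for n in v)}
    f["hidden_ext"] = sorted(e for e, p in ext_to_progid.items() if p in hidden)
    return f


def explorer_display_name(filename, hidden_exts, hide_known_ext=False):
    """Name Explorer shows: a NeverShowExt extension is dropped even when
    'Hide extensions for known file types' is switched off."""
    base, dot, ext = filename.rpartition(".")
    if dot and "." + ext.lower() in hidden_exts:
        return base
    return base if dot and hide_known_ext else filename


if __name__ == "__main__":  # regedit 5.00 exports are UTF-16; with no argument the sample is used
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    findings = triage(text)
    for section, items in findings.items():
        print(section, *items, sep="\n  ")
    for name in ("car.jpg.shs", "readme.txt.pif"):
        print(name, "is shown as", explorer_display_name(name, set(findings["hidden_ext"])))
```

Export the keys on the suspect machine with regedit /e and run the script on a clean one. The comparison against "%1" %* is what catches the SubSeven-style hijack from post #1: a value that merely prefixes another program still launches the clicked file, so the user sees nothing wrong.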



