Places that Viruses and Trojans hide on start up

1. START-UP FOLDER. Windows opens every item in the Start Menu's Start Up folder, which sits in the Programs folder of the Start Menu. Notice that I did not say that Windows "runs" every program represented in the Start Up folder; I said it "opens every item." There is an important difference. Programs represented in the Start Up folder will run, of course, but the folder can also hold shortcuts that point to documents rather than programs. For example, if you put a Microsoft Word document in the Start Up folder, Word will run and open that document at bootup; if you put a WAV file there, your audio software will play it at bootup; and if you put a Web-page Favourite there, Internet Explorer (or your own choice of browser) will run and open that Web page when the computer starts. (The examples cited here could just as easily be shortcuts to a WAV file or a Word document, and so on.)
2. REGISTRY. Windows executes all instructions in the "Run" section of the Windows Registry. Items in the "Run" section (and in the other parts of the Registry listed below) can be programs or files that programs open (documents), as explained in No. 1 above.
3. REGISTRY. Windows executes all instructions in the "RunServices" section of the Registry.
4. REGISTRY. Windows executes all instructions in the "RunOnce" part of the Registry.
5. REGISTRY. Windows executes instructions in the "RunServicesOnce" section of the Registry. (Windows uses the two "RunOnce" sections to run programs a single time only, usually on the next bootup after a program installation.)
7. REGISTRY. Windows executes instructions in the HKEY_CLASSES_ROOT\exefile\shell\open\command section of the Registry, whose default value is "%1" %*. Any command embedded here runs whenever any EXE file is executed.
Other possible keys:
[HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"
If these keys do not have the "\"%1\" %*" value shown, and have instead been changed to something like "\"somefilename.exe %1\" %*", then they automatically invoke the specified file every time a file of that type is opened.
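As an added example (not part of the original text), here is a small Python check for the "%1" %* pattern described above. It parses a shell\open\command value the way the command line is tokenised and reports whether some other program has been placed in front of the "%1" placeholder, or the placeholder has been removed altogether. The sample values are constructed; reading the live Registry is deliberately left out so the check runs anywhere.

```python
import re

# Default value of <type>file\shell\open\command: run the chosen file itself,
# passing along any further arguments.
DEFAULT_OPEN_COMMAND = '"%1" %*'


def check_open_command(value):
    """Classify one shell\\open\\command value.

    Returns {'status': 'default' | 'unusual' | 'hijacked', 'program': ...}.
    'hijacked' means another program has been placed in front of the "%1"
    placeholder (or the placeholder is gone), so that program runs every
    time a file of that type is opened.
    """
    v = value.strip()
    if v == DEFAULT_OPEN_COMMAND:
        return {"status": "default", "program": None}
    # Tokenise like the command line: quoted strings stay together.
    parts = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', v)]
    leading = []
    for part in parts:
        if "%1" in part:
            # Something may share the quotes with %1, e.g. "somefilename.exe %1".
            inner = part.split("%1", 1)[0].strip()
            if inner:
                leading.append(inner)
            break
        leading.append(part)
    else:
        # No %1 at all: the file the user opened is never run, only this command.
        return {"status": "hijacked", "program": " ".join(parts) or None}
    if not leading:
        # %1 comes first; only the tail differs (e.g. a missing %*). Worth a look.
        return {"status": "unusual", "program": None}
    return {"status": "hijacked", "program": " ".join(leading)}


def audit_open_commands(values):
    """Return (key, result) pairs for every value that is not the default."""
    results = [(key, check_open_command(val)) for key, val in values.items()]
    return [(key, res) for key, res in results if res["status"] != "default"]


# Constructed sample (not a real Registry dump): the keys listed above,
# with the exefile entry modified as the text describes.
SAMPLE_VALUES = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"somefilename.exe %1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
}

if __name__ == "__main__":
    for key, result in audit_open_commands(SAMPLE_VALUES):
        print(key, "->", result["status"], result["program"])
```

The tokeniser matters because the inserted program can sit inside the same quotes as %1 (as in the page's example) or in its own quoted path before it; both forms are reported as hijacked with the program name extracted.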
8. BATCH FILE. Windows executes all instructions in the Winstart batch file, located in the Windows folder. (This file is unknown to nearly all Windows users and most Windows experts, and might not exist on your system. You can easily create it, however. Note that some versions of Windows call the Windows folder the "WinNT" folder.) The full filename is WINSTART.BAT.
9. INITIALIZATION FILE. Windows executes instructions in the "RUN=" line in the WIN.INI file, located in the Windows (or WinNT) folder.
10. INITIALIZATION FILE. Windows executes instructions in the "LOAD=" line in the WIN.INI file, located in the Windows (or WinNT) folder.
Windows also runs whatever is named on the shell= line in System.ini (c:\windows\system.ini):
[boot]
shell=explorer.exe C:\windows\filename
The file name following explorer.exe will start whenever Windows starts. As with Win.ini, file names may be preceded by a considerable run of spaces on such a line, to reduce the chance that they will be seen. Normally, the full path of the file will be included in this entry; if not, check the \Windows directory.
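As an added example, not part of the original text: a small Python parser for the WIN.INI run=/load= lines and the SYSTEM.INI shell= line that reports what each would launch and flags values hidden behind a long run of spaces, as described above. The sample file contents and the padding threshold of 16 spaces are constructed for this example; reading the live files from the Windows folder is left to the reader.

```python
# Keys that launch programs at startup, per initialisation file.
WATCHED_KEYS = {
    "win.ini": {"run", "load"},
    "system.ini": {"shell"},
}

# More leading spaces than this before the value is treated as deliberate
# padding (threshold chosen for this example).
PAD_THRESHOLD = 16


def find_ini_autostarts(ini_text, filename):
    """Return autostart entries found in WIN.INI or SYSTEM.INI text.

    Each entry is a dict with 'file', 'section', 'key', 'command' and
    'padded' (True when the value was hidden behind a run of spaces).
    Key names are matched case-insensitively, as Windows does.
    """
    watched = WATCHED_KEYS[filename.lower()]
    section = None
    findings = []
    for raw in ini_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith(";"):
            continue  # blank line or comment
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
            continue
        if "=" not in raw:
            continue
        key, _, value = raw.partition("=")
        key = key.strip().lower()
        if key not in watched:
            continue
        # Count the whitespace between '=' and the value before stripping it.
        leading = len(value) - len(value.lstrip(" \t"))
        command = value.strip()
        if key == "shell":
            # explorer.exe alone is the normal shell; anything after it is extra.
            head, _, extra = command.partition(" ")
            if head.lower() == "explorer.exe":
                command = extra.strip()
        if not command:
            continue  # empty run=/load=, or a plain explorer.exe shell
        findings.append({
            "file": filename, "section": section, "key": key,
            "command": command, "padded": leading > PAD_THRESHOLD,
        })
    return findings


# Constructed samples (not real files): a padded run= line in WIN.INI and a
# shell= line carrying an extra program in SYSTEM.INI.
PADDED_RUN_LINE = "run=" + " " * 40 + "C:\\WINDOWS\\SYSTEM\\updater.exe"
WIN_INI_SAMPLE = "\n".join([
    "[windows]",
    "load=",
    PADDED_RUN_LINE,
    "[Desktop]",
    "Wallpaper=(None)",
])
SYSTEM_INI_SAMPLE = "\n".join([
    "[boot]",
    "shell=explorer.exe C:\\windows\\filename.exe",
    "[386Enh]",
    "device=example.vxd",
])

if __name__ == "__main__":
    for entry in (find_ini_autostarts(WIN_INI_SAMPLE, "win.ini")
                  + find_ini_autostarts(SYSTEM_INI_SAMPLE, "system.ini")):
        print(entry)
```

The parser keeps the raw line until after the key has been split off, so the count of spaces following the equals sign survives; a plain strip() first would throw away exactly the evidence the padding trick relies on.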
11. RELAUNCHING. Windows reruns programs that were running when Windows shut down. Windows cannot do this with most non-Microsoft programs, but it will do it easily with Internet Explorer and with Windows Explorer, the file-and-folder manager built into Windows. If you have Internet Explorer open when you shut Windows down, Windows will reopen IE with the same page open when you boot up again. (If this does not happen on your Windows PC, someone has turned that feature off. Use Tweak UI, the free Microsoft Windows user interface manager, to reactivate "Remember Explorer settings," or whatever it is called in your version of Windows.)
12. TASK SCHEDULER. Windows executes autorun instructions in the Windows Task Scheduler (or any other scheduler that supplements or replaces the Task Scheduler). The Task Scheduler is an official part of all Windows versions except the first version of Windows 95, but is included in Windows 95 if the Microsoft Plus Pack was installed.
13. SECONDARY INSTRUCTIONS. Programs that Windows launches at startup are free to launch separate programs on their own. Technically, these are not programs that Windows launches, but they are often indistinguishable from ordinary auto-running programs if they are launched right after their "parent" programs run.
14. C:\EXPLORER.EXE METHOD. Windows loads explorer.exe (typically located in the Windows directory) during the boot process. However, if c:\explorer.exe exists, it will be executed instead of the Windows explorer.exe. If c:\explorer.exe is corrupt, the user will effectively be locked out of the system after rebooting. If c:\explorer.exe is a trojan, it will be executed. Unlike all other autostart methods, this one needs no file or registry changes: the file simply has to be named c:\explorer.exe.
15. ADDITIONAL METHODS. The first two keys below are used by the SubSeven 2.2 trojan.
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
ICQ Inet:
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key specifies that all applications listed beneath it will be executed when ICQ Net detects an Internet connection.
[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]
="Scrap object"
"NeverShowExt"=""
The NeverShowExt value in this key keeps the file's extension from being displayed, so the file's real type is not shown.
