Trojan Startup Methods Doc~ This is all about Trojan startup methods. Enjoy.
Win.ini = C:\windows\win.ini
[windows]
Run=
Load=
Any filename after Run= or Load= will start up every time you boot. Please note that the file name may be hidden far along the line after a long run of spaces, so scroll all the way across to check that nothing is hidden there. Some AOL password stealers (aol.pws) hide there.
System.ini = c:\windows\system.ini
[boot]
shell=explorer.exe C:\windows\filename
Another way to start a file is the shell method: the file named next to explorer.exe will start whenever Windows starts. Again, scroll all the way across just to be sure. The file name next to explorer.exe can be deleted, stopping the server from starting that way. The location should be shown along with the filename; if it isn't, assume it is in the Windows folder and search for the file name there.
Go to Start > Run and type "sysedit". This opens a program with multiple windows: one will say system.ini, one will say win.ini, and there will be two others you can ignore. This is just an easier way of accessing system.ini and win.ini.
Before we move to the registry there is one folder, C:\WINDOWS\Start Menu\Programs\StartUp: any file in here will start when Windows is booted up.
Now the registry. Note that any changes could compromise your system, so do only what we say. To access your registry go to Start > Run and type "regedit" (without the quotes). A window with what look like multiple folders should pop up, e.g. HKEY_LOCAL_MACHINE.
There are multiple startup places in your registry; here is a list (the less known ones first, the more common ones at the end):
[HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*"
If these keys don't have the "\"%1\" %*" value and have instead been changed to something like "\"server.exe %1\" %*", then a file is being run on startup (in fact every time a file of that type is opened), and it is most likely a Trojan.
ICQ Inet:
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key states that all apps listed under it will be executed when ICQNET detects an Internet connection.
[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] ="Scrap object"
"NeverShowExt"=""
This value hides the file's real extension (.shs for a scrap object), so the file appears to have whatever extension was specified before it.
More commonly known keys:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
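The checks described above (win.ini Run=/Load= entries padded out of view, an extra file after explorer.exe in system.ini, and file-type open commands that are no longer "%1" %*) as an added example; this is not code from the original doc. It runs offline over constructed sample copies of the two .ini files, and the registry command values are passed in as a plain dictionary (reading them from a live registry, e.g. with winreg, is left to the reader).

```python
import re

# Normal default value of exefile/comfile/batfile/... \shell\open\command.
EXPECTED_OPEN_CMD = '"%1" %*'

def ini_values(text, section, key):
    """Every raw value (whitespace kept) of `key` under `[section]` in a Win9x .ini file."""
    current, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in raw:
            k, v = raw.split("=", 1)
            if k.strip().lower() == key.lower():
                found.append(v)
    return found

def check_win_ini(text):
    """Flag anything on the [windows] run= / load= lines; note entries hidden behind padding."""
    findings = []
    for key in ("run", "load"):
        for value in ini_values(text, "windows", key):
            if value.strip():
                flag = " (hidden behind padding)" if re.match(r"\s{8,}", value) else ""
                findings.append(f"win.ini [windows] {key}={value.strip()}{flag}")
    return findings

def check_system_ini(text):
    """Flag a replaced shell or extra files listed after explorer.exe (8.3 names, so no spaces)."""
    findings = []
    for value in ini_values(text, "boot", "shell"):
        parts = value.split()
        if parts and parts[0].lower() != "explorer.exe":
            findings.append(f"system.ini [boot] shell replaced: {value.strip()}")
        for extra in parts[1:]:
            findings.append(f"system.ini [boot] shell launches extra file: {extra}")
    return findings

def check_open_commands(values):
    """values maps a ...\\shell\\open\\command key to its default value; anything but "%1" %* is a hijack."""
    return [f"{key} hijacked: {val}" for key, val in values.items() if val.strip() != EXPECTED_OPEN_CMD]

# Constructed sample data (not taken from a real machine).
SAMPLE_WIN_INI = "[windows]\nload=\nrun=" + " " * 100 + "c:\\windows\\aol.pws\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe c:\\windows\\server.exe\ndrivers=mmsystem.dll\n"
SAMPLE_OPEN_CMDS = {r"HKCR\exefile\shell\open\command": '"%1" %*',
                    r"HKCR\comfile\shell\open\command": '"server.exe %1" %*'}

if __name__ == "__main__":
    findings = check_win_ini(SAMPLE_WIN_INI) + check_system_ini(SAMPLE_SYSTEM_INI)
    for f in findings + check_open_commands(SAMPLE_OPEN_CMDS):
        print(f)
```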
Over the many years trojans have been known, it is very expected that they will get better and better, meaning our protection will have to get better and better. This evolutionary cycle will keep going and going. I believe trojans will get smarter and AVP will not meet the match. Advice: Don't get infected =P
Written By Doc~
(C)opyright Megasecurity.org
icq - 62346999