More About How Trojans Start Up On Your Computer
Many malicious programs use "startup methods", therefore this layer of protection protects you not only from Trojans, but from worms and other bugs as well.
There are some common exploits that allow others to copy files onto your computer, but not to run them. These include some Internet Explorer exploits if no critical updates have been applied, FTP or HTTP servers, and third-party programs that allow uploading or downloading, such as the more popular music sharing programs.
Getting the file to run is another story. Either they hope that the file will arouse your curiosity and you will run it, or they will have it copied to a place where the file will run automatically when you reboot. (Note: newer exploits allow files to be run at upload time.)
As long as you have Hacker Eliminator running on the system at the time the file is copied to your startup folder, you will ALWAYS get a warning that XXX program was just added to your system startup and will start when you reboot.

Options are included in Hacker Eliminator to "undo" the changes that have been made to your system, if you do not want the program to start up.
All remote access Trojans MUST have a startup method to survive on your system after it has been rebooted.
Hacker Eliminator detects the known startup methods below as well as other proprietary ones.
Win.ini
This startup method adds the trojan file name to the run=
or load= lines. This is detected in Hacker Eliminator as
Startup Method : WIN.INI - LOAD
System.ini
This startup method adds the trojan file name to the shell=
line. This is detected in Hacker Eliminator as Startup
Method : SYSTEM.INI - SHELL
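As an added example (not part of the original page and not Hacker Eliminator's own code), the following Python script audits win.ini and system.ini text for the two methods just described: anything on the run= or load= lines of [windows], and anything on the [boot] shell= line other than the stock Explorer.exe. The sample file contents and the file name mstask32.exe are constructed for the demonstration.

```python
import configparser
from typing import List, Optional, Tuple

# Constructed sample files (not from a real machine): win.ini with a program
# added on the load= line, and system.ini with an extra executable appended
# to the [boot] shell= line after Explorer.exe.
SAMPLE_WIN_INI = """\
[windows]
load=C:\\WINDOWS\\SYSTEM\\mstask32.exe
run=
NullPort=None

[Desktop]
Wallpaper=(None)
"""

SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\mstask32.exe
system.drv=system.drv
drivers=mmsystem.dll

[386Enh]
device=*vmm
"""

Finding = Tuple[str, str]  # (startup method label, offending value)


def _parse_ini(text: str) -> configparser.ConfigParser:
    # Windows INI files are lenient: duplicate keys, no interpolation, '=' as
    # the only separator, and keys in any case; configure the parser to match.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    return cp


def _section(cp: configparser.ConfigParser, wanted: str) -> Optional[str]:
    # Section names are case-insensitive on Windows but not in configparser.
    for name in cp.sections():
        if name.lower() == wanted:
            return name
    return None


def audit_win_ini(text: str) -> List[Finding]:
    """Report any program named on the run= or load= lines of [windows].
    Both lines are empty on a stock installation."""
    cp = _parse_ini(text)
    section = _section(cp, "windows")
    findings: List[Finding] = []
    if section is not None:
        for key in ("run", "load"):
            value = (cp.get(section, key, fallback="") or "").strip()
            if value:
                findings.append(("WIN.INI - LOAD", value))
    return findings


def audit_system_ini(text: str) -> List[Finding]:
    """Report a [boot] shell= line that is anything other than Explorer.exe,
    which catches both an appended trojan and a replaced shell."""
    cp = _parse_ini(text)
    section = _section(cp, "boot")
    findings: List[Finding] = []
    if section is not None:
        shell = (cp.get(section, "shell", fallback="") or "").strip()
        if shell and shell.lower() != "explorer.exe":
            findings.append(("SYSTEM.INI - SHELL", shell))
    return findings


if __name__ == "__main__":
    for finding in audit_win_ini(SAMPLE_WIN_INI) + audit_system_ini(SAMPLE_SYSTEM_INI):
        print("Startup Method : %s -> %s" % finding)
```

The shell= check deliberately compares the whole line against Explorer.exe rather than looking for a known bad name: an appended program, a different shell, or a full path to a copy of explorer.exe elsewhere all show up the same way, and the operator decides whether the change was expected.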
Autoexec.bat
This startup method adds the trojan file name to any line. Sometimes the trojan will be added with an "@" prefix, as in @trojan.exe, so that the line is not displayed to the user during boot. This is detected in Hacker Eliminator as a file change that shows the added line.
Winstart.bat
This startup method adds the trojan file name to any line.
This is detected in Hacker Eliminator as a file change that
shows the added line.
Wininit.ini
This startup method adds the trojan file name to any line.
This is detected in Hacker Eliminator as a file change that
shows the added line.
Config.sys
This startup method adds the trojan file name to any line.
This is detected in Hacker Eliminator as a file change that
shows the added line.
Startup Folder (common)
This startup method adds the trojan file or a shortcut to it to \Windows\Start Menu\Programs\Startup\
Startup Folder (advanced)
This startup method changes the registry to create a second startup folder alongside the existing one in the location shown above. This new startup folder can be at any location on the infected computer, but will usually be buried deep in the directory structure so that it goes unnoticed by the user. For example:
\Windows\System\OOBE\HTML\Mouse\Driver\My Startup\
The registry value changes that add this second startup folder are:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Startup="C:\Windows\System\OOBE\HTML\Mouse\Driver\My Startup"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Startup="C:\Windows\System\OOBE\HTML\Mouse\Driver\My Startup"
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders
"Common Startup"="C:\Windows\System\OOBE\HTML\Mouse\Driver\My Startup"
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
"Common Startup"="C:\Windows\System\OOBE\HTML\Mouse\Driver\My Startup"
By changing the above keys, every executable inside the folder "My Startup" will launch at reboot.
Registry
Common registry startup detection is covered as:
HKLM\Software\Microsoft\Windows\CurrentVersion\
Run (detected as Startup Method : Registry (LM) - Run process name)
RunOnce (detected as Startup Method : Registry (LM) - RunOnce process name)
RunServices (detected as Startup Method : Registry (LM) - RunServices process name)
RunServicesOnce (detected as Startup Method : Registry (LM) - RunServicesOnce process name)
HKCU\Software\Microsoft\Windows\CurrentVersion\
Run (detected as Startup Method : Registry (CU) - Run process name)
RunOnce (detected as Startup Method : Registry (CU) - RunOnce process name)
RunServices (detected as Startup Method : Registry (CU) - RunServices process name)
RunServicesOnce (detected as Startup Method : Registry (CU) - RunServicesOnce process name)
Registry Shell Spawning
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
Each of these keys should have the value "%1" %*; if this is changed to server.exe "%1" %*, then server.exe is executed EVERY TIME an exe/pif/com/bat/hta file is run. These keys are commonly known as the Unknown Startup Method and are currently used by the SubSeven Trojan.
ICQ NetDetect
HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\mystart
"Path"="testme.exe"
"Startup"="c:\"
"Parameters"=""
"Enable"="Yes"
HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\
The key shown above holds all the programs that are executed IF ICQ NetDetect detects an Internet connection. This is detected in Hacker Eliminator as: Startup Method : ICQ NetDetect (process name)
Explorer start-up
Windows 95, 98 and ME start Explorer.exe through a system.ini entry. The entry itself contains no path information, so if c:\explorer.exe exists, it will be started instead of c:\$winpath\explorer.exe.
Windows NT/2000
The Windows Shell is the familiar desktop that's used for
interacting with Windows. During system startup, Windows
NT 4.0 and Windows 2000 consult the "Shell" registry
entry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell,
to determine the name of the executable that should be loaded
as the Shell. By default, this value specifies Explorer.exe.
This problem has to do with the search order that applies while system startup is in progress. Whenever a registry entry specifies the name of a code module using a relative path, Windows initiates a search process to find the code. The search order is as follows: search the current directory; if the code isn't found, search the directories specified in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path, in the order in which they are specified; if the code still isn't found, search the directories specified in HKEY_CURRENT_USER\Environment\Path, in the order in which they are specified.
More info : http://www.microsoft.com/technet/security/bulletin/fq00-052.asp
Patch : http://www.microsoft.com/technet/support/kb.asp?ID=269049
Note : If a trojan installs itself as c:\explorer.exe, no run keys or other start-up entries are needed. If c:\explorer.exe is a corrupted file, the user will be locked out of the system. This affects all Windows versions as of today. Hacker Eliminator will warn you if explorer.exe is added to the root directory.
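As an added example that is not from the page or from Microsoft's bulletin, the Python function below simulates the relative-path search order just described and shows why a planted c:\explorer.exe wins over the real one. The fake file listings, the Path values, and the assumption that the current directory at startup is the root of C: are all constructed for the demonstration.

```python
import ntpath
from typing import Iterable, List, Optional, Set

# Constructed fake file systems (lower-cased full paths). PLANTED_FS has an
# explorer.exe dropped in the root of C:, CLEAN_FS has only the real one.
PLANTED_FS: Set[str] = {
    r"c:\explorer.exe",
    r"c:\windows\explorer.exe",
    r"c:\windows\system\kernel32.dll",
}
CLEAN_FS: Set[str] = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system\kernel32.dll",
}

# Constructed Path values standing in for the machine and user Path entries.
MACHINE_PATH = [r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM", r"C:\WINDOWS\COMMAND"]
USER_PATH = [r"C:\Tools"]


def resolve_startup_module(name: str, current_dir: str,
                           machine_path: Iterable[str], user_path: Iterable[str],
                           existing: Set[str]) -> Optional[str]:
    """Return the first location at which `name` is found, following the
    bulletin's order: current directory, then the machine Path (Session
    Manager\\Environment), then the user's Path. An absolute name is not
    searched at all, which is why a full path in the Shell value removes
    the ambiguity."""
    if ntpath.isabs(name):
        return name if name.lower() in existing else None
    search_dirs: List[str] = [current_dir, *machine_path, *user_path]
    for directory in search_dirs:
        candidate = ntpath.join(directory, name)
        if candidate.lower() in existing:
            return candidate
    return None


def explorer_in_root(existing: Set[str], drive: str = "c:") -> bool:
    """The check the page's warning amounts to: is there an explorer.exe
    sitting in the root of the drive?"""
    return f"{drive}\\explorer.exe" in existing


if __name__ == "__main__":
    for label, fs in (("planted", PLANTED_FS), ("clean", CLEAN_FS)):
        hit = resolve_startup_module("Explorer.exe", "C:\\", MACHINE_PATH, USER_PATH, fs)
        print(f"{label}: Shell=Explorer.exe resolves to {hit}; "
              f"root explorer present: {explorer_in_root(fs)}")
```

Because the current directory is searched first, the planted copy is chosen before any Path directory is consulted, and the real explorer.exe in the Windows directory is never reached; the same function with an absolute Shell value skips the search entirely.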
Active Setup Component
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName
StubPath=C:\PathToFile\Filename.exe
The above key will start Filename.exe BEFORE the shell and before any other program started by the Run keys. After the program has run, a matching key is created under HKEY_CURRENT_USER to keep the program from starting at the next reboot. Trojans that we have researched that use this startup method simply delete the HKEY_CURRENT_USER key when the trojan starts, to ensure that the Active Setup key continues to work each time the computer is restarted.
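As an added example that is not part of the page and not Hacker Eliminator's own code, the Python script below parses a REGEDIT export and applies the checks the page describes for four of the registry methods above: a Startup or Common Startup shell folder relocated away from ...\Start Menu\Programs\StartUp (Startup Folder (advanced)), entries in the Run, RunOnce, RunServices and RunServicesOnce keys, an exe/com/bat/hta/pif open command that is not exactly "%1" %* (Registry Shell Spawning), and any Active Setup StubPath. The .reg text, the file names sysupd.exe, cleanup.exe, server.exe and updater.exe, and the GUID-style component name are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

RegTree = Dict[str, Dict[str, str]]   # key path -> {value name -> string data}
Finding = Tuple[str, str, str]        # (startup method, key path, data)

# Constructed .reg export (not from a real machine) mixing the methods the
# page describes; every file name and the component GUID are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup"="C:\\Windows\\System\\OOBE\\HTML\\Mouse\\Driver\\My Startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"sysupd"="C:\\WINDOWS\\SYSTEM\\sysupd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\WINDOWS\\TEMP\\cleanup.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="server.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{CONSTRUCTED-GUID-0001}]
"StubPath"="C:\\WINDOWS\\SYSTEM\\updater.exe"
"""

_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
_RUN_LABELS = {"run": "Run", "runonce": "RunOnce",
               "runservices": "RunServices", "runservicesonce": "RunServicesOnce"}
_SPAWN_TYPES = {"exefile", "comfile", "batfile", "htafile", "piffile"}
_EXPECTED_OPEN_COMMAND = '"%1" %*'
_DEFAULT_STARTUP_FRAGMENT = r"\start menu\programs\startup"


def _unescape(s: str) -> str:
    # .reg string data doubles backslashes and escapes embedded quotes as \".
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> RegTree:
    """Minimal parser for REGEDIT exports: [key] headers plus "name"="string"
    and @="string" lines. Non-string data (dword:, hex:) is kept verbatim."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2).strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        tree[current][name] = data
    return tree


def audit_autostarts(tree: RegTree) -> List[Finding]:
    """Apply the page's checks to every key and return findings labelled the
    way the page labels its detections."""
    findings: List[Finding] = []
    for key, values in tree.items():
        parts = key.lower().split("\\")
        tag = "LM" if parts[0] == "hkey_local_machine" else "CU"
        lower = {n.lower(): d for n, d in values.items()}
        # Startup Folder (advanced): Startup / Common Startup moved away from
        # the stock ...\Start Menu\Programs\StartUp location.
        if "explorer" in parts and parts[-1] in ("shell folders", "user shell folders"):
            for name in ("startup", "common startup"):
                path = lower.get(name)
                if path is not None and _DEFAULT_STARTUP_FRAGMENT not in path.lower():
                    findings.append(("Startup Folder (advanced)", key, path))
        # Run / RunOnce / RunServices / RunServicesOnce directly under CurrentVersion.
        elif parts[-1] in _RUN_LABELS and len(parts) > 1 and parts[-2] == "currentversion":
            for data in values.values():
                findings.append((f"Registry ({tag}) - {_RUN_LABELS[parts[-1]]}", key, data))
        # Shell spawning: the open command of exe/com/bat/hta/pif must be exactly "%1" %*.
        elif len(parts) >= 4 and parts[-3:] == ["shell", "open", "command"] and parts[-4] in _SPAWN_TYPES:
            command = " ".join(lower.get("@", "").split())   # normalise whitespace only
            if command != _EXPECTED_OPEN_COMMAND:
                findings.append(("Unknown Startup Method (shell spawning)", key, command))
        # Active Setup: every StubPath runs before the shell, so list each for review.
        elif "active setup" in parts and "installed components" in parts and "stubpath" in lower:
            findings.append(("Active Setup Component", key, lower["stubpath"]))
    return findings


if __name__ == "__main__":
    for method, key, data in audit_autostarts(parse_reg(SAMPLE_REG)):
        print(f"Startup Method : {method}\n    {key}\n    {data}")
```

Running the script prints one finding per line. Two caveats for real use: Run-key and Active Setup entries are an inventory rather than a verdict, since Windows and legitimate installers use both, so compare against a baseline export of the same machine and report only what was added; and on real systems the htafile open command legitimately names mshta.exe before "%1" %*, so the exact-match check should be relaxed for that type or replaced by the same baseline comparison.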
No Startup Method Used:
If someone infects you with a Trojan that does not use a startup method, it is because they do not want to set off alarms in protection programs that may be monitoring startup files. In this case the hacker can only access the computer between the time of infection and the next system reboot. If Hacker Eliminator is active and in its default configuration, the Trojan server will still be detected as a new process by our third layer of protection, at which point it can be killed and disabled.