Autostart

Thread: Autostart

  1. #1
    tampabay420 (Senior Member, joined Aug 2002, 953 posts)

    Autostart

    while surfing trojanforge, i found this list of autostart methods, quite possibly a good reference for those without an adequate AntiVirii...
    Autostart folder
    C:\windows\start menu\programs\startup {english}
    C:\windows\Menu Démarrer\Programmes\Démarrage {french}
    C:\windows\All Users\Menu Iniciar\Programas\Iniciar {Portuguese, Brazilian}

    This Autostart Directory is saved in:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    Startup="C:\windows\start menu\programs\startup"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
    Startup="C:\windows\start menu\programs\startup"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
    "Common Startup"="C:\windows\start menu\programs\startup"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
    "Common Startup"="C:\windows\start menu\programs\startup"
    Setting it to anything other than C:\windows\start menu\programs\startup will lead to execution of ALL and EVERY executable inside the set directory.


    Win.ini
    [windows]
    load=trojan.exe
    run=trojan.exe

    System.ini
    [boot]
    Shell=Explorer.exe trojan.exe

    c:\windows\winstart.bat
    Normal bat file restarting every time.

    Registry
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Whatever"="c:\runfolder\program.exe"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    "Whatever"="c:\runfolder\program.exe"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Whatever"="c:\runfolder\program.exe"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Whatever"="c:\runfolder\program.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\000x]
    "RunMyApp"="||notepad.exe"
    The format is: "DllFileName|FunctionName|CommandLineArguments" -or- "||command parameters"

    Microsoft Windows 98
    Microsoft Windows 2000 Professional
    Microsoft Windows 2000 Server
    Microsoft Windows 2000 Advanced Server
    Microsoft Windows Millennium Edition

    http://support.microsoft.com/suppor...s/Q232/5/09.ASP


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Whatever"="c:\runfolder\program.exe"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Whatever"="c:\runfolder\program.exe"


    c:\windows\wininit.ini
    ' Often used by setup programs; when the file exists it is run ONCE and then is deleted by Windows.
    Example content of wininit.ini:
    [Rename]
    NUL=c:\windows\picture.exe

    ' This example sends c:\windows\picture.exe to NUL, which means that it is being deleted. This requires no interactivity with the user and runs totally stealth.

    Autoexec.bat
    something like
    c:\trojan.exe

    Registry Shell open
    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
    There should be a key with the value "%1 %*"; if there is some kind of .exe in it, it will be executed each time you execute a binary file.
    "server.exe %1 %*" would be a restart of a RAT.

    Icq Inet
    [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
    "Path"="test.exe"
    "Startup"="c:\\test"
    "Parameters"=""
    "Enable"="Yes"
    [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\
    This key includes all the APPS which are executed IF ICQNET detects an Internet connection.

    Explorer start-up
    Windows 95,98,ME
    Explorer.exe is started through a system.ini entry; the entry itself contains no path information, so if c:\explorer.exe exists it will be started instead of c:\$winpath\explorer.exe.
    Windows NT/2000
    The Windows Shell is the familiar desktop that's used for interacting with Windows. During system startup, Windows NT 4.0 and Windows 2000 consult the "Shell" registry entry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, to determine the name of the executable that should be loaded as the Shell.
    By default, this value specifies Explorer.exe.

    The problem has to do with the search order that occurs when system startup is in process. Whenever a registry entry specifies the name of a code module, but does it using a relative path, Windows initiates a search process to find the code. The search order is as follows:

    Search the current directory.
    If the code isn't found, search the directories specified in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path, in the order in which they are specified.
    If the code isn't found, search the directories specified in HKEY_CURRENT_USER\Environment\Path, in the order in which they are specified.
    More info : http://www.microsoft.com/technet/se...in/fq00-052.asp
    Patch : http://www.microsoft.com/technet/su...b.asp?ID=269049
    General :
    If a trojan installs itself as c:\explorer, no run keys or other start-up entries are needed. If c:\explorer.exe is a corrupted file the user will be locked out of the system. Affects all Windows versions as of today.


    Active-X Component
    HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName
    StubPath=C:\PathToFile\Filename.exe
    Believe it or not, this does start filename.exe BEFORE the shell and any other program normally started over the Run keys.
    Misc Information
    [HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] @="Scrap object"
    "NeverShowExt"=""
    The NeverShowExt key has the function to HIDE the real extension of the file (here SHS). This means if you rename a file as "Girl.jpg.shs" it displays as "Girl.jpg" in all programs including Explorer.
    Your registry should be full of NeverShowExt keys; simply delete the key to get the real extension to show up.
    http://www.trojanforge.net/showthrea...=&threadid=625
    it's always nice to find out how the bad guys are doin' it, well from the bad guys
    yeah, I'm gonna need that by friday...
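    As an added illustration (not from the original post or from trojanforge), here is a small Python checker that takes the text of a .reg export plus win.ini/system.ini and reports entries in the autostart locations the list above describes: Run-style keys, Active Setup StubPath, the Winlogon Shell value, the exefile open handler, and the load=/run=/shell= lines. The sample inputs are constructed to mirror the post's examples.

```python
# Autostart key paths from the post (lower-case substrings); "currentversion\run" also covers RunOnce, RunServices, RunServicesOnce and RunOnceEx.
AUTOSTART_KEYS = (r"software\microsoft\windows\currentversion\run",
                  r"software\microsoft\active setup\installed components",
                  r"software\microsoft\windows nt\currentversion\winlogon")
# Stock .exe handler (the post writes it as "%1 %*"); anything else runs on every .exe launch.
DEFAULT_EXE_HANDLER = '"%1" %*'

def audit_reg_export(text):
    """Scan .reg export text; return (key, value name, data) for every autostart entry found."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or "=" not in line or line.startswith(";"):
            continue
        name, data = line.split("=", 1)
        name, lkey = name.strip('"').lower(), key.lower()
        data = data.strip('"').replace('\\"', '"').replace('\\\\', '\\')  # undo .reg escaping
        if any(k in lkey for k in AUTOSTART_KEYS):
            findings.append((key, name, data))
        elif lkey.endswith(r"exefile\shell\open\command") and name == "@" and data != DEFAULT_EXE_HANDLER:
            findings.append((key, name, data))
    return findings

def audit_ini(filename, text):
    """Flag win.ini load=/run= and system.ini shell= values that start an extra program."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if "=" not in line:
            continue
        k, v = (s.strip() for s in line.split("=", 1))
        if filename == "win.ini" and section == "windows" and k.lower() in ("load", "run") and v:
            findings.append((filename, k, v))
        if filename == "system.ini" and section == "boot" and k.lower() == "shell" and v.lower() != "explorer.exe":
            findings.append((filename, k, v))
    return findings

# Constructed sample input mirroring the post's examples (not captured from a real machine).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\\runfolder\\program.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="server.exe \"%1\" %*"'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=trojan.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe trojan.exe\n"
```

    On a real box the .reg text would come from `reg export` (Windows 2000+) or regedit's export, and an empty `load=` line is correctly ignored.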

  2. #2
    Senior Member (joined May 2003, 472 posts)
    This thing can prove a lot helpful to defeat trojans and other Windows malware... BTW all Microsoft links are not working... I think the dots are creating a problem... bug in AO or most probably you just copy-pasted the contents without modifying the URLs
    guru@linux:~> who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;
