Hi

If you want to know where malware is possibly hiding, I have maintained
a little list - which might be far from complete. Part of it has already
been mentioned here, some points haven't:
(I haven't written down all sources, so I cannot give credit to
whomever - edit: [1],[2],[3]). On governmentsecurity [1], [coder]
has a few more.

Code:
        system.ini (Shell=Explorer.exe malware.exe)
        Win.ini (load=malware.exe or run=malware.exe)

        Startup folder:  Start->Programs->Startup
        Windows Scheduler (task scheduler or "at" for scheduled tasks)

        autoexec.bat - unknown files with .exe, .scr, .pif, .com, .bat
        config.sys - unknown files

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
        [HKEY_CLASSES_ROOT\exefile\shell\open\command]
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]

        "legitimate" file names at wrong position or similar file names
        (svchost in %SystemRoot%\Wins, taskmngr.exe, ...)

        unknown services

Does anyone know about this "secret" method in sub7?
I heard sub7 actually infects a system file which is running, leaving its
functionality intact. I don't know whether this is true. But if it is, this would be nothing
new:
In the good old days, when virii were shipped around on 5 1/4 discs,
they attached themselves to .exe and .com files, leaving the "victims" working
intact, while at the same time enabling themselves to spread around.

I am aware that such a question sounds rather suspicious. However,
full disclosure is the way to go in my opinion. Better to know where these beasts
can hide than to remain ignorant.

Cheers.


[1] http://forums.governmentsecurity.org...showtopic=2721
[2] http://archives.neohapsis.com/archiv...3-04/0119.html
[3] http://www.mac-net.com/570488.page
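A defender-side audit of the autostart locations listed in the post above, as an added example (this is not code from the original post or any of the linked threads). It is read-only and assumes PowerShell 5.1 or later on a Windows host; the "expected" exefile command value `"%1" %*` and the service-path heuristic are my own assumptions for flagging entries worth a second look.

```powershell
# Added example: enumerate the autostart locations from the post so an admin can review them.
# Read-only. Assumes PowerShell 5.1+ on Windows (Registry provider, Get-ScheduledTask, CIM).

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',      # 9x-era, usually absent
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',  # 9x-era, usually absent
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSParentPath, ...)
        "Run key : {0}\{1} = {2}" -f $key, $p.Name, $p.Value
    }
}

# exefile\shell\open\command: the default is "%1" %*. Anything else means every .exe launch
# is first routed through another program (assumed expected value, see lead-in).
$exeKeys = @('Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
             'HKLM:\SOFTWARE\Classes\exefile\shell\open\command')
foreach ($key in $exeKeys) {
    if (-not (Test-Path $key)) { continue }
    $cmd = (Get-ItemProperty -Path $key).'(default)'
    $status = if ($cmd -eq '"%1" %*') { 'OK' } else { 'REVIEW' }
    "exefile : {0} = {1} [{2}]" -f $key, $cmd, $status
}

# win.ini load= / run= and system.ini Shell= (legacy, but cheap to check)
foreach ($ini in @("$env:SystemRoot\win.ini", "$env:SystemRoot\system.ini")) {
    if (-not (Test-Path $ini)) { continue }
    Select-String -Path $ini -Pattern '^\s*(load|run|shell)\s*=' |
        ForEach-Object { "INI : {0}:{1} {2}" -f $ini, $_.LineNumber, $_.Line.Trim() }
}

# Startup folders (current user and all users) and enabled scheduled tasks
foreach ($sf in 'Startup', 'CommonStartup') {
    Get-ChildItem -Path ([Environment]::GetFolderPath($sf)) -ErrorAction SilentlyContinue |
        ForEach-Object { "Startup ({0}) : {1}" -f $sf, $_.FullName }
}
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } |
    ForEach-Object { "Task : {0}{1} -> {2}" -f $_.TaskPath, $_.TaskName, ($_.Actions.Execute -join ' ; ') }

# Services whose binary lives outside the Windows and Program Files trees (heuristic, assumed;
# legitimate third-party services can trip it, so treat hits as "review", not "malware").
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)' } |
    ForEach-Object { "Service : {0} ({1}) -> {2}" -f $_.Name, $_.StartMode, $_.PathName }
```

Run it from an elevated prompt so the HKLM keys and all services are readable; compare the output against a known-good host rather than reading it in isolation.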