Full Version: Added to the Autostarts topic...
TonyKlein
Added to the Collection of Autostart Locations found here:

http://gladiator-antivirus.com/forum/index...st=0#entry88429


43. Autorun.inf files

Although the great majority of flash drives do not automatically autorun on insertion, the addition of an autorun.inf file can cause them to spread infection. Accessing an infected flash drive through My Computer (clicking on the drive) will cause that autorun.inf to run.

If the autorun.inf is written a certain way, when the autoplay screen comes up on insertion, the user can be tricked into running a nasty file. By clicking an icon in the "use this program to run..." dialog, a non-legit program added to the autorun.inf file on that drive can be run:

shell\open\command=trojan.exe

Some malware adds autorun.inf files to the root of all logical drives.

Examples of malware using these techniques:

http://www.symantec.com/security_response/...-99&tabid=2
http://www.symantec.com/security_response/...-99&tabid=1
http://www.symantec.com/security_response/...-99&tabid=2


44. App Paths

One major purpose of the “App Paths” registry key is to map the name of an application's executable file to the file's fully qualified path.

An App Paths subkey for a particular application (in this case iexplore.exe) will look something like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE]
@="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"
"Path"="C:\\Program Files\\Internet Explorer;"

As a result, one can type iexplore in the "Run" dialog box without including the full path, and an instance of Internet Explorer will be started.

Malware could alter a file path by pointing to itself so that "trojan.exe" would be launched instead of the original application!

Some examples of malware using this technique:

http://www.symantec.com/security_response/...-99&tabid=2
http://www.sophos.co.uk/security/analyses/trojbckdrpuq.html



... plus a number of edits and corrections....
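Since an autorun.inf is just an INI file, the launch directives Tony describes (open=, shellexecute= and shell\<verb>\command=) can be spotted by reading the file without ever opening the drive in Explorer. The following Python script is an added example written for this thread, not a tool the thread mentions; the two autorun.inf contents it inspects are constructed samples.

```python
r"""Inspect an autorun.inf for directives that make Windows run a program when a
drive is opened or offered in the AutoPlay dialog. Added example for this
thread, not a tool the thread mentions; the sample file contents are constructed."""
import configparser

# Constructed sample modelled on the pattern described in the post.
SAMPLE_AUTORUN_INF = r"""[autorun]
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Holiday photos
open=trojan.exe
shellexecute=trojan.exe
shell\open\command=trojan.exe
shell\explore\command=trojan.exe
shell=open
"""

# A benign file that only sets a drive icon and label (constructed).
BENIGN_AUTORUN_INF = "[AutoRun]\nicon=setup.exe,0\nlabel=Tools\n"

LAUNCH_KEYS = ('open', 'shellexecute')  # directives whose value is a command line

def parse_autorun(text):
    r"""Return the [autorun] section as {option: value}. Option names are
    lower-cased by configparser; strict=False tolerates repeated keys;
    interpolation is off because values contain '%'; only '=' is a delimiter
    so the ':' in 'C:\...' is not treated as one."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=('=',))
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == 'autorun'), None)
    return dict(cp[section]) if section else {}

def launch_directives(options):
    r"""{directive: command} for every option that causes code to run: open=,
    shellexecute= and shell\<verb>\command= (the verbs shown in the drive's
    context menu; shell=<verb> makes one of them the double-click default)."""
    return {name: value for name, value in options.items()
            if name in LAUNCH_KEYS
            or (name.startswith('shell\\') and name.endswith('\\command'))}

def report(text):
    """Human-readable verdict for one autorun.inf."""
    hits = launch_directives(parse_autorun(text))
    if not hits:
        return 'no launch directives (icon/label only)'
    return 'launches code via: ' + ', '.join(f'{k}={v}' for k, v in sorted(hits.items()))

if __name__ == '__main__':
    for name, text in (('sample', SAMPLE_AUTORUN_INF), ('benign', BENIGN_AUTORUN_INF)):
        print(f'{name}: {report(text)}')
```

Reading the file this way never executes anything; the point is to know what the AutoPlay dialog or a double-click on the drive would run before touching the drive in Explorer.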
LUSER
Just curious Tony, how does your list compare to the following?

Silent runner's or

Grime's Where Windows malware hides

Are these 3 the most comprehensive lists out there?

Which applications cover the most ground?

Mark Russinovich's Autoruns , the Silent Runner script or Merijn's StartupList or something else?
TonyKlein
Hi Luser,

My List limits itself to "autostart locations" proper, and as for those it is close to comprehensive.

There are of course numerous other registry keys and values that can be 'hacked' by malware, and the SilentRunners script lists a number of those as well, as does Grime's List although I notice it hasn't been updated in a while.

Autoruns and StartupList2 both cover a lot of ground.
TonyKlein
Added:

Print Monitors

The "driver" string value in a subkey of the following Registry key defines the DLL filename for the appropriate print monitor:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors

This too can be a launch point used by malware; example:

http://www.trendmicro.com/vinfo/grayware/v....A&VSect=Td


... also a mention that in the following keys as well, a "Shell" string value can be used to specify an alternate user interface for Windows 2000 and XP:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
tirol
Hey Tony,

Will add this to the already translated part on Zebulon, OK?
tirol.
TonyKlein
Sure, go right ahead. :)

Note that the last few times I've updated it there have been other changes, edits and additions as well throughout the article...
tirol
QUOTE
Note that the last few times I've updated it there have been other changes, edits and additions as well throughout the article...


tricycle
TonyKlein
L0L!

I do edit all English language topics myself. However, although my French is pretty good, having lived in Brussels for twelve years, my knowledge of computer terminology in that language is nil, so I'm afraid I can't help you there...
TonyKlein
Updated, a number of edits, new links and corrections + added:


46. LSA Authentication Packages and Notification Packages

Lsass.exe, the "Local Security Authentication Server", generates the process responsible for authenticating users for the Winlogon service.
At System startup, the LSA will load the authentication package DLLs referenced in the following registry value:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"


A recent variant of Virtumonde/Vundo malware adds to this registry value in order to load a dll into memory:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnlli.dll


Other REG_MULTI_SZ values to watch in this registry key are:

Notification Packages, which specifies the dlls that are loaded or called when passwords are set or changed.

Security Packages, containing the path to the security package dll loaded into memory.



47. "UIHost" string value in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

This value data specifies the path to the dll implementing the Welcome screen, the default being logonui.exe.

A rogue dll could be loaded into memory in this manner.
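The three Lsa values above are REG_MULTI_SZ, which a .reg export stores as hex(7): UTF-16LE bytes, NUL-separated, double-NUL terminated and wrapped over continuation lines ending in a backslash. The Python below, an added example written for this thread and not a tool the thread mentions, decodes those values from a constructed export of the Lsa key and lists every package that is not in an assumed baseline (the baseline is my assumption of Windows XP defaults, to be confirmed on a known-good machine).

```python
"""Decode REG_MULTI_SZ values from a .reg export of the Lsa key and compare the
package lists with an assumed-clean baseline. Added for this thread; the baseline
is an assumption (XP defaults) to be confirmed on a known-good machine."""

# Constructed export: "Authentication Packages" holds msv1_0 plus an added dll
# (the Virtumonde pattern from the post), "Notification Packages" only scecli.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,43,00,3a,00,\
  5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,\
  65,00,6d,00,33,00,32,00,5c,00,6e,00,6e,00,6c,00,6c,00,69,00,2e,00,64,00,6c,00,\
  6c,00,00,00,00,00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
'''

LSA_KEY = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa'
LSA_BASELINE = {  # assumption: Windows XP defaults, verify on a clean machine
    'Authentication Packages': {'msv1_0'},
    'Notification Packages': {'scecli'},
    'Security Packages': {'kerberos', 'msv1_0', 'schannel', 'wdigest'},
}

def decode_multi_sz(payload):
    """Decode the bytes after 'hex(7):' (UTF-16LE strings, each NUL-terminated,
    list closed by an extra NUL) into a list of strings. Continuation lines in
    the payload end with a backslash, which is dropped before joining."""
    joined = ''.join(part.strip().rstrip('\\') for part in payload.splitlines())
    raw = bytes(int(b, 16) for b in joined.split(',') if b)
    return [s for s in raw.decode('utf-16-le').split('\x00') if s]

def find_value(reg_text, key, value_name):
    """Return the raw hex(7) payload (continuation lines included) of one value
    under one key, or None when the value is absent."""
    lines = reg_text.splitlines()
    in_key = False
    for i, line in enumerate(lines):
        if line.startswith('['):
            in_key = line.strip('[]').lower() == key.lower()
        elif in_key and line.startswith(f'"{value_name}"=hex(7):'):
            chunks = [line.split('hex(7):', 1)[1]]
            while chunks[-1].rstrip().endswith('\\'):
                i += 1
                chunks.append(lines[i])
            return '\n'.join(chunks)
    return None

def check_lsa_packages(reg_text):
    """{value name: [entries not in the baseline]} for the Lsa values present."""
    findings = {}
    for name, expected in LSA_BASELINE.items():
        payload = find_value(reg_text, LSA_KEY, name)
        if payload is None:
            continue
        extra = [e for e in decode_multi_sz(payload) if e.lower() not in expected]
        if extra:
            findings[name] = extra
    return findings

if __name__ == '__main__':
    for name, extra in check_lsa_packages(SAMPLE_REG).items():
        print(f'{name}: unexpected entries {extra}')
```

A full path in an authentication package list is the giveaway here: the legitimate entries are bare package names that lsass resolves from system32.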
TonyKlein
Added:

49. Session Manager\SubSystems (Windows NT/2000/XP/Vista)

During the boot process, smss.exe, the Session Manager, among other things loads the subsystems defined in the following Registry key:

HKEY_Local_Machine\System\CurrentControlSet\Control\Session Manager\SubSystems

The typical value data for the "Windows" REG_EXPAND_SZ registry value in this key would be:

CODE
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16


Recently malware has appeared on the scene that replaces the default basesrv.dll server dll in order to load a rogue dll into memory:

http://www.sophos.com/security/analyses/trojagentgjs.html

Also see here



50. ShellIconOverlayIdentifiers (Windows NT/2000/XP/Vista)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

Legitimate software can create a subkey here in order to implement a shell icon overlay identifier.

Malware can of course do this just as well, for example:

CODE
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Malware
@={11111111-1234-1234-1234-111111111111}


The default value data of HKEY_CLASSES_ROOT\CLSID\{11111111-1234-1234-1234-111111111111}\InProcServer32 would then point to a rogue dll to be loaded into memory.



51. Drivers32 (Windows NT/2000/XP/Vista)


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32

String values in this registry key define the dlls for various applications.

Recently, malware has been observed writing to this key, installing itself as a .midi driver and causing it to be loaded in all applications that use sound:

CODE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midi1"="rogue.dll"


http://vil.nai.com/vil/content/v_143943.htm
http://www.symantec.com/security_response/...-99&tabid=2

It is likely that other values in this key can be exploited as well.
TonyKlein
Added:

5c. Terminal Server Autorun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run


and:



52. BootVerificationProgram (Windows NT/2000/XP/Vista)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BootVerificationProgram

The BootVerificationProgram subkey stores data about custom startup verification programs, see here

An ImagePath REG_EXPAND_SZ value could be created here specifying the path to a rogue executable.



53. Backup, disk error checking, disk cleanup, and disk defragmentation paths (Windows NT/2000/XP/Vista)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\ChkDskPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath

The default value in each of these registry keys contains the path to the default application Windows uses for the purpose in question. These could be substituted by rogue applications.
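Several of the locations in this thread (the App Paths entries from the first post, the Session Manager\SubSystems "Windows" value and Drivers32 from the post above, and the MyComputer tool paths here) can be checked offline against a .reg export rather than by hand in regedit. The Python below is an added example written for this thread, not a tool the thread mentions: it parses a constructed, simplified export (REG_EXPAND_SZ data written as plain strings rather than hex(2)) and flags values that differ from an assumed baseline. The expected values and known-good dll names are assumptions about Windows XP defaults and must be confirmed on a clean machine.

```python
r"""Review several autostart locations from this thread (App Paths, Session
Manager\SubSystems, Drivers32, MyComputer tool paths) in an offline .reg export,
e.g. one made with:  reg export HKLM\SOFTWARE hklm-software.reg
Hypothetical helper written for this thread, not a tool the thread mentions; the
"expected" values are assumed Windows XP defaults, to be confirmed on a clean box."""

# Constructed, simplified export: REG_EXPAND_SZ data is written as plain strings,
# whereas a real export stores it as hex(2):..., which this toy parser skips.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE]
@="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"
"Path"="C:\\Program Files\\Internet Explorer;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WORDPAD.EXE]
@="C:\\WINDOWS\\system32\\trojan.exe"
"Path"="C:\\Program Files\\Windows NT\\Accessories;"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=rogue,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"midi1"="rogue.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath]
@="C:\\WINDOWS\\system32\\trojan.exe %c:"
'''

HKLM = 'HKEY_LOCAL_MACHINE\\'
APP_PATHS = HKLM + 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\'
SUBSYSTEMS = HKLM + 'SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SubSystems'
DRIVERS32 = HKLM + 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32'
MYCOMPUTER = HKLM + 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\'
EXPECTED_SERVER_DLLS = {'basesrv', 'winsrv'}      # assumption: XP default set
KNOWN_DRIVERS32 = {'midimap.dll', 'mmdrv.dll'}    # assumption: partial XP list
EXPECTED_MYCOMPUTER = {                           # assumption: XP defaults
    'cleanuppath': '%SystemRoot%\\system32\\cleanmgr.exe /D %c',
    'DefragPath': '%SystemRoot%\\system32\\dfrg.msc %c:'}

def parse_reg(text):
    r"""{key: {value name: data}} for string values; '@' is the default value and
    the \\ and \" escapes of the .reg format are undone."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and '=' in line and line.endswith('"'):
            name, _, data = line.partition('=')
            if data.startswith('"'):
                keys[current][name.strip('"')] = data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    return keys

def lookup(keys, name):
    """Case-insensitive key lookup (registry key names are not case sensitive)."""
    return next((v for k, v in keys.items() if k.lower() == name.lower()), {})

def check_app_paths(keys):
    r"""App Paths entries whose default value is not <Path dir>\<subkey name>."""
    findings = []
    for key, values in keys.items():
        if key.lower().startswith(APP_PATHS.lower()):
            exe = key.rsplit('\\', 1)[1].lower()
            target = values.get('@', '').lower()
            allowed = values.get('Path', '').rstrip(';').lower()
            if not (target.startswith(allowed) and target.endswith('\\' + exe)):
                findings.append(f'{exe}: {values.get("@")}')
    return findings

def check_subsystems(keys):
    """ServerDll modules in the SubSystems "Windows" value outside the expected set."""
    value = lookup(keys, SUBSYSTEMS).get('Windows', '')
    modules = [tok.split('=', 1)[1].split(':', 1)[0].split(',', 1)[0]
               for tok in value.split() if tok.lower().startswith('serverdll=')]
    return sorted(m for m in modules if m.lower() not in EXPECTED_SERVER_DLLS)

def check_drivers32(keys):
    """Drivers32 values naming a dll that is not on the known-good list."""
    return sorted(f'{name}={dll}' for name, dll in lookup(keys, DRIVERS32).items()
                  if dll.lower() not in KNOWN_DRIVERS32)

def check_mycomputer_paths(keys):
    r"""MyComputer\<tool>Path default values that differ from the expected command."""
    findings = []
    for sub, expected in EXPECTED_MYCOMPUTER.items():
        actual = lookup(keys, MYCOMPUTER + sub).get('@')
        if actual is not None and actual.lower() != expected.lower():
            findings.append(f'{sub}: {actual}')
    return findings

def run_checks(reg_text):
    keys = parse_reg(reg_text)
    return {'App Paths': check_app_paths(keys), 'SubSystems': check_subsystems(keys),
            'Drivers32': check_drivers32(keys), 'MyComputer': check_mycomputer_paths(keys)}

if __name__ == '__main__':
    for location, findings in run_checks(SAMPLE_REG).items():
        print(f'{location}: {findings or "OK"}')
```

The same pattern (export, parse, compare with a baseline taken from a clean install) extends to the other keys in the list; the baselines are the part that has to be collected carefully, since a wrong "expected" value produces either noise or a silent miss.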