:: All Known and (so called) Unknown Autostart Methods ::

Last updated, please email me at munir@nohack.net if there are any updates

By tuya
#NoHack / Dal.Net
Contact: tuya70@yahoo.com

Autostart Methods

In the following pages you’ll see that this article contains most, (I guess it has all) autostart methods that Windows is using everytime you reboot. The aim of this article is actually giving out the Autostart Methods so that you can find out a bit by yourself how the trojans are working after you run them and also for to let you find the unknown ones. Because as you all know after running a scan on our system with a known Antivirus, we can detect most of the known virii/trojans/bots/etc with them. But as i said before, the aim for this article is to detect the unknown trojans by manually.
I guess that’s enough, i’m bored too ..here we go guys ..enjoy 🙂

So whatever you do, do it at your own risk. I’ve explained everything in detail so everything is clear. If you do something wrong, that is your problem.


Startup Methods

%windir%\Start Menu\Programs\StartUp {English}
%windir%\All Users\Start Menu\Programs\StartUp {English}
%windir%\Menu Démarrer\Programmes\Démarrage {French}
%windir%\All Users\Menu Iniciar\Programas\Iniciar { Portuguese, Brasilian }

Any file in Start Up directory copied or linked, will start when Windows is booted.So deleteing unknown/suspicious files from that location will be a good idea.

This Autostart Directory is saved in :

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup=”%windir%\Start menu\programs\startup”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup=”%windir%\Start menu\programs\startup”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
“Common Startup”=”%windir%\Start menu\programs\startup”

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
“Common Startup”=”%windir%\Start menu\programs\startup”

By setting it to anything other then C:\windows\start menu\programs\startup will lead to execution of ALL and EVERY executable inside set directory.
Addendum : as of 10/03/2001 Subseven 2.2 now uses this method.

  • The Shell=Explorer.exe line in %windir%\system.ini

Another way to start a file is use the shell method. The file name following explorer.exe will start whenever Windows starts. It can be anything next to the shell=Explorer.exe so be sure that there is no other things by that.

  • The load= line in %windir%\win.ini Under the [windows] section.

That’s a well known but also an unknown autostart method that trojan authors using for years. You need to be sure that the ‘load=’ line in ‘%windir%\win.ini’ (without the quotes) has no other file names next to it. Such as ‘load= pic.exe’, if you see a file name next to the load= you’d better delete it. File names can be hidden by placing them to the far right of one of these lines. Some AOL password capture parograms do that.

  • The run= line in %windir%\win.ini Under the [windows] section.

Well, that’s same with ‘load=’. So if you see anthing in here to, delete it.*

* In some cases the file next to the ‘load=’ and the ‘run=’ lines, could be placed there by any program that you use, or that could be a driver file of your hardware, but that’s rare.

The following keys are the most common start up methods for Windows OS’s such as :

  • Microsoft Windows 98 / SE
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows Millennium Edition
  • Microsoft Windows XP

 

DISCLAIMER
Modifying the registry can cause serious problems that may require you to reinstall your operating system. We cannot guarantee that problems resulting from modifications to the registry can be solved. Use the information provided at your own risk.
As a detail, the file name you see in the Right Pane like, “whatever”=”C:\Windows\Zip.exe”,
will run each time your windows reboots. That’s an old trick too which trojan authors used for years but it is still in use by most trojans around.So you need to be sure that you know every string and what it is in the Right Panel.

What Is The Registry ?

The Registry is a hierarchical database within later versions of Windows (95/98/NT4/NT5) where all the system settings are stored. It has replaced all of the .ini files that were present in Windows 3.x. The data from system.ini, win.ini, control.ini, are all contained within it now, along with hundreds of other system settings. Additionally, all Windows specific programs are now to store their initialization data within the Registry instead of in .ini files in your Windows folder.

About The Registry Editor..

The Registry cannot be viewed or edited with a normal editor – you must use a program included with Windows called RegEdit (Registry Editor) for Windows 95 & 98 or RegEdit32 for Windows NT 4 & 5. This program isn’t listed on your Start Menu and it is well hidden in your Windows directory. To run this program, just click on Start, Run, and type regedit (for Win 9x) or regedit32 (for Win NT) in the input field. This will start the Registry Editor. You can add this to the Start Menu or to the desktop for easier editing.

Registry Subtree
MY COMPUTER

  • HKEY_CLASSES_ROOT: Contains software settings about drag-and-drop operations, handles shortcut information, and other user interface information. There is a subkey here for every file association that has been defined.
  • HKEY_CURRENT_USER:Contains information regarding the currently logged-on user.
    • AppEvents: Settings for assigned sounds to play for system and applications sound events.
    • Control Panel: Control Panel settings, similar to those defined in System.ini, Win.ini and Control.ini in Windows 3.xx.
    • InstallLocationsMRU: Contains the paths for the Startup folder programs.
    • Keyboard layout: Specifies current keyboard layout.
    • Network: Network connection information.
    • RemoteAccess: Current log-on location information, if using Dial-Up Networking.
    • Software: Software configuration settings for the currently logged-on user.
  • HKEY_LOCAL_MACHINE:Contains information about the hardware and software settings that are generic to all users of this particular computer.
    • Config: Configuration information/settings.
    • Enum: Hardware device information/settings.
    • Hardware: Serial communication port(s) information/settings.
    • Network: Information about network(s) the user is currently logged on to.
    • Security: Network security settings.
    • Software: Software specific information/settings.
    • System: System startup and device driver information and operating system settings.
  • HKEY_USERS: Contains information about desktop and user settings for each user that logs on to the same Windows 95 system. Each user will have a subkey under this heading. If there is only one user, the subkey is “.default”.
  • HKEY_CURRENT_CONFIG: Contains information about the current hardware configuration, pointing to HKEY_LOCAL_MACHINE.
  • HKEY_DYN_DATA: Contains dynamic information about the plug-and-play devices installed on the system. The data here changes if devices are added or removed on-the-fly.

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
“Blah Blah”=”The_Location_Of_The_Trojan”

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnce
“Blah Blah”=”The_Location_Of_The_Trojan”

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
“Blah Blah”=”The_Location_Of_The_Trojan”

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunServices
“Blah Blah”=”The_Location_Of_The_Trojan”

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
“Blah Blah”=”The_Location_Of_The_Trojan”

Hkey_Local_Machine\Software\\Microsoft\Windows\CurrentVersion\RunOnceEx\000x “RunMyApp”=”||notepad.exe”
The format is: “DllFileName|FunctionName|CommandLineArguements” -or- “||command parameters”

Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run
“Blah Blah”=”The_Location_Of_The_Trojan”

Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\RunOnce
“Blah Blah”=”The_Location_Of_The_Trojan”

Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\RunServies
“Blah Blah”=”The_Location_Of_The_Trojan”

Subkeys (Static VxDs) under Hkey_Local_Machine\System\CurrentControlSet\Services\VxD\

The [386enh] section of %windir%\system.ini (this includes the scrnsave.exe= line in system.ini which can be used to run things on your system.

The [boot] section of %windir%\system.ini (this includes the scrnsave.exe= line in system.ini which can be used to run things on your system

The IOSUBSYS folder (drivers load automatically)
That’s easy huh ? That means anything in that folder will run in each time ur windows reboots.

The VMM32 folder (drivers that take precedence over those built into vmm32.vxd)

config.sys

autoexec.bat
Starts everytime at Dos Level.

winstart.bat
Note behaves like an usual BAT file. Used for copying/deleting specific files. Autostarts everytime you reboot.

wininit.ini
* Bonus item – files can be [runonce,] deleted or renamed from the wininit.ini file.

‘Often Used by Setup-Programs when the file exists it is run ONCE and then is deleted by windows
Example content of wininit.ini :

[Rename]
NUL=%windir%picture.exe

‘This example sends c:\windows\picture.exe to NUL, which means that it is being deleted. This requires no interactivity with the user and runs totaly stealth.
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @=”\”%1\” %*”
The key should have a value of Value “%1 %*”.
Backdoor example:
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @=”\”trojan.exe %1\” %*”

With such registry entries, the trojan.exe is executed each time an *.exe is executed.

 

[HKEY_CLASSES_ROOT\comfile\shell\open\command] @=”\”%1\” %*”
The key should have a value of Value “%1 %*”.
Backdoor example:
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @=”\”trojan.exe %1\” %*”

With such registry entries, the trojan.exe is executed each time an *.com is executed.

[HKEY_CLASSES_ROOT\batfile\shell\open\command] @=”\”%1\” %*”
The key should have a value of Value “%1 %*”.
Backdoor example:
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @=”\”trojan.exe %1\” %*”

With such registry entries, the trojan.exe is executed each time an *.bat is executed.

[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @=”\”%1\” %*”
The key should have a value of Value “%1 %*”.
Backdoor example:
[HKEY_CLASSES_ROOT\htafile\shell\open\command] @=”\”trojan.exe %1\” %*”

With such registry entries, the trojan.exe is executed each time an *.hta is executed.

[HKEY_CLASSES_ROOT\piffile\shell\open\command] @=”\”%1\” %*”
The key should have a value of Value “%1 %*”.
Backdoor example:
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @=”\”trojan.exe %1\” %*”

With such registry entries, the trojan.exe is executed each time an *.pif is executed.

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @=”\”%1\” %*”
The key should have a value of Value “%1 %*”.
Backdoor example:
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @=”\”trojan.exe %1\” %*”

With such registry entries, the trojan.exe is executed each time an *.bat is executed.

[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @=”\”%1\” %*”
The key should have a value of Value “%1 %*”.
Backdoor example:
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @=”\”trojan.exe %1\” %*”

With such registry entries, the trojan.exe is executed each time an *.com is executed.

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @=”\”%1\” %*”
The key should have a value of Value “%1 %*”.
Backdoor example:
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @=”\”trojan.exe %1\” %*”

With such registry entries, the trojan.exe is executed each time an *.exe is executed.
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @=”\”%1\” %*”
The key should have a value of Value “%1 %*”.
Backdoor example:
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\shell\open\command] @=”\”trojan.exe %1\” %*”

With such registry entries, the trojan.exe is executed each time an *.hta is executed.

[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @=”\”%1\” %*”
The key should have a value of Value “%1 %*”.
Backdoor example:
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @=”\”trojan.exe %1\” %*”

With such registry entries, the trojan.exe is executed each time an *.pif is executed.


[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
“Path”=”test.exe”
“Startup”=”c:\\test”
“Parameters”=””
“Enable”=”Yes”

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\
This key includes all the APPS which are executed IF ICQNET Detects an Internet Connection.

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\
This key includes all the APPS which are executed IF ICQNET Detects an Internet Connection.

The following two are used by Sub7 2.2
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName stubPath=C:\PathToFile\Filename.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\User shell folders
This does start filename.exe BEFORE the shell and any other Program normaly started over the Run Keys.

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] @=”Scrap object” “NeverShowExt”=””
The NeverShowExt key has the function to HIDE the real extension of the file (here) SHS. This means if you rename a file as “Girl.jpg.shs” it displays as “Girl.jpg” in all programs including Explorer.
Your registry should be full of NeverShowExt keys, simply delete the key to get the real extension to show up.

Explorer Autostarts :
Windows 95,98,ME
Explorer.exe ist started through a system.ini entry, the entry itself contains no path information so if c:\explorer.exe exist it will be started instead of %windir%\explorer.exe.

Windows NT/2000
The Windows Shell is the familiar desktop that’s used for interacting with Windows. During system startup, Windows NT 4.0 and Windows 2000 consult the “Shell” registry entry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, to determine the name of the executable that should be loaded as the Shell.
By default, this value specifies Explorer.exe.

The problem has to do with the search order that occurs when system startup is in process. Whenever a registry entry specifies the name of a code module, but does it using a relative path, Windows initiates a search process to find the code. The search order is as follows:
* Search the current directory.
* If the code isn’t found, search the directories specified in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path, in the order in which they are specified. The default settings for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path and HKEY_CURRENT_USER\Environment\Path are “%SystemRoot%\System32;%SystemRoot %” and null, respectively. Because the current directory during system startup is %SystemDrive%\, the resulting search path would be:

1. %SystemDrive%\ (e.g., C:\)
2. %SystemRoot%\System32 (e.g., C:\WINNT\System32)
3. %SystemRoot% (e.g., C:\WINNT)

The vulnerability results because the default permissions on %SystemDrive%\ allow all interactive users to write to it. Thus, on a machine that boots from the C: drive, if a malicious user placed a bogus Explorer.exe into C:\, the search order would cause it, rather than the bona fide Explorer.exe, to be loaded and executed each time a user on the machine logged on.
General :
If a trojan installs itself as c:\explorer no run keys or other start-up entries are needed. If c:\explorer.exe is a corrupted file the user will be locked out of the system. Affects all windows version as of today.