[zz]Common loading points for viruses, worms, and Trojan horse programs on Windows 2000/XP/2003
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2001060517115206?Open&seg=ent
Question/Issue:
You want to know the most common load points that are used by viruses, worms, or Trojans under Windows 2000/XP/2003.
Solution:
This document describes some common loading points for threats in Windows 2000/XP/2003. This document assumes that you have a working knowledge of file management and how to edit the registry.
By far, the most effective way to prevent and detect threats is to run a current Symantec AntiVirus product and keep the virus definitions updated.
The Windows 2000/XP/2003 environments, while not immune, are somewhat more resistant to viruses, worms, and Trojans than are Windows 98/Me. In Windows 2000/XP/2003, the most common loading points for these threats are in the registry.
WARNING: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.
The loading feature will normally be in the right pane of the following keys and will usually refer to the file name of the threat. Check these keys for suspicious entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\txtfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
With this branch selected, look in the right pane for the value: Userinit
This value should contain only C:\WINDOWS\system32\userinit.exe, and have no additional programs specified after the comma.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
With this branch selected, look in the right pane for the value: load
This value should be blank.
If you suspect that a system is infected, then examine each of these keys. Determine whether Value Name or Value Data, including the (Default) value, refers to a suspicious file.
Browser Helper Object (BHO)
Looking for suspicious entries that may have been added as a BHO is much more complex than looking at the values of the keys shown above, as most BHOs are legitimate. Also, this requires you to look at two different areas in the registry.
- Go to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- Directly under that key, in the left pane, look for any CLSID sub keys.
They will look similar to this example:
{06949E9F-C8D7-4D59-B87D-797B7D6BE0B3}
- Write down each of the strings that you find (or copy and paste it into Notepad.)
- Browse to and expand the subkey:
HKEY_CLASSES_ROOT\CLSID\<string of letters and numbers>
where <string of letters and numbers> is what you wrote down in step 3. - Under the expanded subkey, select the InProcServer32 key.
- In the right pane, in the Name and Data columns--including the (Default) value--look for any file name that look suspicious.
- Search either the hard drive or the Web--or both--to either confirm or deny these suspicions. Only if you can confirm that the file name is linked to a malevolent file should you delete the value.
Other load points
Another possible method that is used to load an infector is to hide a file and place it--or a shortcut to it--in one of the Startup folders. In Windows NT-based environments, there can be multiple Startup folders.
- On the Windows desktop, right-click Start > Open All Users.
- Double-click Programs.
- Double-click Startup.
- Look for any suspicious files. Normally these will be shortcuts, but you may find .exe, .hta, or similar files. Be sure to set the view options to Show all files and to display file extensions.
- Repeat steps 2 through 4 for the current user's Startup group by right-clicking Start and then clicking Open.
Less common are loaders that hackers have placed on the system. These can be located in many different locations. In many cases, they can be found only by scanning with your Symantec AntiVirus product using current definitions.
Due to the nature of Windows 2000/XP, many threats run as a process, so that they can be protected by the operating system after they are executed. To look for these, open the Task Manager and look for them on the Processes tab. Because there are many processes running, you must either know the name of a specific process to look up (for example, as described in a virus write-up) or the names of processes that normally run on your computer.
- Close all programs, saving any work.
- Press Ctrl+Shift+Esc to open the Task Manager.
- On the Process tab, click Image Name twice to sort the processes.
- Look through the list for possible threats. When a suspicious process is located, select it, and then click End Process.
- You can now locate and delete the loader files, and then remove any load points from the registry.
References:
For information on common loading points for Windows 9x and Windows 3.1x operating systems, read Common loading points for viruses, worms, and Trojan horse programs on Windows 98/95/3.1x.