TUCoPS :: Malware :: suspects.txt

The Usual Suspects - where Viri and Trojans hide


CONTENTS:
Processes
DOS startup files
Windows autostart folder
Windows startup files
Windows registry
Registry shell spawning
.hta files
.vbs files
.shs files
Executables that are worth scanning
Individual program startup files
Boot sector
Others
Notes
Credits

Trojans and virii have one thing in common. They mostly want to start when your computer does, to keep you infected as long as possible. In Windows, there
are only a few places where programs can start up automatically, and it is in these places the virus/trojan has to put in an appearance if it is going to start up
when windows does. Usually. This bottleneck helps you, the user, when you have a virus or trojan, and it is worth familiarising yourself with the following just
in case you get a new virus, or one that your viruschecker can't see. We're going to get a little bit technical, but nothing too difficult. 


1. The programs that are running in the background, or 'processes'. When you start your computer, before you open any other programs, there are a
few programs (or lots, depending on your system) already running. There is a built-in process viewer in Windows (press the [CTRL][ALT][DEL] keys down
once (!), the '3-finger salute') that will show some of the processes that are currently running. To get a complete list, you'll need a process-viewer program
(PrcView is a freeware example that works well). It's worth knowing what's running on your computer for several reasons: 1) If you get anything strange
running, you'll be able to spot it; 2) Unnecessary processes use system resources that you could probably find a use for elsewhere; 3) Virii and trojans have
to be running to be effective.
The Windows process viewer only tells you the name of the process and the .exe file. A better process viewer tells you where the file is
located, so you can use Windows Explorer to visit the folder and see which program the process is part of.
It's perfectly safe to kill processes, just to see what will happen. The worst thing that will happen is that your system will lock up and you'll have to press the
'RESET' switch, after which your system will be back to normal.


2. DOS startup files: 'config.sys' and 'autoexec.bat'. These files are not really used these days, but back in the days of DOS and Windows 3.x these two
files were where you loaded all the processes that were needed to run your computer: 'drivers', or programs that (for example) made your CD player run, or
your mouse, or any other bit of equipment you felt like attaching. You'll probably have a 'config.sys', even if there's nothing in there. You may or may not have
an 'autoexec.bat'.
These files can still be used to launch programs though, so they need watching. Open Notepad, click on FILE > OPEN, then click around until you find
'config.sys' (in the root directory of your C: drive). Open the file and see what's in there. Same with 'autoexec.bat' (if you have one). It may all look a little
mysterious if you've never looked here before, but lines beginning with 'device=' or 'load', or containing a path like 'C:\WINDOWS\COMMAND\keyboard.sys', are
loading things, and are the ones to watch. Look out also for lines referring to .bat files. It's also worth printing out these files for reference, so you can tell if
anything has changed later. If you want to play with these files, typing 'rem ' (no quotes, and with a space) at the start of a line turns that particular line off.
Then reboot and see what happens. To get back to where you started, just delete the 'rem ' to make the line work again and reboot.


3. The Windows Autostart Folder. Everything in here will load. 
C:\windows\start menu\programs\startup 
This Autostart Directory is saved in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Startup="C:\windows\start menu\programs\startup"


4. Windows startup files. win.ini, system.ini, (and maybe wininit.ini and winstart.bat). Again, you can open these with notepad and have a look, but it is
recommended that you don't change anything unless you know what you're doing. Typing a semicolon at the start of the line will turn that line off. Some
things to watch out for in particular are:

In win.ini, right at the top:
[windows]
run=
load=
NullPort=None
device=Epson Stylus,EPVR95,LPT1:
SkipMouseRedetect=0

The lines 'run=' and 'load=' can launch programs. Worth watching. If there is anything after the '=' on either line, then check it.

In system.ini, at the top:
[boot]
oemfonts.fon=vga850.fon
system.drv=system.drv
drivers=mmsystem.dll power.drv
shell=Explorer.exe
user.exe=user.exe
gdi.exe=gdi.exe
sound.drv=mmsound.drv
dibeng.drv=dibeng.dll
comm.drv=comm.drv
mouse.drv=mouse.drv
keyboard.drv=keyboard.drv
*DisplayFallback=0
fixedfon.fon=vgafix.fon
fonts.fon=vgasys.fon
386Grabber=vgafull.3gr
display.drv=pnpdrvr.drv

This is what the top of your system.ini should look like. Note the 'shell=' line. If it looks like shell=Explorer.exe;anotherexecutable.exe then that's a definite
warning sign. Check it.

c:\windows\winstart.bat
Behaves like a normal BAT file. Used for copying or deleting specific files. Runs automatically every time Windows starts.

c:\windows\wininit.ini
Often used by setup programs. When the file exists it is run ONCE and then deleted by Windows.
Example (content of wininit.ini):
[Rename]
NUL=c:\windows\picture.exe
This example sends c:\windows\picture.exe to NUL, which means that it is deleted. This requires no interaction with the user and runs completely silently.
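
A small checker for the win.ini, system.ini and wininit.ini entries described above, added here as an example and not part of the original text. The sample file contents are constructed; the server.exe path in them is made up to match the trojan name the text uses in section 6.

```python
# Added example, not from the original text: read the startup .ini files described
# above and report only the entries that launch or alter something. The three
# SAMPLE_* strings at the bottom are constructed for this demo.

def parse_ini(text):
    """Minimal .ini reader: {section: [(key, value), ...]}, keeping order and
    duplicates. Lines disabled with a leading ';' (as the text suggests) are skipped."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep:                                           # lines without '=' are ignored
            sections.setdefault(current, []).append((key.strip().lower(), value.strip()))
    return sections

def check_win_ini(text):
    """win.ini: run= and load= start whatever they name, so any value is worth a look."""
    return [f"win.ini [windows] {k}={v}" for k, v in parse_ini(text).get("windows", [])
            if k in ("run", "load") and v]

def check_system_ini(text):
    """system.ini: shell= should be exactly Explorer.exe; anything appended is a warning sign."""
    return [f"system.ini [boot] shell={v}" for k, v in parse_ini(text).get("boot", [])
            if k == "shell" and v.lower() != "explorer.exe"]

def check_wininit_ini(text):
    """wininit.ini [Rename]: NUL=<file> deletes <file> at next boot; dest=src replaces dest."""
    return [f"wininit.ini will {'delete' if k == 'nul' else 'replace ' + k + ' with'} {v}"
            for k, v in parse_ini(text).get("rename", [])]

SAMPLE_WIN_INI = "[windows]\nrun=\nload=c:\\windows\\system\\server.exe\nNullPort=None\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe;anotherexecutable.exe\nuser.exe=user.exe\n"
SAMPLE_WININIT_INI = "[Rename]\nNUL=c:\\windows\\picture.exe\n"

if __name__ == "__main__":
    for finding in (check_win_ini(SAMPLE_WIN_INI) + check_system_ini(SAMPLE_SYSTEM_INI)
                    + check_wininit_ini(SAMPLE_WININIT_INI)):
        print(finding)
```

To check a real machine, read the three files from the Windows directory into the corresponding check_* functions; an empty list means nothing beyond the defaults was found.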


5. The Windows registry. The registry is a database of all the settings for Windows 9x. It is contained in two hidden files in your Windows directory, called
USER.DAT and SYSTEM.DAT. To backup your registry, just copy these files to a floppy disk. To view and edit your registry, just click on START > RUN and
type regedit in the box. It is not recommended that you play with the registry unless you have 1) a boot disk 2) the registry backed up and 3) the expertise to
copy the registry files back from your floppy disk to windows using only DOS. Otherwise, you'll have to learn about other things, like FDISK and FORMAT.
The registry keys below are the ones to watch in particular: 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx


6. Registry Shell Spawning
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*" 

Each of these keys should have a value of "%1" %*. If this is changed to "server.exe %1 %*", then server.exe is executed EVERY TIME an exe/pif/com/bat/hta is
run. This is known as the "Unknown Starting Method" and is currently used by SubSeven.
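
An added example (not from the original text) that audits a REGEDIT4 export, such as one produced by START > RUN > regedit /e export.reg, for the Run* keys listed in section 5 and the shell spawning defaults in section 6. The sample export and its "updater" entry are constructed; server.exe is the name the text uses for the hijacker.

```python
# Added example, not from the original text: audit a REGEDIT4 export (regedit /e) for the
# Run* keys of section 5 and the shell\open\command defaults of section 6. SAMPLE_EXPORT
# is constructed; "server.exe" is the hijacker name the text uses.
import re

EXPECTED_OPEN = '"%1" %*'   # normal default for exefile/comfile/batfile/htafile/piffile
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once|OnceEx|Services)?$", re.I)
SPAWN_KEY = re.compile(r"\\(exefile|comfile|batfile|htafile|piffile)\\shell\\open\\command$", re.I)
KEY_LINE = re.compile(r"^\[([^\]]+)\]\s*(.*)$")             # tolerates "[key] @=..." on one line
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')    # @=data (default) or "name"=data

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)          # undo REGEDIT4 escaping (\\ and \")

def audit_reg_export(text):
    """Return (run_entries, spawn_hijacks): every value under a Run* key, plus every
    file-class open command whose default is not exactly "%1" %*."""
    run_entries, spawn_hijacks, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "REGEDIT")):
            continue
        k = KEY_LINE.match(line)
        if k:                                   # new key; a value may follow on the same line
            current, line = k.group(1), k.group(2)
            if not line:
                continue
        v = VALUE_LINE.match(line)
        if not v or current is None:
            continue
        name = "(Default)" if v.group(1) == "@" else unescape(v.group(2))
        data = v.group(3)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = unescape(data[1:-1])         # string data; dword:/hex: data is left raw
        if RUN_KEY.search(current):
            run_entries.append((current, name, data))
        elif SPAWN_KEY.search(current) and name == "(Default)" and data != EXPECTED_OPEN:
            spawn_hijacks.append((current, data))
    return run_entries, spawn_hijacks

SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"updater"="C:\\WINDOWS\\TEMP\\server.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="server.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''
```

Call audit_reg_export(SAMPLE_EXPORT), or pass the text of your own export: the first list is every autostart value to review by hand, and anything in the second list is the "Unknown Starting Method" hijack described above.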


7. .hta files. Files ending in .hta are a sort of executable web page, and some virii and trojans use them to launch various indignities on your system. These
files should be treated with the utmost suspicion. If you suspect an invasion on your system, it's well worth doing START > FIND > FILES OR FOLDERS >
and type *.hta in the box. Actually, it's worth looking anyway.


8. .vbs files. Visual Basic scripts. These have become quite popular as virii, and it's worth noting how many of these are on your system, and their location.
Do a FIND as above, and type *.vbs in the box. If you don't use vbs, and don't run any programs that do, it might be worth your while turning the 'Windows
Scripting Host' off, which allows the automatic running of .vbs scripts. There are instructions (for various operating systems) at http://www.sophos.com. And you
can always turn it back on again, if you need it in the future.


9. .shs files. Shell scraps. These are little executables whose .shs extension is hidden by default in Windows. To make it visible, you have to find the registry key:
[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] @="Scrap object" "NeverShowExt"=""
and delete the "NeverShowExt"="" value. This will enable you to see and scan these files.


10. Files that you ought to have your virus scanner look at:
386, ADT, BIN, CBT, CLA, CMD, COM, CPL, DEV, DLL, DOC, DOT, DRV, EXE, HTM, HTT, JS, MDB, MPP, MPT, MSO, ODB, OBT, OLE, OV?, POT, PPT, RTF, SCR, SHS, SYS, VBS, XL, MD?, VXD, XPT


NOT PART OF THE 'USUAL SUSPECTS' BUT YOU OUGHT TO KNOW ABOUT...

11. Programs that use the startup of individual programs, and not Windows. The 'BubbleBoy' virus, for example, uses a .hta file to inveigle itself into the
startup of Outlook, not the Windows startup. Obviously it's impractical to routinely monitor the start-up of every program. But it's best to be aware that
programs can be interfered with. IMHO, after Windows, the next two most obvious targets are Outlook (and Outlook Express) and Internet Explorer.

12. Boot-sector virii. These are the nasty ones. They lurk in the boot sector of your hard disk and start before Windows does. There probably is a way of
checking your boot sector manually using freeware, but I haven't found it yet. If your viruschecker finds a boot-sector virus and can't remove it, you can
sometimes remove it in Windows 9x by booting up with a clean floppy, and typing FDISK /MBR. Back up your data before this if you can, because when an
FDISK operation goes wrong it REALLY goes wrong. This won't work in NT.

13. Others. There is always someone coming up with new ways to mess you up. Plan for it.


If you keep an eye on, and familiarise yourself with, the above parts of your computer, then you will be much less susceptible to a virus or trojan attack. If you
get a virus, then it will probably be launched from one of the places above, and you can stop it manually without having to refer to a viruschecker. Even if you
have a virus/trojan scanner on your system, there's no guarantee that it can spot every invader.


NOTES:
======

PrcView, the process viewer mentioned here is an old Windows program, and doesn't shut down properly. Ironically enough, you have to use the Windows
[CTRL][ALT][DELETE] process viewer and shut down the 'winoldapp' process.
MSConfig. With Win98+ systems, there is a utility to quickly view your startup files. START > RUN > and type msconfig; this will allow you to see what is
happening with most of the 'usual suspects' in an easy-to-use app. This file doesn't come as part of Windows 95, but will work if you download the file, and
copy it to the c:\windows\system directory.
Sysedit. Similar to MSConfig, but not as good. START > RUN > and type sysedit.

CREDITS:
========

Thanks for contributions from romerale, FlyingRaichu and RigiDigit.

If you have anything to add, or find any errors, please email me.
