
H-Desk.com - PC Security matters - Protect your PC privacy


Mar 27, 2008

Where viruses like to hide on Startup?

by windshell


Everyone has been infected at least two times. Sometimes antivirus or anti-spyware scans aren’t helpful at all. Viruses and trojans often hide behind processes that usually don’t look suspicious.

Windows Startup is often responsible for opening and starting malicious programs together with programs vital for normal PC activity.
This is a little hint about what you should check in the Windows startup.

First, as the name says – Startup, so you have to check:

Startup Folder

The Startup Folder is the place where Windows opens every item when it starts. So, this should be the first place where you look for suspicious files.
The important thing is that files stored in the Startup folder will be opened on startup. You can experiment by placing a specific Word document or MP3 song there, and it will be started when you turn on your machine.
The same goes for malicious files.

Second, Windows ‘swallows and digests’ every process that has been installed and started in the Registry. The Registry is often a lair of infections. So, this should be our next step.

Registry

Our check starts in the "Run" section of the Windows Registry, where Windows executes all instructions, as well as the "RunServices", "RunOnce" and "RunServicesOnce" sections of the Registry.

Windows also executes instructions in the HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE sections of the Registry. Any command embedded here will be opened when any exe file is executed.


Further files you should check are located in the Windows Folder:

Windows Folder


Batch File - Windows executes all instructions in the Winstart batch file. The full name of this file is WINSTART.BAT.

Initialization File - Windows executes instructions in the "RUN=" and "LOAD=" lines in the WIN.INI file.

Windows also runs things in shell= in System.ini or c:\windows\system.ini:

[boot]
shell=explorer.exe C:\windows\filename

The file name following explorer.exe will start whenever Windows starts.
Such file names might be preceded by spaces on the line, to reduce the chance that they will be seen. But the full path of the file will be included in this entry.
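
As an added example (not part of the original article), this Python code scans the text of WIN.INI and SYSTEM.INI for the run=, load= and shell= entries described above and notes values pushed out of view with whitespace. The names audit_ini and PAD_THRESHOLD, the 8-character threshold and the sample file contents are assumptions made for illustration.

```python
import re

# Autostart keys the article names, by INI section (section names lower-cased).
AUTOSTART_KEYS = {"windows": ("run", "load"), "boot": ("shell",)}
PAD_THRESHOLD = 8  # assumed: a whitespace run this long is treated as hiding

def audit_ini(text):
    """Return (section, key, command, notes) for every autostart entry set."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = raw.partition("=")
        key = key.strip().lower()
        if not sep or key not in AUTOSTART_KEYS.get(section, ()):
            continue
        value = value.expandtabs(8).rstrip()
        longest_gap = max((len(g) for g in re.findall(r"\s+", value)), default=0)
        command = " ".join(value.split())
        if not command:
            continue  # empty run=/load=: nothing starts
        if key == "shell":
            if command.lower() == "explorer.exe":
                continue  # default shell with nothing appended
            first = command.split()[0].lower()
            notes = ["extra program after explorer.exe"
                     if first == "explorer.exe" else "shell replaced"]
        else:
            notes = ["started at logon"]
        if longest_gap >= PAD_THRESHOLD:
            notes.append("padded with whitespace")
        findings.append((section, key, command, notes))
    return findings

# Constructed sample input, not taken from a real machine.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=" + " " * 40 + "C:\\windows\\filename.exe\n"
SAMPLE_SYSTEM_INI = ("[boot]\nshell=explorer.exe" + " " * 60
                     + "C:\\windows\\filename\n[386Enh]\nshell=ignored.exe\n")

if __name__ == "__main__":
    for name, text in (("win.ini", SAMPLE_WIN_INI), ("system.ini", SAMPLE_SYSTEM_INI)):
        for finding in audit_ini(text):
            print(name, finding)
```

To check a real machine, pass the contents of the two files to audit_ini instead of the constructed samples.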


Pay attention that:

* Windows reruns programs that were running when Windows was shut down. You can prevent suspicious files from starting by using the “msconfig” command and un-checking all suspicious processes.

* Windows executes autorun instructions in the Windows Task Scheduler, which is an official part of all Windows versions.

* Windows loads explorer.exe located in the Windows directory during the boot process. However, if c:\explorer.exe (as a malicious file) exists, it will be executed instead of the Windows explorer.exe. That means if c:\explorer.exe is corrupted, the user will effectively be locked out of their system after they reboot.
Unlike other autostart methods, in this case there is no need for any file or registry changes - the file simply has to be named c:\explorer.exe.


These are just a few places where malicious files like to hide and from where they start their activity against PC security.
Also, many viruses and trojans have a different modus operandi, i.e. their creators are aware that they cannot stay hidden in one place or file forever, so they keep finding new methods and places to hide them.
That is what makes this ‘battle’ so complicated.