All Known & (so called) Unknown Autostart Methods
--------------------------------------------------------------------------------

In the following pages you'll see that this article contains most (I guess it has all) of the autostart methods that Windows uses every time you reboot. The aim of this article is to give out the autostart methods so that you can find out a bit by yourself how trojans work after you run them, and also to let you find the unknown ones. As you all know, after running a scan on our system with a known antivirus we can detect most of the known viruses/trojans/bots/etc. with it. But as I said before, the aim of this article is to detect the unknown trojans manually. I guess that's enough, I'm bored too... here we go guys, enjoy :)

So whatever you do, do it at your own risk. I've explained everything in detail so everything is clear. If you do something wrong, that is your problem.

--------------------------------------------------------------------------------

Startup Methods

%windir%\Start Menu\Programs\StartUp {English}
%windir%\All Users\Start Menu\Programs\StartUp {English}
%windir%\Menu Démarrer\Programmes\Démarrage {French}
%windir%\All Users\Menu Iniciar\Programas\Iniciar {Portuguese, Brazilian}

Any file copied or linked into the Startup directory will start when Windows is booted, so deleting unknown/suspicious files from that location is a good idea.
This autostart directory is saved in:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="%windir%\Start menu\programs\startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="%windir%\Start menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="%windir%\Start menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="%windir%\Start menu\programs\startup"

Setting this value to anything other than C:\windows\start menu\programs\startup leads to the execution of ALL and EVERY executable inside the directory it points to.

Addendum: as of 10/03/2001 SubSeven 2.2 uses this method.

The Shell=Explorer.exe line in %windir%\system.ini

Another way to start a file is the shell method. A file name following Explorer.exe on this line will start whenever Windows starts. Anything can be placed next to shell=Explorer.exe, so be sure that there is nothing else on that line.

The load= line in %windir%\win.ini

Under the [windows] section. That's a well known but also an unknown autostart method that trojan authors have been using for years. You need to be sure that the 'load=' line in '%windir%\win.ini' (without the quotes) has no file names next to it, such as 'load= pic.exe'. If you see a file name next to load=, you'd better delete it. File names can be hidden by placing them at the far right of one of these lines; some AOL password capture programs do that.

The run= line in %windir%\win.ini

Under the [windows] section. That's the same as 'load='. So if you see anything here too, delete it.*

* In some cases the file next to the 'load=' and 'run=' lines could have been placed there by a program that you use, or it could be a driver file for your hardware, but that's rare.
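The following is an added example, not code from the original article: it parses the [windows] section of win.ini for load=/run= entries and the [boot] section of system.ini for the shell= line, and reports anything beyond the expected defaults. The INI text is constructed for the demo (assumed: a name hidden at the far right of load= is simply padded with spaces, so collapsing whitespace exposes it); on a real machine you would read %windir%\win.ini and %windir%\system.ini instead.

```python
# Added example (not from the original article): scan the [windows] section of
# win.ini for load=/run= entries and the [boot] section of system.ini for the
# shell= line, reporting anything beyond the expected defaults. The INI text
# below is constructed for the demo; on a real box read %windir%\win.ini and
# %windir%\system.ini instead.

WIN_INI = """[windows]
load=                                                                   pic.exe
run=
NullPort=None
[Desktop]
Wallpaper=(None)
"""

SYSTEM_INI = """[boot]
shell=Explorer.exe c:\\temp\\hidden.exe
mouse.drv=mouse.drv
[386Enh]
device=*vmm32
"""

def ini_value(text, section, key):
    """Return the raw value of `key` inside `[section]`, or None if it is absent."""
    current = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        if current == section.lower() and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                return v
    return None

def check_autostart_lines(win_ini, system_ini):
    """Return (file, key, programs) for every line that launches something extra.
    Whitespace is collapsed first, so a name pushed to the far right of the line
    (the hiding trick the article mentions) is reported like any other."""
    findings = []
    for key in ("load", "run"):
        names = (ini_value(win_ini, "windows", key) or "").split()
        if names:
            findings.append(("win.ini", key, " ".join(names)))
    shell = (ini_value(system_ini, "boot", "shell") or "").split()
    # Only Explorer.exe by itself is expected on the shell= line.
    if [s.lower() for s in shell] != ["explorer.exe"]:
        findings.append(("system.ini", "shell", " ".join(shell)))
    return findings

if __name__ == "__main__":
    for file_name, key, programs in check_autostart_lines(WIN_INI, SYSTEM_INI):
        print("%s: %s= %s" % (file_name, key, programs))
```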
The following keys are the most common startup methods for Windows OSs such as:

Microsoft Windows 98 / SE
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows Millennium Edition
Microsoft Windows XP

DISCLAIMER
Modifying the registry can cause serious problems that may require you to reinstall your operating system. We cannot guarantee that problems resulting from modifications to the registry can be solved. Use the information provided at your own risk.

As a detail, a file name you see in the right pane like "whatever"="C:\Windows\Zip.exe" will run each time your Windows reboots. That's an old trick too, which trojan authors have used for years, but it is still in use by most trojans around. So you need to be sure that you know every string in the right pane and what it is.

What Is The Registry?

The Registry is a hierarchical database in later versions of Windows (95/98/NT4/NT5) where all the system settings are stored. It has replaced all of the .ini files that were present in Windows 3.x. The data from system.ini, win.ini and control.ini is all contained within it now, along with hundreds of other system settings. Additionally, all Windows-specific programs are now expected to store their initialization data in the Registry instead of in .ini files in your Windows folder.

About The Registry Editor

The Registry cannot be viewed or edited with a normal editor. You must use a program included with Windows called RegEdit (Registry Editor) for Windows 95 & 98 or RegEdit32 for Windows NT 4 & 5. This program isn't listed on your Start Menu and it is well hidden in your Windows directory. To run it, click Start, Run, and type regedit (for Win 9x) or regedit32 (for Win NT) in the input field. This will start the Registry Editor. You can add it to the Start Menu or to the desktop for easier editing.
Registry Subtree

MY COMPUTER

HKEY_CLASSES_ROOT: Contains software settings about drag-and-drop operations, handles shortcut information, and other user interface information. There is a subkey here for every file association that has been defined.

HKEY_CURRENT_USER: Contains information regarding the currently logged-on user.
    AppEvents: Settings for the sounds assigned to system and application sound events.
    Control Panel: Control Panel settings, similar to those defined in System.ini, Win.ini and Control.ini in Windows 3.xx.
    InstallLocationsMRU: Contains the paths for the Startup folder programs.
    Keyboard layout: Specifies the current keyboard layout.
    Network: Network connection information.
    RemoteAccess: Current log-on location information, if using Dial-Up Networking.
    Software: Software configuration settings for the currently logged-on user.

HKEY_LOCAL_MACHINE: Contains information about the hardware and software settings that are generic to all users of this particular computer.
    Config: Configuration information/settings.
    Enum: Hardware device information/settings.
    Hardware: Serial communication port(s) information/settings.
    Network: Information about the network(s) the user is currently logged on to.
    Security: Network security settings.
    Software: Software-specific information/settings.
    System: System startup and device driver information and operating system settings.

HKEY_USERS: Contains information about desktop and user settings for each user that logs on to the same Windows 95 system. Each user will have a subkey under this heading. If there is only one user, the subkey is ".default".

HKEY_CURRENT_CONFIG: Contains information about the current hardware configuration, pointing to HKEY_LOCAL_MACHINE.

HKEY_DYN_DATA: Contains dynamic information about the plug-and-play devices installed on the system. The data here changes if devices are added or removed on the fly.
Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
"Blah Blah"="The_Location_Of_The_Trojan"

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnce
"Blah Blah"="The_Location_Of_The_Trojan"

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
"Blah Blah"="The_Location_Of_The_Trojan"

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunServices
"Blah Blah"="The_Location_Of_The_Trojan"

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
"Blah Blah"="The_Location_Of_The_Trojan"

Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\000x
"RunMyApp"="||notepad.exe"
The format is: "DllFileName|FunctionName|CommandLineArguments" -or- "||command parameters"

Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run
"Blah Blah"="The_Location_Of_The_Trojan"

Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\RunOnce
"Blah Blah"="The_Location_Of_The_Trojan"

Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\RunServices
"Blah Blah"="The_Location_Of_The_Trojan"

Subkeys (static VxDs) under Hkey_Local_Machine\System\CurrentControlSet\Services\VxD\

The [386enh] section of %windir%\system.ini (this includes the scrnsave.exe= line in system.ini, which can be used to run things on your system).

The [boot] section of %windir%\system.ini (this includes the scrnsave.exe= line in system.ini, which can be used to run things on your system).

The IOSUBSYS folder (drivers load automatically). That's easy, huh? That means anything in that folder will run each time your Windows reboots.

The VMM32 folder (drivers that take precedence over those built into vmm32.vxd).

config.sys
autoexec.bat
Start every time at DOS level.

winstart.bat
Note: behaves like a usual BAT file. Used for copying/deleting specific files. Autostarts every time you reboot.

wininit.ini
* Bonus item - files can be run once, deleted or renamed from the wininit.ini file.
Often used by setup programs: when the file exists it is run ONCE and then deleted by Windows.

Example content of wininit.ini:

[Rename]
NUL=%windir%\picture.exe

This example sends %windir%\picture.exe (c:\windows\picture.exe) to NUL, which means that it is deleted. This requires no interaction with the user and runs totally stealthily.

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
The default value of this key should be "%1" %*.

Backdoor example:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"trojan.exe %1\" %*"
With such a registry entry, trojan.exe is executed each time an *.exe is executed.

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
The default value of this key should be "%1" %*.

Backdoor example:
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"trojan.exe %1\" %*"
With such a registry entry, trojan.exe is executed each time a *.com is executed.

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
The default value of this key should be "%1" %*.

Backdoor example:
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"trojan.exe %1\" %*"
With such a registry entry, trojan.exe is executed each time a *.bat is executed.

[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command]
@="\"%1\" %*"
The default value of this key should be "%1" %*.

Backdoor example:
[HKEY_CLASSES_ROOT\htafile\shell\open\command]
@="\"trojan.exe %1\" %*"
With such a registry entry, trojan.exe is executed each time an *.hta is executed.

[HKEY_CLASSES_ROOT\piffile\shell\open\command]
@="\"%1\" %*"
The default value of this key should be "%1" %*.

Backdoor example:
[HKEY_CLASSES_ROOT\piffile\shell\open\command]
@="\"trojan.exe %1\" %*"
With such a registry entry, trojan.exe is executed each time a *.pif is executed.

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="\"%1\" %*"
The default value of this key should be "%1" %*.

Backdoor example:
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="\"trojan.exe %1\" %*"
With such a registry entry, trojan.exe is executed each time a *.bat is executed.

[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
@="\"%1\" %*"
The default value of this key should be "%1" %*.

Backdoor example:
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
@="\"trojan.exe %1\" %*"
With such a registry entry, trojan.exe is executed each time a *.com is executed.

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"%1\" %*"
The default value of this key should be "%1" %*.

Backdoor example:
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="\"trojan.exe %1\" %*"
With such a registry entry, trojan.exe is executed each time an *.exe is executed.

[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command]
@="\"%1\" %*"
The default value of this key should be "%1" %*.

Backdoor example:
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\shell\open\command]
@="\"trojan.exe %1\" %*"
With such a registry entry, trojan.exe is executed each time an *.hta is executed.

[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command]
@="\"%1\" %*"
The default value of this key should be "%1" %*.

Backdoor example:
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command]
@="\"trojan.exe %1\" %*"
With such a registry entry, trojan.exe is executed each time a *.pif is executed.

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\
This key includes all the apps which are executed IF ICQNET detects an Internet connection.
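The following is an added example, not code from the original article: it compares the (Default) value of each executable file class's shell\open\command against the stock "%1" %* and names the program that was prepended, which is the check you would run over a .reg export of HKEY_CLASSES_ROOT before restoring the hijacked classes. The sample values are constructed; the class names and the stock value are the ones shown above.

```python
# Added example (not from the original article): compare the default value of
# <class>\shell\open\command for the executable file classes against the stock
# value "%1" %* and name the program that was prepended. The sample values are
# constructed; on a real system they are the (Default) values under
# HKEY_CLASSES_ROOT\<class>\shell\open\command.

STOCK_VALUE = '"%1" %*'
EXECUTABLE_CLASSES = ("exefile", "comfile", "batfile", "htafile", "piffile")

# Constructed sample: three stock classes and two hijacked the way the article shows.
SAMPLE_COMMANDS = {
    "exefile": '"trojan.exe %1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "htafile": 'C:\\WINDOWS\\trojan.exe "%1" %*',
    "piffile": '"%1" %*',
}

def is_stock_open_command(value):
    """True only for the stock command: %1 (quoted or not) followed by %*."""
    return value.strip().split() in (['"%1"', "%*"], ["%1", "%*"])

def hijacked_classes(commands):
    """Return {class: launcher} for each class whose open command runs something
    other than the launched file itself. The launcher is the first token that is
    not a %1/%* placeholder, i.e. what really gets control first."""
    result = {}
    for cls in EXECUTABLE_CLASSES:
        value = commands.get(cls)
        if value is None:
            result[cls] = "<missing shell\\open\\command>"
            continue
        if is_stock_open_command(value):
            continue
        # Drop the quotes so '"trojan.exe %1" %*' and 'trojan.exe "%1" %*' look alike.
        words = value.replace('"', " ").split()
        result[cls] = next((w for w in words if not w.startswith("%")), value)
    return result

if __name__ == "__main__":
    for cls, launcher in hijacked_classes(SAMPLE_COMMANDS).items():
        print("%s: %s runs before the real target; restore %s" % (cls, launcher, STOCK_VALUE))
```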
The following two are used by Sub7 2.2:

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName
stubPath=C:\PathToFile\Filename.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\User shell folders

This starts Filename.exe BEFORE the shell and any other program normally started through the Run keys.

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

The NeverShowExt entry HIDES the real extension of the file (here SHS). This means that if you rename a file to "Girl.jpg.shs" it displays as "Girl.jpg" in all programs, including Explorer. Your registry should be full of NeverShowExt entries; simply delete the entry to get the real extension to show up.

Explorer Autostarts:

Windows 95, 98, ME
Explorer.exe is started through a system.ini entry. The entry itself contains no path information, so if c:\explorer.exe exists it will be started instead of %windir%\explorer.exe.

Windows NT/2000
The Windows Shell is the familiar desktop that's used for interacting with Windows. During system startup, Windows NT 4.0 and Windows 2000 consult the "Shell" registry entry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, to determine the name of the executable that should be loaded as the shell. By default, this value specifies Explorer.exe. The problem has to do with the search order used while system startup is in progress. Whenever a registry entry specifies the name of a code module using a relative path, Windows initiates a search to find the code. The search order is as follows:

* Search the current directory.
* If the code isn't found, search the directories specified in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path, in the order in which they are specified.
The default settings for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path and HKEY_CURRENT_USER\Environment\Path are "%SystemRoot%\System32;%SystemRoot%" and null, respectively. Because the current directory during system startup is %SystemDrive%\, the resulting search path is:

1. %SystemDrive%\ (e.g., C:\)
2. %SystemRoot%\System32 (e.g., C:\WINNT\System32)
3. %SystemRoot% (e.g., C:\WINNT)

The vulnerability results because the default permissions on %SystemDrive%\ allow all interactive users to write to it. Thus, on a machine that boots from the C: drive, if a malicious user placed a bogus Explorer.exe into C:\, the search order would cause it, rather than the bona fide Explorer.exe, to be loaded and executed each time a user on the machine logged on.

General: If a trojan installs itself as c:\explorer.exe, no Run keys or other startup entries are needed. If c:\explorer.exe is a corrupted file, the user will be locked out of the system. Affects all Windows versions as of today.
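The following is an added example, not code from the original article: it resolves a relative shell name through the startup search order described above (current directory %SystemDrive%\ first, then each entry of the Session Manager Path, using the default Path value quoted above) and flags the case where the winning file lives outside %SystemRoot%. The disk contents are a constructed set of paths; the same check covers the Windows 9x case of a planted c:\explorer.exe, since there too the root of the boot drive is searched first.

```python
# Added example (not from the original article): resolve a relative executable
# name the way the article describes Windows NT/2000 doing it at startup
# (current directory %SystemDrive%\ first, then each entry of the Session Manager
# Path) and flag the case where a file outside %SystemRoot% wins. The "disk" is
# a constructed set of paths; DEFAULT_PATH is the default quoted in the article.
import ntpath

SYSTEM_DRIVE = "C:\\"
SYSTEM_ROOT = "C:\\WINNT"
DEFAULT_PATH = "%SystemRoot%\\System32;%SystemRoot%"

def startup_search_order(system_drive=SYSTEM_DRIVE, system_root=SYSTEM_ROOT, path=DEFAULT_PATH):
    """Directories searched, in order, for a relative name in a startup registry entry."""
    expanded = [p.replace("%SystemRoot%", system_root) for p in path.split(";") if p]
    return [system_drive] + expanded

def resolve_shell(name, existing_files, **kw):
    """Return the first candidate path that exists, searching in startup order.
    existing_files is a set of lower-cased full paths standing in for the disk."""
    for directory in startup_search_order(**kw):
        candidate = ntpath.join(directory, name)
        if candidate.lower() in existing_files:
            return candidate
    return None

def shell_hijack_report(name, existing_files, **kw):
    """Return (resolved_path, is_hijacked): hijacked when the file that wins the
    search does not live under %SystemRoot% (e.g. a planted C:\\Explorer.exe)."""
    resolved = resolve_shell(name, existing_files, **kw)
    if resolved is None:
        return None, False
    root_prefix = kw.get("system_root", SYSTEM_ROOT).lower() + "\\"
    return resolved, not resolved.lower().startswith(root_prefix)

# Constructed disk contents: the real shell alone, and the real shell plus a planted
# copy in the root of C: (writable by every interactive user on a default install).
CLEAN_DISK = {"c:\\winnt\\explorer.exe"}
PLANTED_DISK = {"c:\\explorer.exe", "c:\\winnt\\explorer.exe"}

if __name__ == "__main__":
    print(startup_search_order())
    print(shell_hijack_report("Explorer.exe", CLEAN_DISK))
    print(shell_hijack_report("Explorer.exe", PLANTED_DISK))
```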