Known and Unknown startup methods in Windows

Posted: February 3, 2014 in Malware

1. Autostart folder
   Everything in here will restart.
   C:\windows\start menu\programs\startup {english}
   C:\windows\Menu Démarrer\Programmes\Démarrage {french}
   This Autostart Directory is saved in    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
   Folders Startup=”C:\windows\start menu\programs\startup”
   ‘So it could be easily changed by any program.

2. Win.ini
   [windows]
   load=file.exe
   run=file.exe

3. System.ini [boot]
   Shell=Explorer.exe file.exe

4. c:\windows\winstart.bat
   ‘Note behaves like an usual BAT file. Used for copying deleting specific files. Autostarts
    everytime

5. Registry
   [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
   [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
   [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
   [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
   [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

6. c:\windows\wininit.ini
   ‘Often Used by Setup-Programs when the file exists it is run ONCE and then is deleted by     windows
    Example: (content of wininit.ini)
    [Rename]
    NUL=c:\windows\picture.exe
    ‘This example sends c:\windows\picture.exe to NUL, which means that it is deleted. This
    requires no interactivity with the user and runs totaly stealth.

7. Autoexec.bat
   Starts everytime at Dos Level.
                                                             
8. Registry Shell Spawning
   [HKEY_CLASSES_ROOT\exefile\shell\open\command] @=”\”%1\” %*”
   [HKEY_CLASSES_ROOT\comfile\shell\open\command] @=”\”%1\” %*”
   [HKEY_CLASSES_ROOT\batfile\shell\open\command] @=”\”%1\” %*”
   [HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @=”\”%1\” %*”
   [HKEY_CLASSES_ROOT\piffile\shell\open\command] @=”\”%1\” %*”
   [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @=”\”%1\” %*”
   [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @=”\”%1\” %*”
   [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @=”\”%1\” %*”
   [HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @=”\”%1\” %*”
   [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @=”\”%1\” %*”
    
   The key should have a value of Value “%1 %*”, if this is changed to “server.exe %1 %*”,
   the server.exe is executed EVERYTIME an exe/pif/com/bat/hta is executed.
   Known as Unkown Starting Method and is currently used by Subseven.

 9. Icq Inet
   [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
   “Path”=”test.exe”
   “Startup”=”c:\\test”
   “Parameters”=””
   “Enable”=”Yes”

   [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\
   This key includes all the APPS which are executed IF ICQNET Detects an Internet Connection.

9. Misc Information
   [HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]
   @=”Scrap object” “NeverShowExt”=””
                                                             
   The NeverShowExt key has the function to HIDE the real extension of the file (here) SHS.
   This means if you rename a file as “Girl.jpg.shs” it displays as “Girl.jpg” in all programs
   including Explorer.
   Your registry should be full of NeverShowExt keys, simply delte the key to get the real
   extension to show up.

Comments
  1. Tony says:

    Information clearly regarded.!

Leave a Reply