Common loading points for viruses, worms, and Trojan horse programs on Windows 98/95/3.1x

Article:TECH98547  |  Created: 1999-01-24  |  Updated: 2007-01-20  |  Article URL http://www.symantec.com/docs/TECH98547
Article Type
Technical Solution


Environment

Issue



You suspect that you have a virus, worm or Trojan horse program loading every time Windows starts, but you cannot determine from where it is loading. You would like some tips for tracking down the loading point of the virus, worm, or Trojan horse.


Solution



For information about specific viruses, Trojans and worms, read the Symantec Security Response Virus Encyclopedia.

Many viruses, worms, and Trojans load at startup, and a few, such as BUDDYLIST.EXE, write their entries back to these startup points during shutdown, so an entry removed while Windows was running can be present again after the next restart. The following items are the most common loading points for viruses, worms, and Trojans.

System files
You can open system files using the System Editor. To start the System Editor, click Start, and then click Run. Type sysedit then click OK.

Autoexec.bat
Programs can be loaded from any line in this file. Be especially suspicious of files whose names closely resemble legitimate DOS or Windows file names, for example Command.bat (resembling Command.com) or Explore.exe (resembling Explorer.exe). Autoexec.bat is not commonly used to load viruses, worms, and Trojans, but it should still be checked.

Win.ini
[windows]
load=
run=

Programs loaded from Win.ini are generally loaded from the load= or run= lines in the [windows] section. Beware of entries hidden at the far end of one of these lines: the line may be very long, for example padded with spaces after the first entry, so that a second program name scrolls off the right edge of the System Editor window. A horizontal scroll bar at the bottom of the window means there is text beyond the visible area; scroll to the right and make sure there is nothing there.

System.ini
[boot]
shell=explorer.exe

The shell= line in the [boot] section of System.ini normally names only the shell, explorer.exe, but the line can hold up to two entries, so a second executable file added after the shell is loaded along with it. As with Win.ini, look for a horizontal scroll bar at the bottom of the window (meaning there is more text off to the right than you can see) and for a second executable name on the line, such as Trojan.exe.
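The load=, run= and shell= checks above can be done offline against copies of Win.ini and System.ini taken from the suspect machine. The script below is an added example and not part of the original article: it parses both files, lists every program the load=/run= lines start, flags any entry that sits past the visible edge of the line, and flags a second executable riding on the shell= line. The two sample files and the program names in them are constructed for illustration, and the 80-column visible width is an assumption standing in for the System Editor window.

```python
"""Check Win.ini and System.ini for startup entries, including ones hidden off-screen.

Added example, not part of the original Symantec article. Runs offline on the
text of the .ini files; the two sample files below are constructed.
"""
import re

# Rough width of the System Editor pane; anything placed beyond it is scrolled
# off the right edge of the window (an assumption used for the "hidden" check).
VISIBLE_WIDTH = 80

# Constructed Win.ini: run= holds a legitimate-looking scanner and, 200 spaces
# later, a second program that is invisible without scrolling to the right.
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=C:\\PROGRA~1\\SCANNER\\scanner.exe" + " " * 200 + "c:\\windows\\system\\notepad32.exe\n"
    "device=HP LaserJet,HPPCL5MS,LPT1:\n"
    "[Desktop]\n"
    "Wallpaper=(None)\n"
)

# Constructed System.ini: a second executable rides on the shell= line.
SAMPLE_SYSTEM_INI = (
    "[boot]\n"
    "shell=explorer.exe C:\\WINDOWS\\trojan.exe\n"
    "mouse.drv=mouse.drv\n"
    "[386Enh]\n"
    "device=vmm32.vxd\n"
)

EXECUTABLE_EXTENSIONS = (".exe", ".com", ".bat", ".pif", ".scr")


def parse_ini(text):
    """Return {section: {key: value}}; section and key names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value  # value keeps its internal spacing
    return sections


def split_programs(value):
    """load= and run= take comma- or space-separated programs (short 8.3 names, so no
    embedded spaces); shell= is a command line, program first, then arguments."""
    return [token for token in re.split(r"[,\s]+", value) if token]


def check_startup_lines(win_ini_text, system_ini_text):
    """Return (file, key, program, reason) tuples for everything these lines would start."""
    findings = []
    windows = parse_ini(win_ini_text).get("windows", {})
    for key in ("load", "run"):
        value = windows.get(key, "")
        for program in split_programs(value):
            reason = "starts with Windows"
            if value.find(program) >= VISIBLE_WIDTH:
                reason += "; hidden past the right edge of the line"
            findings.append(("win.ini", key, program, reason))

    boot = parse_ini(system_ini_text).get("boot", {})
    shell = split_programs(boot.get("shell", "explorer.exe"))
    if shell and shell[0].lower() != "explorer.exe":
        findings.append(("system.ini", "shell", shell[0], "shell is not explorer.exe"))
    # Everything after the shell program is handed to it as an argument; a second
    # executable name there is the trick the article describes.
    for extra in shell[1:]:
        if extra.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append(("system.ini", "shell", extra, "second executable on the shell= line"))
    return findings


if __name__ == "__main__":
    for file, key, program, reason in check_startup_lines(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print(f"{file}: {key}= {program}  ({reason})")
```

Run as-is it prints three findings for the constructed samples: the visible scanner entry, the notepad32.exe entry hidden 200 columns to the right, and the trojan.exe appended to shell=. Point it at real files by reading them with open() and passing the text in place of the two samples.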

Winstart.bat
Programs can be loaded from any line in this file. At startup, Windows searches the entire PATH for Winstart.bat; if the file exists, it is run like any other batch file.


Note: This file does not exist on all systems and very often there will not be one.


StartUp folder
This folder resides under the "\Windows\Start Menu\Programs" folder. To open it, right-click the Start button, click Open, and then double-click the Programs folder; the StartUp folder is inside. Anything in this folder runs automatically when Windows starts, after the user logs on.

Registry


WARNING: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please request the document titled How to Back Up the Windows 95/98/NT Registry before proceeding.

There are several places that files can load from the registry. Some of the most common ones are listed here:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

These keys are all used by legitimate applications, but they may also hold values designed to load viruses, worms, and Trojan horse programs. Be sure that you do not delete any legitimate keys and always make a backup so that you can restore them afterwards, if necessary.

Browser Helper Object (BHO)
Looking for suspicious entries added as BHOs is more involved than reading the Run keys above, because most BHOs are legitimate and because you must look in two different areas of the registry: the list of registered BHOs, and the CLSID entries that say which DLL each one loads.
  1. Go to:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

  2. Directly under that key, in the left pane, look for any CLSID subkeys.

    They will look similar to this example:

    {06949E9F-C8D7-4D59-B87D-797B7D6BE0B3}

  3. Write down each of the strings that you find (or copy and paste them into Notepad).

  4. Browse to and expand the subkey:

    HKEY_CLASSES_ROOT\CLSID\{CLSID}

    where {CLSID} is one of the strings you wrote down in step 3.
  5. Under the expanded subkey, select the InProcServer32 key.
  6. In the right pane, in the Name and Data columns (including the (Default) value, which holds the path of the DLL the BHO loads), look for any file name that looks suspicious.
  7. Search the hard drive, the Web, or both, to confirm or rule out your suspicion. Delete the value only if you can confirm that the file name belongs to a malicious file.
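Both the Run-key list and the BHO procedure above (steps 1 to 6) can be carried out offline against a registry export, since Regedit's Export Registry File command on Windows 9x writes the plain-text REGEDIT4 format. The script below is an added example, not part of the original article: it parses such an export, lists every value under the Run, RunOnce, RunServices and RunServicesOnce keys, resolves each registered BHO CLSID to the DLL named by its InProcServer32 (Default) value, and flags program names that imitate legitimate ones in the way the Autoexec.bat section warns about (Explore.exe, Command.bat). The sample export, its value names and file paths, and the short list of legitimate names are constructed for illustration; the CLSID is the one shown as an example in step 2.

```python
"""Pull startup entries and Browser Helper Objects out of a Windows 9x registry export.

Added example, not part of the original Symantec article. Parses Regedit's text
REGEDIT4 export format so the check can be done offline. The sample export is
constructed; the CLSID is the example from the BHO steps, the DLL path is made up.
"""

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Explore"="C:\\WINDOWS\\SYSTEM\\Explore.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06949E9F-C8D7-4D59-B87D-797B7D6BE0B3}]

[HKEY_CLASSES_ROOT\CLSID\{06949E9F-C8D7-4D59-B87D-797B7D6BE0B3}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM\\helper.dll"
"ThreadingModel"="Apartment"
"""

RUN_KEYS = [hive + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\" + sub
            for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
            for sub in ("Run", "RunOnce", "RunServices", "RunServicesOnce")]
BHO_KEY = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects"
# Names that malware likes to imitate (an assumed starter list; extend as needed).
LEGITIMATE_NAMES = ("explorer.exe", "command.com", "systray.exe", "rundll32.exe")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; '@' becomes '(Default)', strings are unescaped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4" or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif "=" in line and current is not None:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):  # REG_SZ; hex:/dword: left as text
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def startup_entries(keys):
    """List (key, value_name, data) for every value under the Run* keys (paths compared case-insensitively)."""
    wanted = {k.lower() for k in RUN_KEYS}
    return [(key, name, data) for key, values in keys.items() if key.lower() in wanted
            for name, data in values.items()]


def resolve_bhos(keys):
    """Map each BHO CLSID to the DLL in HKEY_CLASSES_ROOT\\CLSID\\{clsid}\\InProcServer32 (steps 2 to 6)."""
    by_lower = {k.lower(): v for k, v in keys.items()}
    prefix = BHO_KEY.lower() + "\\"
    bhos = {}
    for key in keys:
        if key.lower().startswith(prefix):
            clsid = key[len(prefix):].split("\\")[0]
            server = by_lower.get(("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32").lower(), {})
            bhos[clsid] = server.get("(Default)")  # None: BHO registered but no server DLL found
    return bhos


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character imitations of known names."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def lookalike(command):
    """Return the legitimate name a program imitates (Explore.exe, Command.bat), or None."""
    name = command.replace("/", "\\").split("\\")[-1].split(" ")[0].lower()  # basename, no arguments
    if name in LEGITIMATE_NAMES:
        return None
    stem = name.rsplit(".", 1)[0]
    for legit in LEGITIMATE_NAMES:
        if stem == legit.rsplit(".", 1)[0] or edit_distance(name, legit) <= 1:
            return legit
    return None


if __name__ == "__main__":
    registry = parse_reg_export(SAMPLE_REG)
    for key, name, data in startup_entries(registry):
        note = lookalike(data)
        print(key.split("\\")[-1], name, data, f"(imitates {note})" if note else "")
    for clsid, dll in resolve_bhos(registry).items():
        print("BHO", clsid, "->", dll)
```

On the constructed sample the script lists the four Run and RunServices values, marks Explore.exe as imitating explorer.exe, and reports the BHO CLSID together with helper.dll. As the article says, nothing here proves a file is malicious; the output is a list of what to look up before deciding whether to delete a value.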

Other things to check


Note: The following types of files all have their place within the Windows environment and they should not be seen as completely suspect. Many files of the named types can be helpful to the user, but they can also be used for malicious ends. It is not recommended that these types of files be deleted unless you know exactly what they are being used for.

Wininit.ini
Wininit.exe processes this file during the Windows boot process, before the rest of Windows loads, and the entries in it can rename files before Windows uses them, including useful .dll and .exe files, which can then be replaced with malicious versions under the same names. Windows normally renames the file to Wininit.bak after processing it, so a Wininit.ini that is present after every restart deserves a closer look.

.shs files
These files are Windows "scrap" files. They are actually OLE objects that can hold anything, including executable code, and Explorer hides the .shs extension even when it is set to show extensions for other file types, so a scrap file can pass for a document. Most people are not aware of this.

.bat files
These are batch (script) files; they can be called from other batch files and are easily altered to serve many malicious purposes.


References
For information on common loading points with Windows NT, Windows 2000 or Windows XP, read Symantec Knowledge Base article, Common loading points for viruses, worms, and Trojan horse programs on Windows NT/2000/XP.






Legacy ID



1999052415383948

