Sunday, July 27, 2008

autorun with virus

Most computer users want to understand the autorun feature, and how unknown viruses get onto their systems without their knowledge.
Most such viruses are carried in by innocent users on their pen drives (USB flash drives).
When the drive is inserted, Windows reads the autorun.inf file in its root; that file is usually marked hidden, system and read-only so that it does not show up in Explorer.
Windows Vista guards this feature and asks the user whether to run the program that autorun.inf names (most likely the virus); Windows XP runs it without asking.

Whether anything is run when you plug a drive into a USB port (or any other bus) is controlled by the registry value
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD).
Each bit disables autorun for one drive type: 0x91 (the XP default) still allows it on removable and CD-ROM drives, 0xFF disables it on every drive type, and 0 enables it everywhere. With autorun off you can open the drive in Explorer, show hidden files and look for autorun.inf yourself before anything gets executed.
See ref. http://autorun.moonvalley.com/enable.htm
An autorun.inf file contains directives like

[autorun]
open=filename.exe /argument1
icon=\foldername\filename.dll,5
shell\install = &Install
shell\install\command = setup.exe
shell\uninstall = &UnInstall
shell\uninstall\command = Uninstall.exe
shell\readme = &Read Me
shell\readme\command = notepad readme.txt
shell\help = &Help
shell\help\command = helpfilename.hlp

Here the .exe files are the viruses (names changed), but not always: a legitimate installer uses the same mechanism, and you can write your own program so that novice users get it installed on their system the same way.
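To see which of those directives actually make Windows start a program, here is a small audit script. It is an added example, not code from the original post; it parses the INI-style file by hand (hostile copies often carry junk padding lines that would trip a strict INI parser) and lists the open=, shellexecute= and shell\<verb>\command= entries, plus a hijacked default verb (shell=) or a spoofed AutoPlay caption (action=). The first sample is the listing above; the second is a constructed hostile file whose names (RECYCLER\x.exe) are invented for illustration.

```python
"""Added example: audit an autorun.inf before Windows gets to act on it."""
import re

# Directives whose value is a program that AutoPlay/Explorer may launch.
EXEC_KEYS = ("open", "shellexecute")

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
KEYVAL_RE = re.compile(r"^(?P<key>[^=;]+?)\s*=\s*(?P<val>.*)$")

# The listing from the post above, reproduced as a constructed sample.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=filename.exe /argument1
icon=\\foldername\\filename.dll,5
shell\\install = &Install
shell\\install\\command = setup.exe
shell\\uninstall = &UnInstall
shell\\uninstall\\command = Uninstall.exe
shell\\readme = &Read Me
shell\\readme\\command = notepad readme.txt
shell\\help = &Help
shell\\help\\command = helpfilename.hlp
"""

# Constructed sample in the style of a hostile autorun.inf: mixed case,
# a padding garbage line, a spoofed AutoPlay caption and a hijacked verb.
# RECYCLER\x.exe is an invented path, not a real sample.
SAMPLE_HOSTILE_INF = """\
[AutoRun]
@#$%junk padding some droppers insert to confuse scanners
OPEN=RECYCLER\\x.exe
Action=Open folder to view files
shell\\Open=Open
shell\\Open\\Command=RECYCLER\\x.exe
shell=Open
"""


def parse_autorun_inf(text):
    """Return {section: {key: value}} with section and key names lowercased."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        m = KEYVAL_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key").strip().lower()] = m.group("val").strip()
        # lines that are neither a header nor key=value (junk padding) are skipped
    return sections


def launch_targets(sections):
    """Every (directive, command) pair that makes Windows start a program."""
    found = []
    for key, val in sections.get("autorun", {}).items():
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, val))
    return found


def default_verb(sections):
    """'shell=<verb>' re-points the drive's double-click / Open action."""
    return sections.get("autorun", {}).get("shell")


def autoplay_caption(sections):
    """'action=' is the text AutoPlay shows; malware spoofs a benign one."""
    return sections.get("autorun", {}).get("action")


def audit(text):
    """Human-readable findings for a whole autorun.inf."""
    sections = parse_autorun_inf(text)
    findings = [f"would run: {cmd!r}  (via {key}=)" for key, cmd in launch_targets(sections)]
    verb = default_verb(sections)
    if verb:
        findings.append(f"default action hijacked to verb {verb!r}")
    caption = autoplay_caption(sections)
    if caption:
        findings.append(f"AutoPlay caption spoofed as {caption!r}")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python audit_autorun.py E:\autorun.inf   (defaults to the hostile sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="latin-1").read() if path else SAMPLE_HOSTILE_INF
    for finding in audit(text) or ["no launch directives found"]:
        print(finding)
```

Run it against the autorun.inf of a drive with autorun disabled (see the NoDriveTypeAutoRun note above) and you get the list of programs the drive would have started, without ever executing them.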

The same malware usually ships a VBScript as well, and that script typically writes registry values such as
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue","0","REG_DWORD"
With CheckedValue set to 0, the "Show hidden files and folders" option in Explorer no longer takes effect, so the virus's hidden files stay invisible.

These are the registry keys where most autostart entries are placed (the RunServices keys are only honoured by Windows 9x/Me; on XP the Run keys are the ones to check):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Similarly, some viruses hook themselves into the Userinit entry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
with a value like

C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\kill_antivirus.vbs

Here kill_antivirus.vbs is the virus script, run through wscript.exe (the Windows Script Host, a legitimate Windows component). Winlogon starts every comma-separated program in this value at logon.
Edit the value so that only
C:\WINDOWS\system32\userinit.exe,
remains. Be careful: if you delete the userinit.exe entry itself, nobody will be able to log in next time.

Note the script file's path first, and open it with Notepad before deleting it:
the script shows you everything it does, which files it creates, which settings it changes, and so on.

Next check the Shell value in the same key.
It should contain Explorer.exe only, but see my next post: the Explorer.exe it points to can itself be a virus.
Do not delete it if it is the genuine signed Microsoft file (File Signature Verification, sigverif, will tell you); otherwise you need a clean Explorer.exe from the original source.
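The checks above on the Run keys, the Userinit value and the Shell value are easy to script. The following is an added example, not code from the original post: the string checks run anywhere, while the read_*() helpers use Python's standard winreg module to pull the live values on a Windows machine. The default userinit.exe path is an assumption for a stock XP install, and the sample Userinit value is the infected one quoted above. Nothing here writes to the registry; the repair is still done by hand, keeping the userinit.exe entry in place.

```python
"""Added example: audit the Winlogon and Run autostart entries the post lists."""
import ntpath

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Run keys from the post (RunServices is only honoured by Windows 9x/Me).
RUN_KEYS = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]
# Assumed path of a default Windows XP install; adjust for other systems.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"
EXPECTED_SHELL = "explorer.exe"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")   # Windows Script Host binaries

# Infected Userinit value quoted in the post, used as a constructed sample.
SAMPLE_USERINIT = (r"C:\WINDOWS\system32\userinit.exe,"
                   r"C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\kill_antivirus.vbs")


def split_entries(value):
    """Userinit is a comma-separated list of programs Winlogon runs at logon."""
    return [e.strip() for e in value.split(",") if e.strip()]


def clean_userinit(value, expected=EXPECTED_USERINIT):
    """Return (value_to_write_back, extra_entries_that_do_not_belong)."""
    entries = split_entries(value)
    extras = [e for e in entries if e.lower() != expected.lower()]
    # Keep exactly one userinit.exe entry; XP's default keeps the trailing comma.
    return expected + ",", extras


def script_files(entries):
    """Script paths launched through wscript.exe / cscript.exe in the extras."""
    found = []
    for entry in entries:
        parts = entry.split()
        if len(parts) > 1 and ntpath.basename(parts[0]).lower() in SCRIPT_HOSTS:
            found.append(parts[1])
    return found


def shell_is_clean(value, expected=EXPECTED_SHELL):
    """Shell must be exactly Explorer.exe; anything appended also runs at logon."""
    return value.strip().lower() == expected


def read_winlogon():
    """Live (Userinit, Shell) values, or None when not running on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
        shell, _ = winreg.QueryValueEx(key, "Shell")
    return userinit, shell


def read_run_entries():
    """All (hive, name, command) triples in the Run keys, or None off Windows."""
    try:
        import winreg
    except ImportError:
        return None
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    out = []
    for hive, path in RUN_KEYS:
        with winreg.OpenKey(hives[hive], path) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:          # raised once the index runs past the last value
                    break
                out.append((hive, name, data))
                i += 1
    return out


if __name__ == "__main__":
    live = read_winlogon()
    userinit, shell = live if live else (SAMPLE_USERINIT, "Explorer.exe")
    fixed, extras = clean_userinit(userinit)
    for e in extras:
        print("extra Userinit entry:", e)
    for s in script_files(extras):
        print("script to open in Notepad before deleting:", s)
    print("Userinit should read:", fixed)
    print("Shell OK" if shell_is_clean(shell) else "Shell tampered: " + shell)
    for hive, name, cmd in read_run_entries() or []:
        print(f"{hive}\\...\\Run  {name} = {cmd}")
```

On the infected value from the post the script reports the wscript.exe entry as the extra, names kill_antivirus.vbs as the script to read first, and prints the one-entry Userinit value to put back with regedit.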

See you again, if something new found.
Good luck