The Usual Suspects CONTENTS: Processes DOS startup files Windows autostart folder Windows startup files Windows registry Registry shell spawning .hta files .vbs files .shs files Executables that are worth scanning Individual program startup files Boot sector Others Notes Credits Trojans and virii have one thing in common. They mostly want to start when your computer does, to keep you infected as long as possible. In Windows, there are only a few places where programs can start up automatically, and it is in these places the virus/trojan has to put in an appearance if it is going to start up when windows does. Usually. This bottleneck helps you, the user, when you have a virus or trojan, and it is worth familiarising yourself with the following just in case you get a new virus, or one that your viruschecker can't see. We're going to get a little bit technical, but nothing too difficult. 1. The programs that are running in the background, or 'processes'. When you start your computer, before you open any other programs, there are a few programs (or lots, depending on your system) already running. There is a built-in process viewer in Windows (press the [CTRL][ALT]+[DEL] keys down once(!)....the '3-finger salute') that will show some of the processes that are currently running. To get a complete list, you'll need a process-viewer program (PrcView is a freeware example that works well). It's worth knowing what's running on your computer for several reasons: 1) If you get anything strange running, you'll be able to spot it; 2) Unnecessary processes use system resources that you could probably find a use for elsewhere; 3) Virii and trojans have to be running to be effective. With the windows process viewer, all it tells you is the name of the process and the .exe file. With a better process viewer, it tells you where the file is located, so you can use Windows Explorer to visit the folder and see which program the process is part of. It's perfectly safe to kill processes, just to see what will happen. The worst thing that will happen is that your system will lock up and you'll have to press the 'RESET' switch, after which your system will be back to normal. 2. DOS startup files: 'config.sys' and 'autoexec.bat'. These files are not really used these days, but back in the days of DOS and windows 3.XX these two files were where you loaded all the processes that were needed to run your computer. 'Drivers', or programs that (for example) made your CD player run, or your mouse, or any other bit of equipment you felt like attaching. You'll probably have a 'config.sys', even if there's nothing in there. You may or may not have an 'autoexec.bat'. These files can still be used to launch programs though, so need watching. Open notepad, and click on FILE > OPEN, than click around until you find 'config.sys' (in the root directory of your C: drive). Open the file and see what's in there. Same with 'autoexec.bat' (if you have one). It may all look a little mysterious if you've never looked here before, but lines containing with 'device=' and 'load' or with a path like 'C:\WINDOWS\COMMAND\keyboard.sys' are loading things, and are the ones to watch. Look out also for lines referring to .bat files. It's also worth printing out these files for reference, so you can tell if anything has changed later. If you want to play with these files, typing 'rem ' (no quotes, and with a space) turns that particular line off. Then reboot and see what happens. To get back to where you started, just delete the 'rem' to make the line work again and reboot. 3. The Windows Autostart Folder. Everything in here will load. C:\windows\start menu\programs\startup This Autostart Directory is saved in: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Startup="C:\windows\start menu\programs\startup" 4. Windows startup files. win.ini, system.ini, (and maybe wininit.ini and winstart.bat). Again, you can open these with notepad and have a look, but it is recommended that you don't change anything unless you know what you're doing. Typing a semicolon at the start of the line will turn that line off. Some things to watch out for in particular are: In win.ini, right at the top: [windows] run= load= NullPort=None device=Epson Stylus,EPVR95,LPT1: SkipMouseRedetect=0 The lines 'run=' and 'load=' can launch programs. Worth watching. If there is something else on this line, then check it. In system.ini, at the top: [boot] oemfonts.fon=vga850.fon system.drv=system.drv drivers=mmsystem.dll power.drv shell=Explorer.exe user.exe=user.exe gdi.exe=gdi.exe sound.drv=mmsound.drv dibeng.drv=dibeng.dll comm.drv=comm.drv mouse.drv=mouse.drv keyboard.drv=keyboard.drv *DisplayFallback=0 fixedfon.fon=vgafix.fon fonts.fon=vgasys.fon 386Grabber=vgafull.3gr display.drv=pnpdrvr.drv This what the top of your system.ini should look like. Note the 'shell=' line. If it looks like shell=Explorer.exe;anotherexecutable.exe then that's a definite warning sign. Check it. c:\windows\winstart.bat Behaves like an usual BAT file. Used for copying deleting specific files. Autostarts every time c:\windows\wininit.ini Often Used by Setup-Programs when the file exists it is run ONCE and then is deleted by windows Example: (content of wininit.ini) [Rename] NUL=c:\windows\picture.exe This example sends c:\windows\picture.exe to NUL, which means that it is deleted. This requires no interactivity with the user and runs totally stealth 5. The Windows registry. The registry is a database of all the settings for Windows 9x. It is contained in two hidden files in your Windows directory, called USER.DAT and SYSTEM.DAT. To backup your registry, just copy these files to a floppy disk. To view and edit your registry, just click on START > RUN and type regedit in the box. It is not recommended that you play with the registry unless you have 1) a boot disk 2) the registry backed up and 3) the expertise to copy the registry files back from your floppy disk to windows using only DOS. Otherwise, you'll have to learn about other things, like FDISK and FORMAT. The registry keys below are the ones to watch in particular: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx 6. Registry Shell Spawning [HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*" The key should have a value of Value "%1 %*", if this is changed to "server.exe %1 %*", the server.exe is executed EVERYTIME an exe/pif/com/bat/hta is executed. Known as the "Unknown Starting Method" and is currently used by Subseven. 7. .hta files. Files ending in .hta are a sort of executable web page, and some virii and trojans use them to launch various indignities on your system. These files should be treated with the utmost suspicion. If you suspect an invasion on your system, it's well worth doing START > FIND > FILES OR FOLDERS > and type *.hta in the box. Actually, it's worth looking anyway. 8. .vbs files. Visual basic scripts. These have become quite popular as virii, and it's worth noting how many of these are on your system, and their location. Do a FIND as above, and type *.vbs in the box. If you don't use vbs, and don't run any programs that do, it might be worth your while turning the 'Windows Scripting Host' off, which allows the automatic running of .vbs scripts. There's instructions (for various operating systems) at http://www.sophos.com. And you can always turn it back on again, if you need it in the future. 9. .shs files. Shell scraps. These are little executables that are hidden by default in Windows. To make them visible, you have to find the registry key: [HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] @="Scrap object" "NeverShowExt"="" and delete the "NeverShowExt"="" key. This will enable you to see/scan etc these files. 10. Files that you ought to have your virus scanner look at: 386, ADT, BIN, CBT, CLA, CMD, COM, CPL, DEV, DLL, DOC, DOT, DRV, EXE, HTM, HTT, JS, MDB, MPP, MPT, MSO, ODB, OBT, OLE, OV?, POT, PPT, RTF, SCR, SHS, SYS, VBS, XL, MD?, VXD, XPT, NOT PART OF THE 'USUAL SUSPECTS' BUT YOU OUGHT TO KNOW ABOUT... 11. Programs that use the startup of individual programs, and not windows. The 'BubbleBoy' virus, for example, uses a .hta file to inveigle itself into the startup of Outlook, not the Windows startup. Obviously it's impractical to routinely monitor the start-up of every program. But it's best to be aware that programs can be interfered with. IMHO, after Windows, the next two most obvious targets are Outlook (and outlook Express) and Internet Explorer. 12. Boot-sector virii. These are the nasty ones. They lurk on the boot sector of your hard disk and start before Windows does. There probably is a way of checking your boot sector manually using freeware, but I haven't found it yet. If your viruschecker finds a boot-sector virus and can't remove it, you can sometimes remove it in Windows 9.x by booting up with a clean floppy, and typing FDISK /MBR. Back up your data before this if you can because when an FDISK operation goes wrong it REALLY goes wrong. This won't work in NT. 13. Others. There is always someone coming up with new ways to mess you up. Plan for it. If you keep an eye on, and familiarise yourself with, the above parts of your computer, then you will be much less susceptible to a virus or trojan attack. If you get a virus, then it will probably be launched from one of the places above, and you can stop it manually without having to refer to a viruschecker. Even if you have a virus/trojan scanner on your system, there's no guarantee that it can spot every invader. NOTES: ====== PrcView, the process viewer mentioned here is an old Windows program, and doesn't shut down properly. Ironically enough, you have to use the Windows [CTRL][ALT][DELETE] process viewer and shut down the 'winoldapp' process. MSConfig. With Win98+ systems, there is a utility to quickly view your startup files. START > RUN > and type msconfig; this will allow you to see what is happening with most of the 'usual suspects' in an easy-to-use app. This file doesn't come as part of Windows 95, but will work if you download the file, and copy it to the c:\windows\system directory. Sysedit. Similar to MSConfig, but not as good. START > RUN > and type sysedit. CREDITS: ======== Thanks for contributions from romerale, FlyingRaichu and RigiDigit. If you have anything to add, or find any errors, please email me.