Where are Trojans hiding in your systems?

Author : Kyle Lai, CISSP, CISA

KLC Consulting, Inc.

klai@klcconsulting.net

www.klcconsulting.net


In any case of virus/worm/Trojan infection, we should not automatically assume that the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key is the only place Trojans try to tamper with; otherwise we would fall into a false sense of security TRAP.

There are many other places on a Windows system where Trojans can add scripts and shortcuts to start up Trojan processes:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Note: For the following registry keys, the key value should be exactly "%1 %*". Any program that is added to the key value will get executed every time a binary file (.exe, .com) is executed, e.g. "Trojan.exe %1 %*".

[HKEY_CLASSES_ROOT\exefile\shell\open\command]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]

Also, check

Startup folder: to go to this folder, click on Start->Programs->Startup, then right-click on Startup and select "Open" from the menu. Check every file in this folder and make sure you know what they are. These files will start up automatically every time you log in to your system.

Windows Scheduler - check if any programs are scheduled to start at any specific time. Some Trojans use the scheduler as a means of program execution.

For Windows NT, 2000 and XP systems, use the AT command to verify. Go to the command prompt and type "at"; if there are any scheduled tasks, it will display "Status, ID, Day of execution, Time of execution, and Command line to be executed".

For Windows 9x/ME systems, use Windows Explorer and go to Task Scheduler, which is under My Computer.

Win.ini (load=Trojan.exe or run=Trojan.exe)

system.ini (Shell=Explorer.exe trojan.exe)

autoexec.bat - look for added Trojan files, may be in the following file extensions: .exe, .scr, .pif, .com, .bat

config.sys - look for added Trojan files

Any suspicious or new batch files (.BAT), which might call the actual Trojan.


In addition, watch out for social engineering... Social engineering? Yes. Don't be fooled by processes or programs with similar and/or exactly the same filenames as legitimate Windows system programs. Many known Trojans have included programs with the exact same name as Windows system programs, but put them into different folders. Many people lower their guard when they see familiar Windows system programs, and some Trojans did successfully create deceptions and exploit this human vulnerability. If you just use the Windows Task Manager to check processes, you might be fooled if you don't examine them carefully. You might want to use some other tools for detailed examination, e.g. pstools from www.systeminternals.com.


Here are some sample filenames of files included in recent Trojans (assuming Windows is installed in c:\windows or c:\winnt):


Explorer.exe - a legitimate program exists in \Windows or \Winnt folder, NOT \Windows\system32 or \Winnt\system32, or anywhere else

Rundll32.exe - a legitimate program exists in \Windows\system32 or \Winnt\system32 folder, not anywhere else

taskmngr.exe - the legitimate program is called "taskmgr.exe", not "taskmngr.exe"


Let's be vigilant about the files, registry keys and other places that Trojans can touch.



Reference:

URL of this article is: http://www.klcconsulting.net/trojan/trojan...ntification.htm

Ocxdll.exe/mIRC Virus Analysis by KLC Consulting: http://www.klcconsulting.net/mirc_virus_analysis.htm

Deloder worm / IRC worm/Trojan Analysis by KLC Consulting: http://www.klcconsulting.net/deloder_virus...us_analysis.htm

The Complete Windows Trojans Paper By Dancho Danchev: http://www.frame4.com/
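As an added example (not part of the article or this thread), a PowerShell check for the name-and-folder deception the article describes, on an NT-family Windows that has PowerShell; the expected-folder table and the look-alike list are assumptions built from the article's three entries and should be extended for your own build:

```powershell
# Added example, not from the article: flag running processes whose image name is a
# well-known Windows binary but whose folder is not where that binary belongs, plus
# the look-alike name the article cites. The expected-folder table is an assumption
# derived from the article's list; $windir is read from the running system.
$windir = $env:SystemRoot
$expected = @{
    'explorer.exe' = @("$windir\explorer.exe")
    'rundll32.exe' = @("$windir\system32\rundll32.exe", "$windir\SysWOW64\rundll32.exe")
    'taskmgr.exe'  = @("$windir\system32\taskmgr.exe")
}
$lookalikes = @('taskmngr.exe')   # names that mimic a system binary (from the article)

foreach ($p in Get-Process) {
    $path = $p.Path
    if (-not $path) { continue }    # protected or system processes expose no path
    $name = [System.IO.Path]::GetFileName($path).ToLower()

    if ($lookalikes -contains $name) {
        Write-Output "SUSPECT look-alike name: $name (PID $($p.Id)) at $path"
        continue
    }
    # -contains on strings is case-insensitive, so C:\WINDOWS and c:\windows both match
    if ($expected.ContainsKey($name) -and -not ($expected[$name] -contains $path)) {
        $sig = (Get-AuthenticodeSignature $path).Status
        Write-Output "SUSPECT folder: $name (PID $($p.Id)) running from $path [signature: $sig]"
    }
}
```

A legitimate binary running from an unexpected folder is worth checking against its signature status before assuming an infection, since some installers do ship renamed or relocated copies.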
colinmack
hi m8, i tried most things u put there and came up with nothing..... ok, my prob at the min is i have the PwSteal.trojan .... i have run a virus scan, it sees it but can't quarantine it or delete it; it says it fixes it but the virus is still there.... when u go to manually remove it u can't coz it asks if it is write-protected....

now i have tried running System Works 2003 on live-update, still no joy and still i have this virus, it is cracking me up at the min

plz help me
coder
here is something i posted a long time ago - i don't think trojanforge is up anymore? anyway - this list is pretty much the same as above, but does go over some techniques not explained thus far...

QUOTE
while surfing trojanforge, i found this list of autostart methods, quite possibly a good reference for those without an adequate AntiVirii...
quote:

Autostart folder
C:\windows\start menu\programs\startup {english}
C:\windows\Menu Démarrer\Programmes\Démarrage {french}
C:\windows\All Users\Menu Iniciar\Programas\Iniciar { Portuguese, Brasilian }

This Autostart Directory is saved in:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

Setting it to anything other than C:\windows\start menu\programs\startup will lead to execution of ALL and EVERY executable inside the set directory.


Win.ini
[windows]
load=trojan.exe
run=trojan.exe

System.ini
[boot]
Shell=Explorer.exe trojan.exe

c:\windows\winstart.bat
Normal bat file, restarting every time.

Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\000x]
"RunMyApp"="||notepad.exe"
The format is: "DllFileName|FunctionName|CommandLineArguments" -or- "||command parameters"

Microsoft Windows 98
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows Millennium Edition

http://support.microsoft.com/suppor...s/Q232/5/09.ASP


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"


c:\windows\wininit.ini
' Often used by setup programs: when the file exists, it is run ONCE and then deleted by Windows.
Example content of wininit.ini:
[Rename]
NUL=c:\windows\picture.exe

' This example sends c:\windows\picture.exe to NUL, which means that it is being deleted. This requires no interactivity with the user and runs totally stealthily.

Autoexec.bat
something like
c:\trojan.exe

Registry Shell open
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
There should be a key with the value "%1 %*"; if there is some kind of .exe there, it will be executed each time you execute a binary file.
"server.exe %1 %*" would be a restart of a RAT.

Icq Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key includes all the apps which are executed IF ICQNET detects an Internet connection.

Explorer start-up
Windows 95,98,ME
Explorer.exe is started through a system.ini entry; the entry itself contains no path information, so if c:\explorer.exe exists it will be started instead of c:\$winpath\explorer.exe.
Windows NT/2000
The Windows Shell is the familiar desktop that's used for interacting with Windows. During system startup, Windows NT 4.0 and Windows 2000 consult the "Shell" registry entry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, to determine the name of the executable that should be loaded as the Shell.
By default, this value specifies Explorer.exe.

The problem has to do with the search order that occurs while system startup is in process. Whenever a registry entry specifies the name of a code module, but does it using a relative path, Windows initiates a search process to find the code. The search order is as follows:

Search the current directory.
If the code isn't found, search the directories specified in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path, in the order in which they are specified.
If the code isn't found, search the directories specified in HKEY_CURRENT_USER\Environment\Path, in the order in which they are specified.
More info : http://www.microsoft.com/technet/se...in/fq00-052.asp
Patch : http://www.microsoft.com/technet/su...b.asp?ID=269049
General :
If a trojan installs itself as c:\explorer, no run keys or other start-up entries are needed. If c:\explorer.exe is a corrupted file, the user will be locked out of the system. Affects all Windows versions as of today.


Active-X Component
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName
StubPath=C:\PathToFile\Filename.exe
Believe it or not, this does start filename.exe BEFORE the shell and any other program normally started via the Run keys.
Misc Information
[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]
@="Scrap object"
"NeverShowExt"=""
The NeverShowExt key has the function to HIDE the real extension of the file (here SHS). This means if you rename a file as "Girl.jpg.shs" it displays as "Girl.jpg" in all programs, including Explorer.
Your registry should be full of NeverShowExt keys; simply delete the key to get the real extension to show up.

http://www.trojanforge.net/showthre...s=&threadid=625
it's always nice to find out how the bad guys are doin' it, well from the bad guys
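As an added example that is neither the article's nor the quoted trojanforge list's own code, a read-only PowerShell audit of the autostart locations both lists name (Run/RunOnce/RunServices keys, RunOnceEx, the exefile handler, Winlogon Shell, the Startup shell folders, Active Setup StubPath and scheduled tasks). It assumes an NT-family Windows with PowerShell and an elevated prompt; the comparison defaults come from the posts above.

```powershell
# Added example, not from the thread: dump the autostart locations the posts list and
# flag values that differ from the defaults they describe. Read-only; run elevated.
# RunServices* keys only exist on 9x/ME and are skipped where absent.
function Show-RegValues($key) {
    if (-not (Test-Path $key)) { return }
    # PSPath, PSChildName, ... are provider properties, not registry values
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "$key  $($_.Name) = $($_.Value)" }
}
$cv = 'Software\Microsoft\Windows\CurrentVersion'
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce') {
        Show-RegValues "$hive\$cv\$sub"
    }
}
# RunOnceEx keeps its entries in numbered subkeys (000x); walk them recursively
Get-ChildItem "HKLM:\$cv\RunOnceEx" -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $k = $_; foreach ($n in $k.Property) { "$($k.Name)  $n = $($k.GetValue($n))" } }

# exefile handler: the posts say it must be exactly %1 %* (newer builds quote the %1);
# any extra program here runs every time an .exe is launched
$cmd = (Get-ItemProperty 'HKLM:\Software\Classes\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
if (($cmd -replace '"', '') -ne '%1 %*') { "SUSPECT exefile handler: $cmd" }

# Winlogon Shell: default is Explorer.exe; "Explorer.exe trojan.exe" starts a second program
$shell = (Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
if ($shell -ne 'explorer.exe') { "SUSPECT Winlogon Shell: $shell" }

# Startup-folder redirection: every file in the folder these values point to gets executed
foreach ($hive in 'HKLM:', 'HKCU:') {
    $v = Get-ItemProperty "$hive\$cv\Explorer\User Shell Folders" -ErrorAction SilentlyContinue
    "$hive User Shell Folders  Startup=$($v.Startup)  Common Startup=$($v.'Common Startup')"
}

# Active Setup StubPath entries run before the shell, ahead of any Run key
Get-ChildItem 'HKLM:\Software\Microsoft\Active Setup\Installed Components' |
    ForEach-Object { $s = (Get-ItemProperty $_.PSPath).StubPath; if ($s) { "ActiveSetup $($_.PSChildName)  $s" } }

# Scheduled tasks, the modern equivalent of the thread's "at" check
schtasks /query /fo LIST /v 2>$null | Select-String '^(TaskName|Task To Run):'
```

Compare the dump against a known-clean machine of the same build; most Active Setup and Run entries are legitimate, and it is the unexplained additions, not the count, that matter.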
colinmack
thanks m8, but to be honest i don't really know much about the registry keys. all i know at the min is i can't get the tapiexec.dll file deleted from my computer and i need to get rid of it coz it has the trojan in it. plz, some simple help, i would be most grateful
Faceless Master
There is another list at http://www.tlsecurity.com
You can also get it from there.
Yellow_Blue
tnx for the information dude
jead99
Thanks for the information, really useful