Forums: Rbot Registry Keys - Forums


Rbot Registry Keys: When does this key get executed?

#1 User is offline   kbnet 

  • Master Sergeant
  • Group: Specialist
  • Posts: 800
  • Joined: 03-September 04

Posted 01 August 2005 - 06:58 AM

Here is an example of a registry key which is set by Rbots.

HKCU\Software\Microsoft\OLE\Microsoft Update 32 = "<filename>"

Now this is not one of the common registry runkeys, so when does the file actually get executed?
0

#2 User is offline   iam 

  • Private
  • Group: Members
  • Posts: 16
  • Joined: 29-July 05

Posted 01 August 2005 - 07:05 AM

kbnet, on Aug 1 2005, 03:58 PM, said:

Here is an example of a registry key which is set by Rbots.

HKCU\Software\Microsoft\OLE\Microsoft Update 32  =  "<filename>"

Now this is not one of the common registry runkeys, so when does the file actually get executed?


At a complete guess, when you run Windows Update or perhaps when Auto Updates go to work? :huh:
0

#3 User is offline   kbnet 

  • Master Sergeant
  • Group: Specialist
  • Posts: 800
  • Joined: 03-September 04

Posted 01 August 2005 - 07:11 AM

HKCU\Software\Microsoft\OLE\<any string value>\<data>

It's not specific to Windows Update, I just meant that as an example. That is just a generated string value. Cheers though.
0

#4 User is offline   iam 

  • Private
  • Group: Members
  • Posts: 16
  • Joined: 29-July 05

Posted 01 August 2005 - 07:15 AM

kbnet, on Aug 1 2005, 04:11 PM, said:

HKCU\Software\Microsoft\OLE\<any string value>\<data>

It's not specific to Windows Update. That is just a generated string value. Cheers though.



:blush:

So do you know yourself?

I could hazard another guess, but I think I'll leave it for somebody who actually knows :lol:
0

#5 User is offline   kbnet 

  • Master Sergeant
  • Group: Specialist
  • Posts: 800
  • Joined: 03-September 04

Posted 01 August 2005 - 07:23 AM

Quote

So do you know yourself?


If I knew I wouldn't be asking. Is anyone able to tell me for sure? Google ain't much help with this one.
0

#6 User is offline   kbnet 

  • Master Sergeant
  • Group: Specialist
  • Posts: 800
  • Joined: 03-September 04

Posted 01 August 2005 - 07:43 AM

OK, here are some more details:

http://msdn.microsof...0a490390426.asp

As can be seen, there are default named values. But it doesn't mention anything about putting in your own keys and getting files to execute. Has this key been used incorrectly by the author of the Rbot in the belief that it actually executes?
0

#7 User is offline   cowsonfire 

  • Private First Class
  • Group: Members
  • Posts: 30
  • Joined: 22-January 04

Posted 01 August 2005 - 05:29 AM

That key was in rbot to disable DCOM (the EnableDCOM setting) as part of the secure function. Some idiot that got ahold of the bot probably didn't know what he was doing and thought it was another autostart key.
0

#8 User is offline   kbnet 

  • Master Sergeant
  • Group: Specialist
  • Posts: 800
  • Joined: 03-September 04

Posted 01 August 2005 - 05:34 AM

Yeah, I've been looking for info for a bit now and I can't see any reason why someone would set a key like it. I just found it strange because it has also set "EnableDCOM" to 'N'. Like you say though, it probably is someone who hasn't got a clue what they are doing. That certainly makes the most sense, as I can't find any other answer to why this would be done unless it was to be used as an infection marker (again, that would be a strange thing to do though, as it would not be very subtle, but it's a possibility).
Cheers.
0

#9 User is offline   myth 

  • Master Sergeant
  • Group: Members
  • Posts: 408
  • Joined: 09-January 04

Posted 01 August 2005 - 07:37 PM

I'll throw down an assumption that it's just a key for the bot (and perhaps other bots of the same compile time) to reference...

I.e., it probably couldn't create the reg key where people normally put it ....\Software\RBot Creator\RBot Keys\.... as most legit companies would put them...

It's probably just a quick reference, but I'll have a look at the rbot source later tonight - gotta work soon, so send me a message to remind me, or I'll just see this post again and go look.
0

#10 User is offline   AdmiralB 

  • Sergeant First Class
  • Group: Members
  • Posts: 312
  • Joined: 24-December 03

Posted 02 August 2005 - 12:51 AM

Maybe it's just to prevent you from finding keys... maybe the rest are too common?
0
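A defender's check for the artefacts this thread describes, added here as an example and not taken from any post or from the bot's source: it parses `reg query` text for the OLE key and reports `EnableDCOM` set to `N` plus any value name outside a baseline. The baseline list, the four-space output layout, the function name and the sample data (including `example.exe` and the Notepad key) are assumptions made for the example.

```python
import re

# Baseline of value names expected under ...\Software\Microsoft\Ole.
# Assumption: a subset of the names Microsoft documents; extend it for your build.
KNOWN_VALUES = {
    "enabledcom", "defaultlaunchpermission", "defaultaccesspermission",
    "legacyauthenticationlevel", "legacyimpersonationlevel",
    "legacysecurereferences", "machinelaunchrestriction",
    "machineaccessrestriction",
}
OLE_KEY = re.compile(r"\\software\\microsoft\\ole$", re.IGNORECASE)
# `reg query` value line: 4 spaces, name (may contain spaces), type, data.
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$")
EXECUTABLE = re.compile(r"\.(exe|scr|com|pif|bat)\b", re.IGNORECASE)


def audit_ole_key(reg_query_output):
    """Return (key, value name, reason) findings from `reg query` text."""
    findings = []
    key = None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            # Only values listed under an ...\Microsoft\OLE key are audited.
            key = line.strip() if OLE_KEY.search(line.strip()) else None
            continue
        match = VALUE_LINE.match(line)
        if key is None or match is None:
            continue
        name, reg_type, data = match.groups()
        if name.lower() == "enabledcom":
            if data.strip().upper() == "N":
                findings.append((key, name, "EnableDCOM set to N"))
        elif name.lower() not in KNOWN_VALUES:
            reason = "undocumented value"
            if reg_type == "REG_SZ" and EXECUTABLE.search(data):
                reason += " naming an executable"
            findings.append((key, name, reason))
    return findings


# Constructed sample output, modelled on the values described in the thread.
SAMPLE = """
HKEY_CURRENT_USER\\Software\\Microsoft\\OLE
    EnableDCOM    REG_SZ    N
    Microsoft Update 32    REG_SZ    example.exe

HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad
    lfFaceName    REG_SZ    Consolas
"""
```
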
