Hidden Startup Methods

  • How many kinds of hidden startup methods do you know?
  • Do you just rely upon the 'Run' and 'RunOnce' values in the registry?
  • Or do you look for Startup folder in the Start Menu?

Yes, most Windows users feel that by guarding the Startup folder and the Run value in the registry, spyware and trojans can be controlled.

An advanced user may even search the services list to see if any suspicious service is running.
A time comes when a virus like Ravmon hits the computer and, no matter where you look, you cannot find where that culprit runs from.

Well, nowadays, newer viruses use other registry locations as hidden startup methods. Under HKLM\Software\Microsoft\Windows NT\Winlogon, they tend to use two values, viz., 'Shell' and 'Userinit'. By appending their own executables, separated by a comma, to the Userinit value, the virus runs again at every logon. Also, the default value of 'Shell' is explorer.exe; viruses often modify it to 'explorer.exe virus.exe'.
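The check described above, as an added example that is not part of the original post: a small Python audit that parses the Winlogon 'Shell' and 'Userinit' strings and reports any executable beyond the defaults. The full key path used here, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, is the real location of these values; the expected defaults ('explorer.exe' and '<SystemRoot>\system32\userinit.exe,') are assumed to match a standard installation, and the sample values in the main block are constructed to mirror the tampering the post describes.

```python
"""Audit the Winlogon 'Shell' and 'Userinit' values for extra executables.

Added example for this post; assumes the defaults below match a standard
Windows installation (they may differ on customised or managed systems).
"""
import platform

# Real key path for these values (relative to HKEY_LOCAL_MACHINE).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def expected_entries(system_root=r"C:\Windows"):
    """Default content of both values on a clean system (assumption)."""
    return {
        "Shell": ["explorer.exe"],
        "Userinit": [system_root + r"\system32\userinit.exe"],
    }


def split_entries(raw):
    """Split a Winlogon value into individual program entries.

    Malware appends entries either with a comma (Userinit) or with a
    space (Shell), so both separators are honoured. Quoted paths that
    contain spaces are not handled; the defaults contain none.
    """
    entries = []
    for chunk in raw.split(","):
        entries.extend(part for part in chunk.split() if part)
    return entries


def audit_winlogon(values, system_root=r"C:\Windows"):
    """Compare raw registry strings against the defaults.

    values: dict mapping 'Shell'/'Userinit' to the string read from the
    registry. Returns a list of findings; an empty list means both values
    look clean.
    """
    findings = []
    for name, expected in expected_entries(system_root).items():
        raw = values.get(name)
        if raw is None:
            findings.append(f"{name}: value missing")
            continue
        present = {e.lower() for e in split_entries(raw)}
        wanted = {e.lower() for e in expected}
        # Anything not in the default list is an extra startup entry.
        for entry in split_entries(raw):
            if entry.lower() not in wanted:
                findings.append(f"{name}: unexpected entry {entry!r}")
        # A missing default (e.g. Shell replaced outright) is also suspicious.
        for entry in expected:
            if entry.lower() not in present:
                findings.append(f"{name}: default entry {entry!r} missing")
    return findings


def read_winlogon_values():
    """Read the live values with winreg; only works on Windows."""
    if platform.system() != "Windows":
        raise RuntimeError("live registry read requires Windows")
    import winreg  # imported lazily so the module loads elsewhere

    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in ("Shell", "Userinit"):
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # reported as missing by audit_winlogon
    return out


if __name__ == "__main__":
    # Constructed sample values mirroring the tampering described in the post.
    sample = {
        "Shell": "explorer.exe virus.exe",
        "Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\virus.exe,",
    }
    for finding in audit_winlogon(sample):
        print(finding)
    # On a Windows host, replace `sample` with read_winlogon_values().
```

Run it on a Windows machine with an elevated prompt and pass `read_winlogon_values()` to `audit_winlogon`; the trailing comma on the Userinit default is expected and is ignored by the parser.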

This is so effective against common users that they have no choice but to back up their important files and format the hard drive.

Sometimes, these little tips help a lot to avoid the time lost in formatting.

That is just a simple startup method. More complex startup methods include hiding the entry from the registry by hooking the registry-handling APIs. They even hide themselves from the process list and the services list by hooking the respective APIs. Identifying them is not easy, though; you have to be pretty sharp. I will cover this topic in detail in my next post. Bye till then.
