I was working on a spreadsheet containing information about Registry AutoStart locations last night and ran across something pretty interesting that I thought I'd pass along...
One of the AutoStart locations used by malware is:
HKLM\Software\Classes\exefile\shell\open\command\
On a live system, this also maps to the HKEY_CLASSES_ROOT hive...
HKCR\exefile\shell\open\command
This entry specifies the command to be launched when an exefile (a file ending with the .exe extension) is run. The Default value for this key is "%1" %*. Some malware writes to this entry, ensuring that the malware is launched whenever an executable is run.
*Note: This same sort of thing applies to other types of executable files, such as cmdfile, comfile, scrfile, piffile, and batfile.
I wanted to see what else could be done via these sorts of keys, so I navigated to:
HKCR\Drive\shell\cmd\command
I right-clicked on the Default value and chose Modify. The default entry is cmd.exe /k "cd %L", and I added && notepad.exe to the command, and clicked "OK". I then opened My Computer, right-clicked on the C:\ drive, and chose "Open Command Prompt here..." from the context menu. A command prompt AND Notepad opened!
So this adds yet another entry to one of the three classes of AutoStart locations (i.e., system boot, user login, user activity). I haven't seen anything on the Internet (yet) about locations like this being used by malware or malicious users, but it does go to show what could be done.
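One way to check for the kind of modification described above is to audit a .reg export of HKLM\Software\Classes (or HKCR) against the documented defaults for these command keys. The following is an added example, not code from the original post; the exefile and Drive defaults come from the post, while the defaults for the other file classes are assumptions to be verified against a known-good system, and the export text is constructed.

```python
import re

# (Default) data for the command keys discussed in the post. Only the exefile and
# Drive values are stated in the post; the rest are ASSUMED and should be checked
# against a clean system of the same Windows version before relying on them.
EXPECTED = {
    r"exefile\shell\open\command": '"%1" %*',
    r"cmdfile\shell\open\command": '"%1" %*',   # assumed
    r"comfile\shell\open\command": '"%1" %*',   # assumed
    r"batfile\shell\open\command": '"%1" %*',   # assumed
    r"piffile\shell\open\command": '"%1" %*',   # assumed
    r"scrfile\shell\open\command": '"%1" /S',   # assumed
    r"Drive\shell\cmd\command": 'cmd.exe /k "cd %L"',
}

# Key headers under either root the post mentions; the class-relative path is captured.
_KEY_RE = re.compile(r"^\[(?:HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes|HKEY_CLASSES_ROOT)\\(.+)\]$", re.I)
_DEFAULT_RE = re.compile(r'^@="(.*)"$')   # the (Default) value as a REG_SZ string

def _unescape(s):
    # .reg exports escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r'\1', s)

def parse_reg_defaults(text):
    """Map each class-relative key path (lower-cased) to its unescaped (Default) data."""
    defaults, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = _DEFAULT_RE.match(line)
        if m and current is not None:
            defaults[current] = _unescape(m.group(1))
    return defaults

def audit(text):
    """Return (key, found, expected) for every known key whose (Default) differs from EXPECTED.
    Keys absent from the export are not reported: the comments note Drive\\shell\\cmd is
    often simply not present."""
    defaults = parse_reg_defaults(text)
    findings = []
    for key, expected in EXPECTED.items():
        found = defaults.get(key.lower())
        if found is not None and found.strip().lower() != expected.lower():
            findings.append((key, found, expected))
    return findings

# Constructed export: exefile and batfile are clean, Drive\shell\cmd has the appended command.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell\cmd\command]
@="cmd.exe /k \"cd %L\" && notepad.exe"
'''

if __name__ == "__main__":
    for key, found, expected in audit(SAMPLE_EXPORT):
        print(f"MODIFIED {key}: found {found!r}, expected {expected!r}")
```

Values exported as hex(2) (REG_EXPAND_SZ) are not decoded by this parser and would need a separate branch.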
7 comments:
Interesting info.
I'm using a perl script I wrote which lists startup reg entries:
@LMKEY = ( "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" ,
"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" ,
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit" ,
"SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts" );
$lmskey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad" ;
@CUKEY = ( "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" ,
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run" ,
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load" ,
"SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts");
@UKEY = ( ".DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ,
".DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" );
and startup folder items in an HTML report.
Of course I'll add these keys.
What other keys should I add?
Have a nice day !
P.S. The script is not on the web now, but if anybody is interested
lepetitalbert@gmail.com
Spencer,
For probably the most comprehensive list of autostart locations available online today, go to SysInternals.com and check out AutoRuns.
I'm adding to a spreadsheet that I put together, consolidating this information and a wealth of other resources...I'm trying to verify some information, and add references for others. Once I get this completed, it's been suggested that I move it from an Excel spreadsheet into something more manageable/useful.
Thanks,
Harlan
See also Silent Runners
Thanks anonymous, cool one.
Have a nice day !
Harlan,
In the original post you say :
"so I navigated to:
HKCR\Drive\shell\cmd\command"
Do you have those keys by default or do you create them ?
I don't have them (XP and 2k).
Have a nice day.
Spencer,
I didn't see the key on my system at home, either...it was XP Home. I didn't try it on my XP Pro system.
Try this...go to HKLM\Software\Classes\Drive\shell
and see what subkeys you have; if you find '\cmd\command', then you should see a '(Default)' value with 'cmd.exe /k "cd %L"' as the data.
Harlan
I have that key in neither WXP Pro nor WXP Home, just HKCR\Drive\shell\command
In W2K I cannot find it either, the closest I get is:
anonymous
Btw, I found that adding && notepad.exe to HKLM\Software\Classes\exefile\shell\open\command\ tries to add whatever is in notepad.exe to the registry every time regedit is opened. Playing a bit with it I found it was easy to add/delete whatever from the registry without confirmation. It could be used to delete stored keys when someone manually tries to search for something.
Btw, there's a nice list of startup items on this site:
silentrunners
Regards