Can someone explain these odd Registry descriptions

Hi

I'm having a little play with System Safety Monitor (again ) and I'm not sure what to make of this.

I'm having a look in the Registry module (curiosity only as this the area of my most ignorance) and in the Registry Objects list there are some keys that have descriptions that would appear to be malware/trojans according to Google.

For example:-

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot

Description - Infostealer.Coced240b

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main

Description - Backdoor.Pointex

HKCU\SOFTWARE\Microsoft\Command Processor

Description - WORM_HITON.A

This is on a what I believed to be a clean back-up

Any ideas on what any of this means. I can't even find that 2nd key in regedit.

Is it something I'm not understanding about the Registry Module in SSM

I'd rather ask here in the first instance than at SSM forum as I know I'll get an independent viewpoint.

Is it suspicious ?

Thanks in advance.

 

I do have this key on my win2k computer:
HKCU\SOFTWARE\Microsoft\Command Processor
with three underlying values.

CompletionChar
DefaultColor
Enable Extensions

To my knowledge they control some settings for the Command Prompt.

Hiton.A adds this value to that key:
AutoRun = "C:\WINNT\svchost.exe"

Only if you have that entry it is worth worrying about.

Regards,

Pieter

 

Thank you for your swift reply Pieter. That key is identical to yours thankfully.

Another key description in SSM I've found is trojan.riler described here

http://www.sarc.com/avcenter/venc/data/trojan.riler.html

Again though, the value "PackedCatalogItem" = "%System%\SynUsb.dll" is not there.

14 entries but they read Binary Value %SystemRoot%\system32\mswsock.dll

Is that how it should look ? If so, all looks to be fine but I still don't get why those descriptions in SSM.

 

Hi Jon,

I am not familiar with SSM (long time ago since I last used it) but it appears to me that it is giving you information on what malware could be using certain regsitry values, rather then telling you they are being abused.

I would like to see that confirmed by someone who does know the program.

Regards,

Pieter

 

Hi Pieter

Input from such a respected malware expert is very welcome

With what limited knowledge I have and a bit of research I had come to a similar conclusion. In my case 'luck and guess' and in your case 'judgement'

There are other key descriptions with what seems like copy/paste from the sources you and I have quoted.

Seems almost like some leftovers from the programmers initial concepts.

Now I'm not so uncomfortable, but as you say, views from an experienced SSM user such as Herbalist would be most welcome.

Since your initial reassurance I've posted at SSM forum for some thoughts

Thank you very much for your help.

 

Are you looking at the entries in the 'Malware' Group of Registry protection entries? This contains a hotch-potch of Values and Keys that are known to be used by specific malware and are, for that reason, being protected. Just double click each Key or Value in the Group to discover what the malware is called that makes use of these Keys/Values.

There are some odd items in this Group that probably don't even exist on your system, but which might be created if you ever encountered the malware in question without protection.