Can someone explain these odd Registry descriptions

Discussion in 'other anti-malware software' started by Old Monk, May 15, 2007.

Thread Status:
Not open for further replies.
  1. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi

    I'm having a little play with System Safety Monitor (again ;) ) and I'm not sure what to make of this.

    I'm having a look in the Registry module (curiosity only as this the area of my most ignorance) and in the Registry Objects list there are some keys that have descriptions that would appear to be malware/trojans according to Google.

    For example:-

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot

    Description - Infostealer.Coced240b

    HKCU\SOFTWARE\Microsoft\Internet Explorer\Main

    Description - Backdoor.Pointex

    HKCU\SOFTWARE\Microsoft\Command Processor

    Description - WORM_HITON.A

    This is on what I believed to be a clean back-up :doubt:

    Any ideas on what any of this means? I can't even find that 2nd key in regedit.

    Is it something I'm not understanding about the Registry Module in SSM?

    I'd rather ask here in the first instance than at SSM forum as I know I'll get an independent viewpoint.

    Is it suspicious?

    Thanks in advance.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    I do have this key on my win2k computer:
    HKCU\SOFTWARE\Microsoft\Command Processor
    with three underlying values.

    CompletionChar
    DefaultColor
    Enable Extensions

    To my knowledge they control some settings for the Command Prompt.

    Hiton.A adds this value to that key:
    AutoRun = "C:\WINNT\svchost.exe"

    Only if you have that entry is it worth worrying about.

    Regards,

    Pieter
     
  3. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Thank you for your swift reply Pieter. That key is identical to yours thankfully.

    Another key description in SSM I've found is trojan.riler described here

    http://www.sarc.com/avcenter/venc/data/trojan.riler.html

    Again though, the value "PackedCatalogItem" = "%System%\SynUsb.dll" is not there.

    14 entries, but they read Binary Value %SystemRoot%\system32\mswsock.dll

    Is that how it should look? If so, all looks to be fine, but I still don't get why those descriptions are in SSM.
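    As an added example (not code from the thread, from SSM, or from either poster), the two "is the telltale value actually there?" checks described above, done in PowerShell: whether the Command Processor key carries an AutoRun value (Pieter's Hiton.A check), and which provider DLL each Winsock catalog entry's PackedCatalogItem points at (Old Monk's mswsock.dll check). The Command Processor paths come from the thread; the Winsock catalog path under Protocol_Catalog9\Catalog_Entries and the assumption that PackedCatalogItem begins with the provider DLL path as a NUL-terminated ANSI string are my own and are not stated in the thread.

```powershell
# Added example, not code from the thread or from SSM. It re-does the two manual
# checks discussed in the thread from a defender's point of view.

function Test-CommandProcessorAutoRun {
    # Both hives can hold this key; the thread only mentions HKCU.
    $keys = @('HKCU:\SOFTWARE\Microsoft\Command Processor',
              'HKLM:\SOFTWARE\Microsoft\Command Processor')
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) {
            Write-Output "$key : key not present"
            continue
        }
        $props   = Get-ItemProperty -Path $key
        $autorun = $props.PSObject.Properties['AutoRun']
        if ($null -eq $autorun) {
            # CompletionChar / DefaultColor / EnableExtensions alone is the clean state.
            Write-Output "$key : no AutoRun value (expected on a clean system)"
        } else {
            # cmd.exe executes this command at every start, so review whatever is here.
            Write-Output "$key : AutoRun = '$($autorun.Value)' -- review this"
        }
    }
}

function Get-WinsockProviderDlls {
    # Assumption: the Winsock catalog lives at this path and each entry's
    # PackedCatalogItem starts with the provider DLL path as a NUL-terminated
    # ANSI string. Neither fact is stated in the thread.
    $catalog  = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'
    $expected = '%SystemRoot%\system32\mswsock.dll'   # what the thread reports on a clean system
    if (-not (Test-Path -Path $catalog)) {
        Write-Output "$catalog : key not present"
        return
    }
    Get-ChildItem -Path $catalog | ForEach-Object {
        $item = Get-ItemProperty -Path $_.PSPath -Name PackedCatalogItem -ErrorAction SilentlyContinue
        if ($null -eq $item) { return }                 # entry without the value: skip it
        $bytes = [byte[]]$item.PackedCatalogItem
        $end   = [Array]::IndexOf($bytes, [byte]0)      # first NUL ends the path string
        if ($end -lt 0) { $end = $bytes.Length }
        $dll = [System.Text.Encoding]::ASCII.GetString($bytes, 0, $end)
        [PSCustomObject]@{
            Entry    = $_.PSChildName
            Provider = $dll
            Expected = ($dll -ieq $expected)
        }
    }
}

Test-CommandProcessorAutoRun
Get-WinsockProviderDlls | Format-Table -AutoSize
```

    Run it from an elevated prompt so the HKLM keys are readable. A Winsock entry whose Provider is not mswsock.dll is not by itself a sign of infection (legitimate VPN and security products register their own providers); it is simply the row to look at first, which is exactly the "is the malware's value actually present?" question the thread settles.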
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Jon,

    I am not familiar with SSM (long time ago since I last used it) but it appears to me that it is giving you information on what malware could be using certain registry values, rather than telling you they are being abused.

    I would like to see that confirmed by someone who does know the program.

    Regards,

    Pieter
     
  5. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi Pieter

    Input from such a respected malware expert is very welcome :)

    With what limited knowledge I have and a bit of research I had come to a similar conclusion. In my case 'luck and guess' and in your case 'judgement' :D

    There are other key descriptions with what seems like copy/paste from the sources you and I have quoted.

    Seems almost like some leftovers from the programmer's initial concepts.

    Now I'm not so uncomfortable, but as you say, views from an experienced SSM user such as Herbalist would be most welcome.

    Since your initial reassurance I've posted at SSM forum for some thoughts.

    Thank you very much for your help.
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Are you looking at the entries in the 'Malware' Group of Registry protection entries? This contains a hotch-potch of Values and Keys that are known to be used by specific malware and are, for that reason, being protected. Just double click each Key or Value in the Group to discover what the malware is called that makes use of these Keys/Values.

    There are some odd items in this Group that probably don't even exist on your system, but which might be created if you ever encountered the malware in question without protection.
     