Most common registry keys where malware resides?

Discussion in 'malware problems & news' started by BlackHawk1, Aug 10, 2006.

Thread Status:
Not open for further replies.
  1. BlackHawk1

    BlackHawk1 Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    32
    Has anyone made a list of the most common registry key locations where malware resides? I would like to know so I can add these locations to my "favorites" in the Windows XP registry for quick checking. Maybe there is a list out there already? If so, can someone point me to it? Thank you! If not, can we start a list? I have one location added...

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  3. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    thx Pieter! This link is very useful at least for me. :D
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    If you want to keep a quick check on all the most likely Reg Keys, one way is to run HijackThis then place all its findings in the Ignorelist, then when you run HJT in future you will only be alerted to changes that have occurred.
     
  5. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
  6. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    It's already listed (nr. 27) ;)
     
  8. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    What I meant was, add it to the Symantec list.
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Ah, I see. Well, there's a feedback box at the bottom of that web page. I guess you could let them know that way.
     
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    BlackHawk1,
    Have a look here
    If you click the top link, you can download as a doc file.
     
  11. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Great link, thanks. :)

    It adds additional hijack points to the most common autostart locations, much like SilentRunners and Sysinternals' Autostarts does.

    One prob with this list: it makes no difference between registry keys and values IN registry keys, so that some of the registry paths listed are technically incorrect and thus a bit confusing.

    For example:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

    ... is a valid path, as Notify is a subkey to Winlogon

    ... whereas...

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

    ... is not a valid registry path, as there is no UserInit subkey; UserInit is a string value in the Winlogon key.


    Otherwise extremely informative and well annotated! :)
     
    Last edited: Aug 14, 2006
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  13. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Hi Pieter, always good to see ya! :D

    BTW, it was certainly not meant as a reproach... o_O:D

     
  14. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Just throw him some chocolate Tony and he'll find some more :D
     
  15. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    It's an excellent article, but I do agree the layout can be confusing, especially when part of the path is omitted - i.e. 'Microsoft' in the following:-

    HKCU\Software\Internet Explorer\Toolbar\ShellBrowser

    HKCU\Software\Internet Explorer\Toolbar\WebBrowser

    But one thing has me completely flummoxed though, namely:-

    HKLM\System\CurrentControlSet\Control\Session Manager\StartPage

    Is that a value, a Key, or does it even exist in XP at all? I've not come across that before! o_O
     
  16. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    It would have to be a string value, but it can really only be an error, especially as he says:

    Both are incorrect. That value does not exist there, and if it did, it would do zilch (Haven't tested, but I'm prepared to wager... LOL)
     
    Last edited: Aug 15, 2006
  17. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Thanks Tony, I thought it might be an error but I couldn't be sure! :)

    While we're on the subject, another excellent source of Keys to protect is Merijn's StartupList 2.01, if you set it to 'show empty sections' it comes up with a lot of exotica. :D

    Unfortunately, in the WinLogon autorun section, it includes:-

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon as the path for the value AppInit_DLLs, which is very off-putting to those of us expecting to find that value on the 'Windows' Key. :'(

    Trying to acquire knowledge in this area is certainly fraught with difficulties! o_O
     
  18. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    You're absolutely right, excellent find! :thumb:

    PM to Merijn sent. :)
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    None taken Tony and the pleasure is mutual.

    I still take any chocolate I can get my hands on :D

    TopperID's post opened an old wound by the way.

    I think I had a discussion with Mosaic1 about this one:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
    "ExcludeFromKnownDlls"

    I think we came to the conclusion it can be abused to steal the place of legit .dll files

    Regards,

    Pieter
     
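An added example (not from this thread or any of the tools it mentions) that turns the locations discussed above into the kind of "baseline, then alert on changes" check TopperID describes: each entry records whether it is a registry key (whose values and subkeys are enumerated) or a single value inside a key, so Winlogon\Notify is handled as a subkey and Userinit, AppInit_DLLs and ExcludeFromKnownDlls as values under their correct parent keys. The location list and the baseline file path are the example's own choices; run it once to write the baseline, then again to see what changed.

```powershell
# Constructed list of autostart locations from the thread, each tagged as a Key or a Value.
# Note AppInit_DLLs sits under ...\Windows NT\CurrentVersion\Windows, not Winlogon.
$Locations = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                Kind = 'Key' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                Kind = 'Key' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'; Kind = 'Key' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';        Kind = 'Value'; Name = 'Userinit' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';        Kind = 'Value'; Name = 'Shell' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';         Kind = 'Value'; Name = 'AppInit_DLLs' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';             Kind = 'Value'; Name = 'ExcludeFromKnownDlls' }
)

function Get-AutostartSnapshot {
    # Returns a flat hashtable: "<key>!<valuename>" -> data, "<key>\<subkey>" -> '<subkey>'
    $snap = @{}
    foreach ($loc in $Locations) {
        if (-not (Test-Path -LiteralPath $loc.Path)) { continue }
        if ($loc.Kind -eq 'Key') {
            $item = Get-Item -LiteralPath $loc.Path
            foreach ($name in $item.GetValueNames()) {
                $snap["$($loc.Path)!$name"] = [string]$item.GetValue($name)
            }
            foreach ($sub in $item.GetSubKeyNames()) {
                $snap["$($loc.Path)\$sub"] = '<subkey>'
            }
        } else {
            $v = Get-ItemProperty -LiteralPath $loc.Path -Name $loc.Name -ErrorAction SilentlyContinue
            if ($null -ne $v) { $snap["$($loc.Path)!$($loc.Name)"] = [string]$v.($loc.Name) }
        }
    }
    return $snap
}

$baselineFile = "$env:USERPROFILE\autostart-baseline.json"   # assumed location for the baseline
$current = Get-AutostartSnapshot
if (-not (Test-Path -LiteralPath $baselineFile)) {
    $current | ConvertTo-Json | Set-Content -LiteralPath $baselineFile
    Write-Host "Baseline written to $baselineFile"
    return
}
$baseline = @{}
(Get-Content -LiteralPath $baselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = $_.Value }
# Report only the differences, like an HJT ignore list that flags new or altered entries.
foreach ($k in (@($current.Keys) + @($baseline.Keys) | Sort-Object -Unique)) {
    if (-not $baseline.ContainsKey($k))       { Write-Host "ADDED   $k = $($current[$k])" }
    elseif (-not $current.ContainsKey($k))    { Write-Host "REMOVED $k" }
    elseif ($baseline[$k] -ne $current[$k])   { Write-Host "CHANGED $k : '$($baseline[$k])' -> '$($current[$k])'" }
}
```

Reading HKLM locations needs no elevation; delete the baseline file to re-baseline after a change you have reviewed and accepted.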
  20. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Yes, I remember that, and I believe at the time you first brought that to our attention in the RegDefend forum.

    I immediately included it into my RD rules set, and the issue is also briefly touched upon in the Autostarts List. :)
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Might have known you already had that covered. :cool:

    Sorry I was too lazy to check myself. :cautious:

    Regards,

    Pieter
     