Tested Ghost Groups .gst

Discussion in 'Ghost Security Suite (GSS)' started by Pilli, Jun 17, 2005.

Thread Status:
Not open for further replies.
  1. Pilli

    Pilli Registered Member

    Joined: Feb 13, 2002 | Posts: 6,217 | Location: Hampshire UK

    Ghost groups threads:

    1. Tested contributed Ghost files.
    2. Tested contributed ghost files discussions
    3. Untested contributed Ghost files
    4. Untested contributed Ghost files discussions

    Guidelines for posting .gst files:

    Initially a post should be made into the "Untested contributed Ghost files" thread; this should contain a few paragraphs on the group, a version number and an attachment with the gst file(s). If you have tested the group on a number of computers it is worthwhile indicating that you have tested it and also to indicate if other people have been involved in the testing. This will help people judge the level of risk involved with trying out the files.

    Prior to posting your ghost files, can the group be tested across user logout and login, then with a reboot. These are the most problematic areas that people typically cannot recover from easily, so it is best to test before releasing.

    Before a user-contributed group will be considered ready to move into the Tested thread, it will need to be seen to be stable, safe and contribute something of worth (and have some documentation).

    As issues are discovered with a group (there are bound to be some) an administrator or moderator might annotate the download post with an indication of problems people are having. Using additional groups is something done at your own risk and should not be done on machines that you cannot easily recover. System Restore can sometimes be very useful in cases where you unintentionally lock up the machine.

    Documentation is important because it can help other people to understand the choices that were made when the group was created.
    Everybody's computer is a little different, so not every choice will apply or be appropriate to somebody else.
    Documentation should include:
    * A category, description and purpose of each group
    ** Example categories: Security, Privacy, Tuning/Tweaking
    * Key(s) descriptions and the reason why they are included
    ** If possible a link back to Microsoft (or other reputable site) describing the key
    ** The description could indicate why the key was included
    * Any other relevant background information.
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined: Feb 13, 2002 | Posts: 4,449 | Location: North Carolina, USA

    Hello all,

    When RegDefend was first released, several members were interested in knowing if the default ghost files covered the keys that RegRun monitors. So, what started as a simple little project to me has ended up being a more inclusive set of keys to monitor. Even though it started just to learn and to see if I could get RegDefend to do what RegRun does as far as registry monitoring, it has become a collection of my own as I added related keys and IMHO improved on my initial ghost file. This ghost file has mainly been developed to monitor autostart locations in the registry that malware can use to load and run on your system. This work will probably continue as I make a few improvements to it here and there.

    I would like also to thank RegRun's Dmitry Sokolov for an excellent product that I consider one of my "cannot do withouts".

    My RegRun ghost file has passed the beta testing stage now and has been moved here to the "tested" thread. I hope you will enjoy it. Below you will find a brief outline that will list the key and how I have it set up in the ghost file, a description of that key and/or what it controls, and a malware that uses that method.

    hkey_current_user\control panel\desktop | scrnsave.exe | None | Mod Key, Mod Value | Ask User
    Specifies the name of the screen saver executable file.
    Example of malware using this.

    hkey_current_user\software\microsoft\internet explorer\styles* | * | Key + Value | Mod Key, Mod Value | Ask User
    This key sets user style preferences for the browser.
    Example of malware using this.


    hkey_local_machine\software\microsoft\windows\currentversion\explorer\shell folders | Common Startup | None | Mod Key, Mod Value | Ask User
    hkey_local_machine\software\microsoft\windows\currentversion\explorer\user shell folders | Common Startup | None | Mod Key, Mod Value | Ask User
    hkey_current_user\software\microsoft\windows\currentversion\explorer\shell folders | startup | None | Mod Key, Mod Value | Ask User
    hkey_current_user\software\microsoft\windows\currentversion\explorer\user shell folders | startup | None | Mod Key, Mod Value | Ask User
    These four keys all do the same except for order of precedence.
    Windows automatically starts these items when the user logs on.
    Example of malware using this.

    hkey_local_machine\software\microsoft\active setup\installed components* | * | Key + Value | Mod Key, Mod Value | Ask User
    Startup location for Active X Components.
    Example of malware using this.

    hkey_local_machine\software\microsoft\code store database\distribution units* | * | Key + Value | Mod Key, Mod Value | Ask User
    Distribution units enable the Microsoft Internet Explorer Internet Component Download services to pull down and install software on users' computers.
    Example of malware using this.

    hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon | Shell | None | Mod Key, Mod Value | Ask User
    hkey_local_machine\software\microsoft\windows nt\currentversion\inifilemapping\system.ini* | * | Key + Value | Mod Key, Mod Value | Ask User
    Mapping .INI File Entries to the Registry.
    Example of malware using this.

    hkey_current_user\software\microsoft\windows nt\currentversion\windows | run | None | Mod Key, Mod Value | Ask User
    hkey_current_user\software\microsoft\windows nt\currentversion\windows | load | None | Mod Key, Mod Value | Ask User
    hkey_local_machine\software\microsoft\windows nt\currentversion\inifilemapping\win.ini* | * | Key + Value | Mod Key, Mod Value | Ask User
    Mapping .INI File Entries to the Registry.
    Example of malware using this.

    hkey_local_machine\software\microsoft\windows nt\currentversion\svchost* | * | Key + Value | Mod Key, Mod Value | Ask User
    hkey_local_machine\system\currentcontrolset\services* | * | Key + Value | Mod Key, Mod Value | Ask User
    Svchost.exe groups are identified in this registry key.
    Example of malware using this.

    hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon | System | None | Mod Key, Mod Value | Ask User
    The programs listed in this value launch in the protected system context, however it is not used by winlogon currently. No legitimate program should be listed here. At this time, I do not believe any malware uses this, but since nothing legitimate does, I have included it for monitoring. I did however find one reference to a malware that may use this HERE, although I am not certain.

    hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon | taskman | None | Mod Key, Mod Value | Ask User
    Specifies the task manager that the system uses.
    This value, not installed by default, can be used to launch Task Manager, see here: Have Ctrl-Esc Starts Task Manager. You can replace Taskman.exe by any application, and it will be executed at boot!
    I could not find any malware at present that uses this method, but since this is a risk, I have included it for monitoring.

    hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon | Userinit | None | Mod Key, Mod Value | Ask User
    Specifies the programs that Winlogon runs when a user logs on.
    Example of malware using this.

    hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon | VmApplet | None | Mod Key, Mod Value | Ask User
    Specifies programs that Winlogon runs for the user so that the user can adjust the configuration of virtual memory when there is no paging file on the system volume.
    I was not able to find any specific malware that uses this, but have included it for monitoring as it is a risk.

    hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify* | * | Key + Value | Mod Key, Mod Value | Ask User
    Info here.
    Example of malware using this.

    hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects* | * | Key + Value | Mod Key, Mod Value | Ask User
    Info on BHO's and more info here.
    Example of malware using this.

    hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler* | * | Key + Value | Mod Key, Mod Value | Ask User
    I could not find any good references to this entry, however here is an example of a widely spread malware that uses this method.

    hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks* | * | Key + Value | Mod Key, Mod Value | Ask User
    Here and here are some good articles on this.
    Example of malware using this.

    hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload* | * | Key + Value | Mod Key, Mod Value | Ask User
    I could not find any good references to this entry, however there are quite a few malware that use this method, so it has been included.

    I would like to also thank TonyKlein for all the work he does in the spyware community and especially thank him for his collection of autostart entries that helped me in my research immensely.

    Just download the file, unzip it to your *\RegDefend\groups folder. You will have to exit RD's GUI and then restart for it to load and it will be turned off by default. My file should be safe to use with the default RD ghost files as well as TonyKlein's (myself and Tony have tried to be sure that there are no duplicate entries). My old ghost file at this thread has been removed and replaced with this newest "tested" version.

    You may continue to post all discussion and comments concerning this RegRun ghost file over on this thread that has been created solely for this purpose. By doing that we will keep this thread uncluttered and clean, and it will remain more organized.

    • MD5 Checksum
    • RegRun.ghst - 32D44DD7DE6CF96048628D90E66D8B75

    Edit: Thanks to Steve (dog) for removing the VBcode from the text file for me.....
     

    Attached Files:
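
A baseline-and-diff check over the single-value autostart entries listed in the post above, as an added example that is not part of the original post and is not RegDefend's own logic. The `WATCHED` subset (the wildcard subtree rules are left out), the helper names and the injectable `reader` are assumptions for illustration; on Windows the default reader uses Python's standard `winreg` module.

```python
# Added example: baseline/diff audit of autostart values named in the post.
# Not RegDefend code; helper names are illustrative.
try:
    import winreg  # standard library, Windows only
except ImportError:
    winreg = None

HKLM_WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
HKCU_WINDOWS = r"software\microsoft\windows nt\currentversion\windows"
# (hive, key path, value name) taken from the single-value rules in the post.
WATCHED = [
    ("HKCU", r"control panel\desktop", "scrnsave.exe"),
    ("HKLM", HKLM_WINLOGON, "Shell"),
    ("HKLM", HKLM_WINLOGON, "System"),
    ("HKLM", HKLM_WINLOGON, "taskman"),
    ("HKLM", HKLM_WINLOGON, "Userinit"),
    ("HKLM", HKLM_WINLOGON, "VmApplet"),
    ("HKCU", HKCU_WINDOWS, "run"),
    ("HKCU", HKCU_WINDOWS, "load"),
]

def read_registry(hive, path, name):
    """Return the value data as a string, or None if the value is absent."""
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    try:
        with winreg.OpenKey(roots[hive], path) as key:
            return str(winreg.QueryValueEx(key, name)[0])
    except OSError:  # key or value does not exist, or access denied
        return None

def snapshot(reader=read_registry):
    """Map each watched 'hive, path, value' entry to its current data."""
    return {f"{h}\\{p} | {n}": reader(h, p, n) for h, p, n in WATCHED}

def diff(baseline, current):
    """List (entry, change, old, new) for values added, removed or modified."""
    changes = []
    for entry in sorted(set(baseline) | set(current)):
        old, new = baseline.get(entry), current.get(entry)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        changes.append((entry, kind, old, new))
    return changes

if __name__ == "__main__" and winreg:
    for entry, data in snapshot().items():
        print(entry, "=", data)
```

Saving one `snapshot()` on a known-good system and passing it with a later one to `diff()` reports values such as `taskman` or `System` that appear where the post expects nothing to be set.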

  3. puff-m-d

    puff-m-d Registered Member

    Joined: Feb 13, 2002 | Posts: 4,449 | Location: North Carolina, USA

    The post by NormanS has been moved to this thread per the posting above.

    Please DO NOT post in this thread!!! This is the second post that I have had to remove. Please post your comment to the thread I mentioned above...
     
    Last edited by a moderator: Aug 9, 2005
  4. Pilli

    Pilli Registered Member

    Joined: Feb 13, 2002 | Posts: 6,217 | Location: Hampshire UK

    It has been agreed with Jason, Gottadoit and Tony Klein that Tony's latest file will now become fully approved & Tested.

    As far as I understand, the new TK file will also be the basis for the next GSS ' RD beta; it is now fairly comprehensive without giving too many alerts.

    Much work has gone into this file, not only by Tony but many other contributors, and is much appreciated - Thank you all and especially Tony.

    Enjoy. Pilli :)
     

    Attached Files:

  5. TonyKlein

    TonyKlein Security Expert

    Joined: Feb 9, 2002 | Posts: 4,350 | Location: The Netherlands

    Thanks! :)

    Summarizing, this gsr file is in fact a very comprehensive one, incorporating the original standard RD gsr file and adding monitoring of a great number of additional well- and lesser-known autostart and hijack points.

    It will indeed be part of the next RD beta. Do please install the file if you haven't already.

    I'd like to thank everyone for their comments and contributions. Do keep them coming! :thumb:
     