What evil can malware do within the Documents and Settings folder?

Discussion in 'malware problems & news' started by Devinco, Sep 29, 2006.

Thread Status:
Not open for further replies.
  1. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    I would like to learn what malware can do within the Documents and Settings folder (and sub folders) only.
    The folder contains one of the Windows XP registry hives NTUSER.DAT (HKEY_CURRENT_USER).
    It also contains the desktop folder and the Start Menu (which contains the Startup folder).

    Only considering this folder with subfolders (and its contents), what are the main malicious actions that malware can perform here?
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Almost everything.

    It offers a startup location and room for exploits (Active Desktop).
    Lots of nice hidden folders (by default) where you can store files.
    For example Brontok variants used the Local Settings\Application Data folder.

    Regards,

    Pieter
     
  3. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you Pieter! :)
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    You're welcome. :)

    Was there a particular reason for asking?
    Looking at attack vectors against specific users of a computer?

    Regards,

    Pieter
     
  5. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Yes, your answer has helped to settle a problem of risks vs. benefits.

    There is an ongoing thread about the nLite Windows XP slipstreaming utility here:
    Updating WinXPproSP2 Install CD - nLite
    nLite can make a Windows clean reinstall faster, easier, more secure, and customized.
    It also has the option to move the entire Documents and Settings folder to a different partition (for example, a data partition).
    This option was very tempting (to me at least) because it would let me automatically move My Documents, Favorites, Firefox and Thunderbird Profiles, as well as the profiles and settings for every single installed (and future installed) program to my Data partition.
    This would mean that I would not need to manually move these and could save a lot of time.
    If one needed to restore a backup image of the OS in case of some regular corruption or compatibility issue, all the customized settings for the different programs would not be lost.

    But the big negative is that malware could persist in the Documents and Settings folder and even become automatically active again after a restore.
    This takes away the security benefit of making backup images in regards to malware.

    Right now it seems much better (security wise) to just manually move the selected folders and profiles like My Documents, Favorites, Firefox, Opera, and Thunderbird Profiles.
    Would you agree?

    Would you happen to know if the list of installed programs (as shown in the Add/Remove Programs Control Panel applet) is stored in NTUSER.DAT (HKEY_CURRENT_USER)?
    NTUSER.DAT is stored within the Documents and Settings\[CURRENTUSER] folder.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    The majority of the items listed under Add/Remove Programs is fetched from this key in the registry:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Only if you get the option to "Install for the current user only" and you choose to do so will the information be written to:
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Personally I also use an .inf file to quickly change a few personal settings to my liking on a freshly installed system.
    (I often re-install my Virtual Machines) ;)
    This can of course also be done with a .reg file or whatever you prefer.

    Regards,

    Pieter
     
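The thread makes two practical points a defender would want to check before trusting an image restore with a relocated profile: post 2 and post 5 note that the per-user Startup folder and NTUSER.DAT (HKEY_CURRENT_USER) travel with Documents and Settings and so survive a restore, and post 6 explains that Add/Remove Programs entries come from the HKLM Uninstall key except for "current user only" installs, which land in the HKCU Uninstall key. The PowerShell script below is an added example, not code from the thread or from nLite; it inventories exactly those per-user locations so the list can be saved before an OS restore and diffed afterwards. It assumes PowerShell 3.0 or later, that it runs as the user whose profile is being inspected, and that the profile root is whatever `$env:USERPROFILE` reports (C:\Documents and Settings\<user> on XP, C:\Users\<user> on later versions); `Get-UninstallEntries` and `$report` are names chosen for this example.

```powershell
# Added example (not from the thread): audit what a user profile carries that
# would persist through an OS image restore when Documents and Settings lives
# on a separate partition.
#  1. per-user Startup folder           (runs at logon, lives in the profile)
#  2. HKCU Run / RunOnce                (stored in NTUSER.DAT, in the profile)
#  3. Add/Remove Programs entries split by hive (HKLM = machine-wide,
#     HKCU = "install for current user only", also in NTUSER.DAT)
#  4. HKCU entries whose install location is inside the profile itself,
#     e.g. the hidden Local Settings\Application Data folder the thread mentions

$report = [ordered]@{}

# 1. Startup folder contents, including hidden files (-Force).
$startupDir = [Environment]::GetFolderPath('Startup')
$report['StartupFolder'] = Get-ChildItem -LiteralPath $startupDir -Force -File -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime,
        @{ n = 'Hidden'; e = { [bool]($_.Attributes -band [IO.FileAttributes]::Hidden) } }

# 2. Per-user autostart values from NTUSER.DAT.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$report['HkcuRun'] = foreach ($key in $runKeys) {
    if (Test-Path -LiteralPath $key) {
        (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # skip the provider's own PS* metadata
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}

# 3. Add/Remove Programs entries from one Uninstall key (HKLM or HKCU).
function Get-UninstallEntries([string]$hivePath) {
    Get-ChildItem -LiteralPath $hivePath -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        if ($p.DisplayName) {
            [pscustomobject]@{
                Hive            = ($hivePath -split ':')[0]
                DisplayName     = $p.DisplayName
                InstallLocation = $p.InstallLocation
                UninstallString = $p.UninstallString
            }
        }
    }
}
$report['UninstallHKLM'] = Get-UninstallEntries 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$report['UninstallHKCU'] = Get-UninstallEntries 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

# 4. Per-user installs whose files sit inside the profile tree: these are the
#    ones an OS-partition restore does not remove.
$profileDir = $env:USERPROFILE
$report['InsideProfile'] = $report['UninstallHKCU'] | Where-Object {
    $_.InstallLocation -and
    $_.InstallLocation.StartsWith($profileDir, [StringComparison]::OrdinalIgnoreCase)
}

foreach ($section in $report.Keys) {
    "=== $section ==="
    $report[$section] | Format-Table -AutoSize | Out-String -Width 200
}
```

Run it once on the freshly installed, known-clean system and save the output; after any later restore of the OS partition, run it again and compare the two listings. Anything new under StartupFolder, HkcuRun or InsideProfile came from the profile, not from the restored image, which is the exposure Devinco describes in post 5.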
  7. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks again Pieter! :)
     