Execute programs at windows startup
My Last post was related to the ADS technology adopted by viruses and rootkits. These viruses can implement Alternate Data Streams and easily hide themselves behind legitimate files. I also did a small mention of how to get suspicious whenever you see some new entry in Registrys keys used to start program with operating system. In this post, i am going to extend the last post and write about some REGISTRY locations which can be used by virus writers to execute virus/rootkits whenever some files like .txt,.jpg,.bin gets executed.
Every file type has a program associated with it. Like .txt file is usually get opened in Notepad.exe while .mp3 files get opened in Windows Media Player.
Now the question is – How does Windows knows that when user wants to open “file.txt” so, it should open “notepad.exe” and lauch “file.txt” inside it?
The answer is – Windows Operating System maintains the file type association in the Registry Database. The HKEY_CLASSES_ROOT hive from the registry maintains all the file types and their respective associations.
Lets take an example for better understanding of the concept. Lets say we have created a new file type called .abc which our software can only read and we want it to get associated with our software. All we need to do is add new Key in HKEY_CLASSES_ROOT of .abc as shown below.
The next step is to put another key “abcfile” in the same location and add subkeys as shown below.
Out of all subkeys, “shell” subkey is very important. The path of executable mentioned in the “command” subkey from “shell” gets associated with the .abc file and whenever user opens a file with extension .abc; MySoftware.exe gets launched automatically.
Following entries are also associated with the file type association and execution. If your program is taking some extra time to launch the associated file, it will be worth viewing the above and below mentioned registry entries for ADS or traces of viruses.
Don’t forget to open and review following files too.
1) Winstart.bat: Windows executes all the instructions from this file.
2) WIN.ini : Windows executes all the instructions present in line starting with RUN= or LOAD=
These are not the only ways to execute programs at the start but are most common/easy ways to implement it. I hope this post will make you aware of some of the techniques that can be used to launch program at windows startup and also give you a hint on how to make sure that your computer is infected with virus/rootkits.