Friday, January 29, 2010

Manually Killing Viruses, Part 3

Hunting for viruses in the Registry...
The most obvious startup location in the Registry is...

The following are normally empty...

It gets more complex beyond that...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows /v AppInit_DLLs (this is normally blank)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The "Shell" and "UserInit" values are often edited by viruses, sometimes loading worms or Trojans.

If the computer is un-bootable, and you're booted off a Rescue CD, then you need to load Registry hives off the hard drive. To do this, you need to launch Regedit and expand HKEY_USERS. With HKEY_USERS highlighted, click "File", "Load Hive...", and browse to C:\WINDOWS\system32\config\. Make sure you're loading from the correct drive, or you're wasting your time. If booted from a rescue CD, the Rescue CD's Windows folder will be the default. Make sure you pay attention and get to the correct, infected, hives. Give them sensible names.
Load "SOFTWARE" and "SYSTEM", naming them something that makes sense. Or name them anything beginning with any letter after "S" so that alphabetically the hives you load always drop below the other normal hives. This is because you'll be doing searches and it's faster to search only the loaded hives.

Next, load all the user profiles which create HKEY_CURRENT_USER when users are logged on. These hives are called NTUSER.DAT and are stored at the root of every profile...
C:\Documents and Settings\%username%\NTUSER.DAT

Some don't realize that HKEY_CLASSES_ROOT is identical to HKEY_LOCAL_MACHINE\SOFTWARE\Classes. When you load the "SOFTWARE" hive, you effectively get full access to HKEY_CLASSES_ROOT through the ...\Classes key.
Look into every startup location as mentioned above.

In the System hive, you'll be looking for malicious services. It helps to have a healthy Windows XP machine to compare with. Still, there is some guess-work. Proprietary OEMs like to add tons of mostly legitimate craplets. That's what I call the 30-50 odd-ball "goodies" that HP, Gateway, Sony, Dell, etc. like to infest new computers with so that they run like crap. Since these things usually cause more degradation than value, if you accidentally break one of these, thinking it's a virus, no real harm done.

You need to look at all the suspicious DLLs and EXEs that you carved out of \Windows\ and \System32\. Copy the names and search the loaded hives. This is how you find where they're activated. In doing this, you sometimes find out that the files are okay, and you can put them back. Other times, you get confirmation that they're malicious.

When you're done, always unload the hives. If you forget, things usually tend to unload okay anyways, but sometimes it will corrupt the hives (or the logs) and make things worse.
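The same procedure (load the offline hives under HKEY_USERS, check the Winlogon and AppInit_DLLs values, search the loaded hives for the carved-out file names, then unload) scripted for a rescue environment. This is an added example, not from the original post; the mount drive letter, the "Z_" hive names and the suspect file names are assumptions, and it must run elevated.

```powershell
# Added example, not from the original post. Assumes the infected Windows install
# is mounted at $Drive and this runs elevated from a rescue environment.
param([string]$Drive = 'D:', [string[]]$Suspects = @('suspect-example.dll'))

$cfg   = Join-Path $Drive 'Windows\System32\config'
# Names after "S" so the loaded hives sort below the normal ones in Regedit.
$hives = @{ 'Z_SOFTWARE' = "$cfg\SOFTWARE"; 'Z_SYSTEM' = "$cfg\SYSTEM" }
# Every profile's NTUSER.DAT becomes that user's HKEY_CURRENT_USER.
Get-ChildItem (Join-Path $Drive 'Documents and Settings') -Directory |
  Where-Object { Test-Path (Join-Path $_.FullName 'NTUSER.DAT') } |
  ForEach-Object { $hives["Z_USER_$($_.Name)"] = Join-Path $_.FullName 'NTUSER.DAT' }

# Expected Windows XP defaults for the values the post says get edited.
$expected = @{ Shell = 'Explorer.exe'; Userinit = 'C:\WINDOWS\system32\userinit.exe,' }

try {
    foreach ($n in $hives.Keys) { & reg load "HKU\$n" $hives[$n] | Out-Null }
    $base = 'Registry::HKEY_USERS\Z_SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    $wl  = Get-ItemProperty "$base\Winlogon"
    $win = Get-ItemProperty "$base\Windows"
    foreach ($v in 'Shell', 'Userinit') {
        if ($wl.$v -ne $expected[$v]) {
            Write-Warning "Winlogon\$v = '$($wl.$v)' (expected '$($expected[$v])')"
        }
    }
    if ($win.AppInit_DLLs) { Write-Warning "AppInit_DLLs = '$($win.AppInit_DLLs)' (normally blank)" }

    # Search every loaded hive for value data that names a carved-out file;
    # each hit is a place the file gets activated from.
    foreach ($n in $hives.Keys) {
        Get-ChildItem "Registry::HKEY_USERS\$n" -Recurse -ErrorAction SilentlyContinue |
          ForEach-Object {
            $key = $_
            foreach ($p in $key.GetValueNames()) {
                $data = [string]$key.GetValue($p)
                foreach ($s in $Suspects) {
                    if ($data -like "*$s*") { "$($key.Name)\$p = $data" }
                }
            }
          }
    }
}
finally {
    # Always unload, as the post says; a hive left loaded can end up corrupted.
    foreach ($n in $hives.Keys) { & reg unload "HKU\$n" | Out-Null }
}
```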

This whole set of posts is abbreviated. There really are too many sneaky places in the Registry to launch threats to mention all of them. Many replace Windows files with malicious files, diverting normal functions. Others create new services and functions.

Finally, check C:\boot.ini to see if anything is bogus.

When you believe you've carved the worst out, try booting off the normal hard drive.
