registry startup entry/filename malware

There are viruses and other pests that can add any number of different entries to the startups. They add entries under the Run and RunOnce subkeys of HKLM\Software\Microsoft\Windows\CurrentVersion\, allowing them to run at startup. In all cases below, %System% refers to the System folder; by default this is C:\Windows\System (9x/Me), C:\Winnt\System32 (NT/2K), or C:\Windows\System32 (XP/Vista):

1. PE_BISTRO - adds "XXXX"="C:\WINDOWS\XXXX.EXE" - where XXXX is the randomly chosen filename of the dropped file
2. MAGISTR.A - adds "[Virus file name]"="[Virus Path and file name].EXE"
3. BUGBEAR.A or BUGBEAR.C or BUGBEAR.E - adds ""=%System%\"[random filename].EXE"
4. OPTIXPRO.11 - adds "%Registry entry%"="%Path%\%Filename%"
5. Lop.com homepage hijacker - adds multiple and random startup entries
6. FreeScratchAndWin - adds multiple and random startup entries as it includes LOP above
7. nCase (or n-Case) parasite - adds multiple and random startup entries
8. LORAC - adds "[four random characters]"="%Sysdir%\abcdef.exe"
9. MOSUCK - random name and filename in C:\Windows or C:\Winnt
10. DEBORMS.D - adds one of a number of valid Name/Startup Item entries but points to the path of the worm file dropped
11. GIBE.C - adds random name and filename in C:\Windows or C:\Winnt
12. SWEN.A - adds random name and filename
13. ZOMBAM.B - adds random name and filename
14. WANADO or REUR - adds "XXXXXXXX"="%Sysdir%\XXXXXXXX.exe" where X can be any random hexadecimal (0-9, A-F) number
15. SINCOM - adds random name and filename in C:\Windows or C:\Winnt with "Run:Auto" appended to the command/data column entry
16. SOBER family - adds "[random string]"="%system%\[random filename.exe]"
17. BRANCOS.C - adds "win_[4 random characters][4 random numbers 0-9]"="%System%\SYS_386X\[4 random characters][4 random numbers 0-9].exe"
18. IRC.BOT.B - adds random name and filename
19. COREFLOO-C - adds "[random filename]"="rundll32 %SYSTEM% [random filename].dll,Init 1"
20. [random digits].exe = [random digits].exe - 8 random digits, example: 77231997.exe = 77231997.exe. Winpup.exe adult content downloader
21. DRAGONQQ - "[Trojan's filename]"="[Path to the Trojan]", "[Random name]"="C:\WINNT\[Random name].exe", "[Random name]"="C:\Program Files\[Random name].exe" or "[Random name]"="C:\WINDOWS\[Random name].exe"
22. FORMADOR - adds "[executed file name]"="%System%\[executed file name].exe"
23. NETTRASH - adds "[file name]"="[path to filename].exe"
24. OPTIXPRO.13B - adds "[registry value name]"="[path to trojan].exe"
25. MYDOOM.F or MYDOOM.G or MYDOOM.H - adds "[4 to 8 random, lowercase letters]"="[worm filename]"
26. ANNIL - adds random name and filename
27. ANTINNY.G and ANTINNY.K - adds "[random name]"="[path to worm]"
28. KILLAV.D - adds "[Trojan filename]"="%Windir%\[Trojan file name]" where %Windir% is C:\Windows or C:\Winnt
29. MYPOO - adds "[value name]"="[Trojan file name]" where [value name] is configurable
30. BLACKMAL or BLACKMAL.B - adds "[random_file_name1].exe"="%System%\[random_file_name1].exe"
31. ERKEX.A - adds "[random_file_name]"="%System%\[random_file_name].exe"
32. OPASA - adds "[random_file_name]"="%System%\[random_file_name].exe"
33. GAOBOT.ADN - adds random name and filename
34. ADWAHECK - adds "[trojan name]"="%System%\[trojan filename]"
35. GOBOT.A - adds random name and filename in C:\Windows or C:\Winnt
36. Sandboxer adware - adds random name and filename
37. AGENT.B - adds "[1-5 random characters]"="RUNDLL32 %System%\[DLL filename].dll,StreamingDeviceSetup"
38. EXRUNTEL - adds "[original filename]"="%System%\[original filename]"
39. Margoc adware - adds random name and filename
40. Winpup adware - adds random name and filename in %System%
41. KETCH - adds "[word]"="%System%\[word][number].exe"
42. DARBY.B - adds "[random worm filename]"="%System%\[random worm filename]"
43. VUNDO - adds "*[trojan name]"="[trojan path]"
44. BEAKER.A - adds "[5 random lower-case char]"="[5 random lower-case char].exe" in the System, system32, Temp and Fonts sub-directories of %Windir%
45. LIFEFORENOW - adds "[random filename]"="%System%\[random filename].exe"
46. DIMI - adds "[random value name]"="%System%\[random filename].exe"
47. ABEBOT - adds "[random service name]"="[random filename].exe -services"
48. OMEGA - adds "[random value]" = "%Windir%\[random file name].exe"
49. NAMSHARE - adds "[Random service name]" = "[Random file name]"
50. REANET.B - adds "[file name]" = "[path to file name]"
51. BANCOS.Q - adds "[filename prefix]" = "[path to filename]"
52. SPYBOTER.GEN - adds "[key name]" = "[file name of Trojan]"
53. BOTUK - adds "[random characters]Srv32" = "[random characters]srv.exe"
54. MADTOL-A - adds "[trojan filename]" = "%System%\[trojan filename]"
55. HESIVE - adds "[trojan filename]" = "[path to trojan]"




Variables:

* %System% - refers to the System folder; by default this is C:\Windows\System (9x/Me), C:\Winnt\System32 (NT/2K), or C:\Windows\System32 (XP/Vista)
* %Windir% - refers to the Windows installation folder; by default this is C:\Windows (9x/Me/XP/Vista) or C:\Winnt (NT/2K)
* %UserProfile% - refers to the current user's profile folder; by default this is C:\Documents and Settings\ (NT/2K/XP) or C:\Users\ (Vista)
* %ProgramFiles% - refers to the Program Files folder; typically the path is C:\Program Files
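
The patterns in the list above can be turned into triage checks for reviewing Run/RunOnce values. The following is an added example, not code from the original page: the function names, tag strings and sample entries are hypothetical, and the folder set assumes the default %Windir% and %System% locations given above.

```python
import ntpath
import re

# Default %Windir% / %System% folders as listed on this page, lower-cased.
DROP_DIRS = {r"c:\windows", r"c:\winnt", r"c:\windows\system",
             r"c:\windows\system32", r"c:\winnt\system32"}

def target_of(data):
    """Split a Run value's data into (launcher, launched file path)."""
    data = data.strip()
    parts = data.split(None, 1)
    if len(parts) == 2 and ntpath.basename(parts[0]).lower() in ("rundll32", "rundll32.exe"):
        return "rundll32", parts[1].split(",")[0].strip('" ')
    if data.startswith('"'):
        return "", data[1:].split('"')[0]
    m = re.match(r"(.+?\.(?:exe|dll|com|scr|bat))(?:\s|$)", data, re.I)
    return "", m.group(1) if m else data

def triage(name, data):
    """Return the patterns from the list above that one Run entry matches."""
    launcher, path = target_of(data)
    folder, fname = ntpath.split(path)
    stem = ntpath.splitext(fname)[0]
    hits = []
    if name.lower() in (stem.lower(), fname.lower()):
        hits.append("name-equals-filename")      # e.g. items 1, 22, 30, 31
    if re.fullmatch(r"[0-9A-Fa-f]{8}", stem):
        hits.append("8-hex-filename")            # items 14 and 20
    if launcher == "rundll32":
        hits.append("rundll32-launch")           # items 19 and 37
    if folder.lower() in DROP_DIRS or not folder:
        hits.append("windir-or-system-or-bare")  # file sits in %Windir%/%System% or has no path
    return hits

def scan(entries):
    """Map value name -> hits for every entry that matched something."""
    return {n: h for n, d in entries if (h := triage(n, d))}

# Constructed sample of Run-key (value name, data) pairs; not taken from a real host.
SAMPLE = [
    ("A1B2C3D4", r"C:\WINDOWS\System32\A1B2C3D4.exe"),
    ("77231997.exe", "77231997.exe"),
    ("qz", r"RUNDLL32 C:\WINDOWS\System32\strmdev.dll,StreamingDeviceSetup"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("VendorTray", r'"C:\Program Files\Vendor\tray.exe" /min'),
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The constructed ctfmon.exe entry is flagged too, which shows that these matches are hints for closer inspection of the file, not verdicts.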
