Information about specific, common Trojans and worms is
available on our news pages. Although they differ from
one another, most worms use similar methods to install themselves
on the host machine and to initialize. The most common initialization
is to add itself to the Windows startup queue, by any
of the following methods:
By adding a value under one of the startup keys in the registry.
Typical keys from which worms initialize are:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (local machine Run),
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (per-user Run), and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
By adding a LOAD= or RUN= statement to the [windows] section of WIN.INI.
By chaining to the Explorer.exe shell through SYSTEM.INI, by
appending a reference to the worm to the 'shell=' directive
in the [boot] section.
By adding a link or a reference in the Windows Startup group
/ folder.
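The four startup locations listed above can be audited offline from a copy of WIN.INI, SYSTEM.INI, a regedit export of the Run/RunServices keys and a listing of the Startup folder. The following script is an added example, not InVircible's or SAM's code: it parses those sources, enumerates every startup entry, and, like the startup monitor described later on this page, reports only the entries that were not present in a clean baseline snapshot. All sample inputs (the INI texts, the .reg export, the folder listing, and the file names hostile.dll, worm.exe, sysmon.exe and kernel32.exe in the Startup folder) are constructed for the example.

```python
import re

# The three registry startup keys the page names, spelled out in full.
STARTUP_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

# Constructed sample inputs, as they might look after a worm installed itself.
WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\rundll32.exe hostile.dll,Start
[Desktop]
Wallpaper=(None)
"""
SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\worm.exe
"""
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SysMon"="C:\\WINDOWS\\SYSTEM\\sysmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"""
STARTUP_FOLDER = ["Microsoft Office.lnk", "kernel32.exe"]

# Constructed snapshot of the same locations taken while the machine was clean.
BASELINE = {
    (STARTUP_KEYS[0], "ScanRegistry", r"C:\WINDOWS\scanregw.exe /autorun"),
    (STARTUP_KEYS[2], "LoadPowerProfile", "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"),
    ("SYSTEM.INI [boot]", "shell=", "Explorer.exe"),
    ("Startup folder", "Microsoft Office.lnk", "Microsoft Office.lnk"),
}

REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VAL = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_ini(text):
    """Return {section: {key: value}} for a WIN.INI / SYSTEM.INI style file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _unquote(s):
    """Strip the surrounding quotes of a .reg string and undo the \\ and \" escapes."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg(text):
    """Return {key path: {value name: data}} for a regedit export (string data unescaped)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_KEY.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = REG_VAL.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unquote(m.group(1))
            data = m.group(2)
            keys[current][name] = _unquote(data) if data.startswith('"') else data
    return keys


def startup_entries(win_ini, system_ini, reg_export, startup_folder):
    """Enumerate all four startup locations as (location, name, command) tuples."""
    found = set()
    windows = parse_ini(win_ini).get("windows", {})
    for stmt in ("load", "run"):
        if windows.get(stmt):          # an empty load=/run= starts nothing
            found.add(("WIN.INI [windows]", stmt + "=", windows[stmt]))
    boot = parse_ini(system_ini).get("boot", {})
    if boot.get("shell"):
        found.add(("SYSTEM.INI [boot]", "shell=", boot["shell"]))
    reg = parse_reg(reg_export)
    for key in STARTUP_KEYS:
        for name, command in reg.get(key, {}).items():
            found.add((key, name, command))
    for name in startup_folder:
        found.add(("Startup folder", name, name))
    return found


def new_entries(current, baseline):
    """What a startup monitor would highlight: entries not present in the clean baseline."""
    return sorted(current - baseline)


def report():
    return new_entries(startup_entries(WIN_INI, SYSTEM_INI, REG_EXPORT, STARTUP_FOLDER), BASELINE)


if __name__ == "__main__":
    for location, name, command in report():
        print(f"NEW  {location}\n     {name} -> {command}")
```

On the constructed input the report shows four additions: a RUN= line in WIN.INI, a program chained after Explorer.exe on the shell= line, a new "SysMon" value under the local machine Run key, and an unexpected kernel32.exe in the Startup folder. Note that the shell= entry is flagged even though it still starts Explorer.exe; anything appended to that directive runs with the shell, which is why the comparison is made on the whole value rather than on the first token.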
Replication: On initialization, the worm may hook
the default e-mail application, or start its own SMTP engine (mail
service), in order to forward copies of itself to the
next victims. Worms may also install a backdoor service
on the victim machine, to allow access to the affected PC from
a remote computer, or steal data and send it to a remote
listener. Many of the newer worms also start a process
that redistributes the worm across the network through
file sharing.
InVircible detects the presence of worms through any of
the following methods:
Every application added to the startup queue is reported
by SAM (Startup Applications Monitor), part of IV Interceptor (IVI).
Black-listed objects are intercepted on access, e.g. when
attempting to open the bogus attachment. Black-listed objects
are those listed in the IVI Offensive Files List (OFL).
Sometimes worms have intrinsic generic features that
trigger IVI on access, without being listed in the OFL.
Examples are: bogus file naming (e.g. double extensions),
suspect PE code, embedded hostile script, bogus macros,
etc. These are intercepted by IVI and their execution
is inhibited.
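The "bogus file naming" heuristic can be illustrated on attachment names alone. The function below is an added example, not IVI's own detection logic: it flags an attachment whose real (last) extension is one Windows will execute, and additionally reports the two tricks used to disguise it, a decoy data extension in front of the real one (the double extension the page mentions) and a run of spaces that pushes the real extension out of view in a mail client. The extension sets and the sample attachment names are constructed for the example.

```python
import os

# Extensions that Windows executes (or that launch something) when opened.
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
            ".js", ".jse", ".wsf", ".wsh", ".hta", ".lnk"}
# Extensions users regard as harmless data and that worms use as decoys.
DECOY_EXT = {".txt", ".doc", ".xls", ".jpg", ".jpeg", ".gif", ".bmp", ".mp3",
             ".avi", ".zip", ".pdf", ".htm", ".html"}


def suspicious_attachment_name(name):
    """Return the set of name-based reasons to block `name` (empty set = nothing seen).

    'executable'       the real (last) extension is one Windows runs
    'double_extension' a decoy data extension sits in front of the real one
    'padded_name'      spaces before the real extension hide it from view
    """
    flags = set()
    stem, ext = os.path.splitext(name)
    if ext.lower() in EXEC_EXT:
        flags.add("executable")
        visible = stem.rstrip()          # what the user sees before the padding
        if visible != stem:
            flags.add("padded_name")
        if os.path.splitext(visible)[1].lower() in DECOY_EXT:
            flags.add("double_extension")
    return flags


# Constructed attachment names: two disguised executables, a plain executable,
# and a genuine data file.
SAMPLE_ATTACHMENTS = [
    "holiday.jpg.vbs",
    "invoice.doc" + " " * 40 + ".exe",
    "setup.exe",
    "report.pdf",
]


def triage(names):
    """Map each name that raises at least one flag to its flags; clean names are omitted."""
    result = {}
    for name in names:
        flags = suspicious_attachment_name(name)
        if flags:
            result[name] = flags
    return result


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r}: {', '.join(sorted(flags))}")
```

A plain executable attachment gets only the 'executable' flag; whether that alone is blocked is a policy decision, whereas 'double_extension' and 'padded_name' are deception and justify inhibiting execution on access.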
Indications of a newly installed worm:
A new application in the startup queue is legitimate if
you expect it, e.g. after installing a new program that
requires initialization at Windows startup.
The SAM popup window will then show the new startup application
with all its details. The detailed description in the startup
applications list helps assess whether it is benign, and
suggests how to disable or remove that item in case
it is bogus.
Yet if a new application shows up in
SAM's list shortly after you opened an e-mail attachment,
or ran a program that was not expected to install itself
in the startup sequence, then it is very likely that the
newly added application is bogus.
The latest addition to the list is shown in red, so that
you can easily spot it and remove it at will.
Disabling/removing undesired startup applications:
First, note the name, path and initialization method
of the application that you want to remove from Windows'
startup, as shown in the SAM list.
Next, revert the changes made to the registry and/or to the
WIN.INI / SYSTEM.INI files, or delete the relevant object
from the Startup folder. The SAM list provides all the
cues needed to spot the item to be removed.
Last, delete the offensive file(s) at the pathname shown
in the SAM list. You may need to restart Windows to permanently
delete a startup item, as the files may be locked if they
were already initialized, or in use.
The removal of some worms may leave Windows in a nonfunctional
state. This is the case with PrettyPark, Yaha,
Sircam and a few others. These
worms modify the value of the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command
and reassign the execution of EXE files to themselves, so that
every program launched passes through the worm first. Once the
worm file is deleted, no executable can run under Windows until this registry
key is restored to its default value, "%1" %*.
InVircible users need not worry about this, as IV prevents
this condition from occurring by intercepting any attempt
to take control of the 'exefile\shell\open' command.
If stuck with this problem (you lost the ability to run applications
from Windows), then do this:
Get the FixRegEx utility and run it on the affected computer,
either directly from the server, or by saving FixRegEx to a floppy
and running the downloaded file on the affected PC from the floppy.
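What such a fix has to check and write back can be shown on a regedit export of the key. The script below is an added example and is not the FixRegEx utility or any InVircible code: it reads the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command from a .reg export, decides whether it is the clean "%1" %* or has a foreign program prepended (worms keep "%1" %* at the end so the original program still runs and the user notices nothing), names that program, and produces the .reg text that restores the default. Both exports and the path C:\WINDOWS\SYSTEM\wormhost.exe are constructed for the example.

```python
import re

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
# Default data of the key on a clean Windows installation.
DEFAULT_COMMAND = '"%1" %*'

# Constructed regedit export of the key in the state the page describes
# (wormhost.exe is a made-up name). Inside .reg files backslashes and
# quotes are escaped, which is why the data reads \\ and \".
HIJACKED_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\wormhost.exe \"%1\" %*"
'''
# Constructed export of the same key from a clean machine.
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''


def default_value(export_text, key=EXEFILE_KEY):
    """Return the unescaped default (@) string value of `key` from a .reg export, or None."""
    pattern = r"^\[" + re.escape(key) + r'\]\s*\n@="((?:[^"\\]|\\.)*)"'
    m = re.search(pattern, export_text, re.MULTILINE)
    if not m:
        return None
    return re.sub(r"\\(.)", r"\1", m.group(1))      # undo the \\ and \" escapes


def hijacker(command):
    """Return the program that runs in front of the real EXE, or None if the command is clean."""
    if command is None or command.strip() == DEFAULT_COMMAND:
        return None
    idx = command.find('"%1"')
    # Everything before "%1" is the interposed program; if "%1" is missing
    # entirely the whole command is foreign.
    return command[:idx].strip() if idx > 0 else command.strip()


def restore_reg():
    """The .reg text that writes the default value back (REGEDIT4 is the Win9x header)."""
    return "REGEDIT4\n\n" + f"[{EXEFILE_KEY}]\n" + '@="\\"%1\\" %*"\n'


def diagnose(export_text):
    """Return (is_hijacked, interposed_program) for one export."""
    program = hijacker(default_value(export_text))
    return (program is not None, program)


if __name__ == "__main__":
    for label, text in (("hijacked", HIJACKED_EXPORT), ("clean", CLEAN_EXPORT)):
        bad, program = diagnose(text)
        print(f"{label}: {'HIJACKED by ' + program if bad else 'default value in place'}")
    print(restore_reg())
```

Note the practical catch the page alludes to: once the worm file is gone, every .exe fails to start, including regedit.exe, so the restoring .reg cannot simply be double-clicked. Importing it needs a program that still runs despite the broken association (a copy of regedit.exe renamed to regedit.com, since the .com extension is not governed by the exefile key, is the usual workaround); this is the situation the FixRegEx utility exists for.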