| Location | Description |
|---|---|
| Archive files | Malware can be hidden in, or launched from within, archive file formats. |
| Auto-run application files | Malware can launch from any auto-running file associated with a particular application. |
| Embedded or linked files | Many applications and their file formats allow other document types to be embedded or executed. |
FILE AREAS

| Location | Description |
|---|---|
| Alternate Data Streams | Malware can hide itself in the Alternate Data Streams (ADS) of a Windows file. |
| AUTORUN.INF | Autorun file; runs the commands or programs referenced by open= or shellexecute= when storage media (for example, a CD-ROM disc) is inserted or Autoplay is chosen. |
| Desktop.ini | Used to customize folder behavior. It is meant to let users customize folder appearance and behavior, but can be used to hide files and auto-launch programs when the referring folder is viewed. |
| HOSTS | Used to place static DNS resolution entries. |
| Non-printable characters in file name | Several computer defense programs (for example, antivirus) are unable to scan files whose names contain non-printable or extended ASCII characters. |
| Long path name trick or program.exe trick | If a long path name containing spaces is not enclosed in quotes, many programs will attempt a systematic execution search that could lead to the wrong file (possibly malicious) being executed. |
| Internet shortcut trick to run local code | Can be used to override HOSTS and DNS resolution. |
| OLE2 document trick | OLE2-formatted documents are opened in their correct associated application even when the file carries no extension. |
| Protected file names (Lsass.exe, System, and so on) | Processes running under several such names cannot be killed in Task Manager, complicating removal. |
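An added Python example, not part of the original table, that models the last two file-name tricks above (non-printable characters in a name, and unquoted long path names with spaces) together with the PATHEXT lookup order that the registry section below describes. It uses `ntpath` so the Windows path rules run on any OS; the executable-extension set, the shortened PATHEXT default and the injectable `exists` callback are assumptions.

```python
import ntpath
import os

EXEC_EXTS = {".exe", ".com", ".bat", ".cmd"}   # a prefix ending in one of these is the intended program

def suspicious_name_chars(name):
    """Characters outside printable ASCII (0x20-0x7E) in a file name, as U+XXXX labels.
    Scanners that cannot handle such names are why the table lists this trick."""
    return [f"U+{ord(c):04X}" for c in name if not 0x20 <= ord(c) <= 0x7E]

def unquoted_path_candidates(command):
    """Files Windows tries, in order, for an unquoted command line whose path contains spaces.
    Each prefix up to a space is tried, with .exe appended when the prefix has no extension."""
    if command.startswith('"'):                        # a quoted path is unambiguous
        return [command[1:].split('"', 1)[0]]
    words, candidates = command.split(" "), []
    for i in range(1, len(words) + 1):
        prefix = " ".join(words[:i])
        ext = ntpath.splitext(prefix)[1].lower()       # ntpath: Windows separators on any OS
        candidates.append(prefix if ext else prefix + ".exe")
        if ext in EXEC_EXTS:                           # the search stops at the real program
            break
    return candidates

def shadowing_files(command, exists=os.path.exists):
    """Candidates tried *before* the intended program that already exist on disk.
    Any hit means something other than the configured program would run; `exists` is injectable."""
    return [p for p in unquoted_path_candidates(command)[:-1] if exists(p)]

def pathext_order(name, pathext=".COM;.EXE;.BAT;.CMD"):
    """Files tried for a name typed without an extension, in PATHEXT order (shortened default assumed)."""
    if ntpath.splitext(name)[1]:
        return [name]
    return [name + ext for ext in pathext.split(";")]

if __name__ == "__main__":
    cmd = r"C:\Program Files\Frog Corp\Frog.exe /silent"   # constructed sample command line
    print(unquoted_path_candidates(cmd))
    print(pathext_order("Frog"), suspicious_name_chars("Frog\u00a0.exe"))
```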
FOLDERS

| Location | Description |
|---|---|
| %Windir%\Start Menu\Programs\Startup | Default Startup folders; any program or command listed in one of these folders is automatically executed when the user logs on. |
| Recycler | Recycle Bin's temporary storage location for deleted files and folders. |
| System, System32, %Windir% | Malware often writes itself to the Windows system directories. |
| System Volume Information | Can be used by hackers or malware to hide malicious programs. |
| Tasks | Lists Task Scheduler tasks. |
| Temporary Internet Files | Malicious files are often stored or hidden in Internet Explorer's Temporary Internet Files (TIF) folder. |
OTHER

| Location | Description |
|---|---|
| ActiveX control | Installed ActiveX control. |
| Defensively positioned dialog boxes | Malware often uses various programming "tricks" to cover up legitimate warning boxes or to trick the user into accepting a command that lets malware enter the system when it otherwise could not. |
| Executable pathway | The PATH statement determines which paths the OS tries if the file is not found in the default directory it was called from (i.e., Frog.exe vs. C:\Program Files\Frog.exe). |
| Hidden files | Hidden (or system) files and folders do not appear in casual searches. |
| Layered Service Provider (LSP) | Malware can insert itself as an LSP program, which can intercept any network traffic heading into or out of the PC. |
| Task Scheduler | Runs listed programs and commands. |
| Unusual folder/file names | Hackers and malware often use unusual names to hide malicious files and folders. |
| URL Monikers | URL Monikers can be added to Internet Explorer to load associated programs when a particular keyword is typed. |
REGISTRY KEYS

| Registry key | Description |
|---|---|
| HKLM\Software\Classes\NeverShowExt | Real file extensions can be hidden. |
| HKCU\Software\Microsoft\Internet Explorer\SearchURL | Redirects any URL typed in Internet Explorer to the defined URL. |
| HKLM\Software\Internet Explorer\Extensions | Adware/spyware can add buttons to IE that connect directly to malicious programs and scripts. |
| HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load | Runs commands or programs after the user logs on. |
| HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run | Runs commands or programs after the user logs on. |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell | Runs commands or programs after the user logs on. |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System | Runs programs after the user logs on. |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman | Runs programs in Task Manager after the user logs on. |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Runs programs after the user logs on, when the Windows default shell (explorer.exe) runs for the first time during each logon. |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | Runs programs or commands after the user logs on. |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce | Runs programs or commands after the user logs on, once only: the first logon after the value is created. |
| HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Runs commands or programs after the user logs on, although it typically points to the CLSID of the associated .DLL file; links programs to the explorer.exe process. |
| HKLM\Software\Classes\\shell\open\command | Can be modified to run additional commands or programs when a particular file type is executed. |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL | Loads the Windows logon user interface; the loaded interface passes the interactive user's logon credentials to Winlogon.exe. |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit | Specifies the programs that Winlogon runs when a user logs on. |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | Programs loaded when Internet Explorer loads; the loaded programs are also known as Add-Ins. |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler | Task scheduler programs that are launched when Windows starts. |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Determines the location of the Startup folders (i.e., Startup programs) and other common folders (for example, My Documents, My Favorites) for the All Users profile. |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | Contains the list of COM objects, listed by GUID, that trap execute commands. |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx | Runs programs or commands after the user logs on, in a controlled order. Runs each listed value every time any user logs on until a user with admin permissions to the registry key logs on; it then deletes the value after running. |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices | Runs a service after bootup, prior to the user logging on. |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | Runs a service once after bootup, prior to the user logging on, and then deletes itself. |
| HKLM\System\CurrentControlSet\Control\SafeBoot | Used by Windows to determine which programs, services, and drivers are loaded in a Safe Mode boot. |
| HKLM\System\CurrentControlSet\Control\Session Manager\Environment\PathExt | Determines which file extensions are tried when a program name is typed without an extension (i.e., Frog vs. Frog.exe). |
| HKLM\System\CurrentControlSet\Services | Loads a program as a service (i.e., prior to the user being logged in). |
| HKLM\Software\Microsoft\Office\Outlook\Addins | Malware can add itself as an Outlook Add-in and manipulate incoming or outgoing e-mail. |
| HKCU\Identities\\Software\Microsoft\Outlook Express\\Signatures | Malware can add a malicious script to Outlook Express e-mail signatures that retrieves malware automatically when the message is opened by the recipient. |
| HKLM\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix | Adds any string value as a prefix to every URL typed in the browser, effectively redirecting all typed-in URLs to an unauthorized Web site first. |
| HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath | Can be used to point to a new, unauthorized HOSTS file instead of the HOSTS file in the normal location (i.e., \%SystemRoot%\Drivers\Etc). |
| HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\ | Sets overall TCP/IP communications values including DHCP, DNS, and the TCP/IP stack. These values are used unless a specific value is set under the \Interfaces subkeys for a particular interface. |
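An added Python example, not from the original table, that audits a constructed .reg export of several autostart keys listed above: it reports Winlogon Shell and Userinit values that differ from their stock values on an unmodified Windows install (assumed defaults), entries that point into the folders the FOLDERS section names as hiding places, and entries containing non-printable characters. The sample export is constructed for the example, not taken from a real system.

```python
import re

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
AUTOSTART_KEYS = {WINLOGON,            # keys from the table that this audit understands
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"}   # holds the load/run values
# Stock values of the two Winlogon entries described above (assumption: an unmodified install).
WINLOGON_DEFAULTS = {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"}
HIDING_FOLDERS = ("\\recycler\\", "\\system volume information\\", "\\temporary internet files\\")  # FOLDERS section

def parse_reg_export(text):
    """Parse [key] headers and "name"="string" lines of a .reg export into {key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, path = line[1:-1].partition("\\")
            current = keys.setdefault(HIVES.get(hive, hive) + "\\" + path, {})
        elif current is not None:
            m = re.match(r'"(.+?)"="(.*)"$', line)      # string values only; dword: etc. skipped
            if m:
                current[m.group(1)] = m.group(2).replace("\\\\", "\\")   # .reg doubles backslashes
    return keys

def audit(keys):
    """Return (key, value name, reason) for every autostart entry matching a trick from the table."""
    findings = []
    for key, values in keys.items():
        for name, data in (values.items() if key in AUTOSTART_KEYS else ()):
            low = data.lower()
            if key == WINLOGON and low != WINLOGON_DEFAULTS.get(name, low).lower():
                findings.append((key, name, "differs from stock default"))
            if any(folder in low for folder in HIDING_FOLDERS):
                findings.append((key, name, "points into a folder used to hide files"))
            if any(not 0x20 <= ord(c) <= 0x7E for c in name + data):
                findings.append((key, name, "non-printable or extended character in entry"))
    return findings

# Constructed sample export (not from a real machine): Userinit has a second program appended
# and one Run entry lives under System Volume Information.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Recycler\\helper.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"OEMTray"="C:\\Program Files\\OEM\\tray.exe"
"Updater"="C:\\System Volume Information\\update.exe"
'''
```

Running `audit(parse_reg_export(SAMPLE_EXPORT))` yields three findings: two for the tampered Userinit value and one for the Run entry under System Volume Information, while the stock Shell value and the OEMTray entry pass.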