Registry scanning

Post by WallShadow on Sun Aug 12, 2012 6:56 pm

Good afternoon everyone,

I wanted to quickly ask anyone here who does any manual cleaning of malware: what registry keys do you check right off the bat? Since even the smallest of viruses edit various parts of the registry, usually for persistence or to protect themselves, what must you check in order to confirm/deny a virus infection?

And to add to this, I was wondering if anyone had heard of the AppInit_DLLs key. This key is a very dangerous one because it lists all DLLs that are loaded by default whenever a GUI application is loaded. The key is located under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows and is a REG_SZ value by the name of AppInit_DLLs. Normally, this key should be empty on most machines (though I'm not certain if any specific software uses this key, so make sure to double-check anything before deleting stuff and blaming me), and even Microsoft recommends that no one use this key for any reason and warns that future versions of Windows may not support it. On modern versions of Windows (Vista, 7, 8?) there is also the LoadAppInit_DLLs key in the same location, which should normally be set to 0x0 to indicate that no DLLs from AppInit_DLLs should be loaded, but when set to 0x1, it does load them. (I'm not 100% certain on that last part, I never really got a chance to test it.)

It's funny because, according to a study of computer security experts told to inspect a random machine for the presence of a virus, the first thing they always do is jump for some kind of GUI program. ;)

-WallShadow <3


Re: Registry scanning

Post by cyberdrain on Tue Aug 14, 2012 5:37 pm

Comodo Firewall definitely uses this key: I found guard32.dll inside it. I hadn't heard of the key yet, but it is indeed interesting. How did you find that key anyway?

To check for malware, I usually check all startup keys and svchost-launched services. On top of that I usually check if the browsers (Internet Explorer in particular) have any weird registry changes from normal. Checking HKEY_CLASSES_ROOT\*\shell\open\command keys is also something, as is checking if the default Windows shell (under Winlogon) is still the same. Policies are also used to some extent by different types of malware. I'm sure there are more registry keys to check, so anyone who knows more, please say so.

However, if I recall correctly, a good hypervisor rootkit is virtually undetectable, save for errors on the programmer's part. So that would mean taking out the hard-drive and checking it on another machine. I'm not sure you can ever completely confirm nor deny any virus infection on a machine without a known safe image of the system.
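Added example (not code from either poster): a small offline audit of the keys named in this thread, run against a .reg export taken from a drive mounted on another machine, as cyberdrain suggests. The .reg text below is constructed for the example; the guard32.dll entry mirrors the Comodo case mentioned above, and the thresholds (AppInit_DLLs non-empty, LoadAppInit_DLLs = 1, Winlogon Shell not explorer.exe) follow WallShadow's and cyberdrain's descriptions.

```python
# Constructed .reg export for the example (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\System32\\guard32.dll"
"LoadAppInit_DLLs"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\Users\\Public\\updater.exe"
'''

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}} (REG_SZ and DWORD only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                # .reg files escape backslashes and quotes inside strings
                keys[current][name] = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return keys

def audit(keys):
    """Return (key, value_name, note) tuples that deserve a manual look."""
    findings = []
    win = keys.get(WINDOWS_KEY, {})
    if win.get("AppInit_DLLs"):
        findings.append((WINDOWS_KEY, "AppInit_DLLs", "non-empty: " + win["AppInit_DLLs"]))
    if win.get("LoadAppInit_DLLs") == 1:
        findings.append((WINDOWS_KEY, "LoadAppInit_DLLs", "set to 1, AppInit_DLLs will load"))
    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    if shell is not None and shell.lower() != "explorer.exe":
        findings.append((WINLOGON_KEY, "Shell", "default shell replaced: " + shell))
    for name, cmd in keys.get(RUN_KEY, {}).items():
        findings.append((RUN_KEY, name, "startup entry: " + cmd))
    return findings

for key, name, note in audit(parse_reg(SAMPLE_REG)):
    print(key + "\\" + name + ": " + note)
```

Every Run entry is listed rather than judged, since deciding whether a startup entry is legitimate is the manual step the thread is asking about.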


Re: Registry scanning

Post by WallShadow on Tue Aug 14, 2012 8:15 pm

cyberdrain wrote: Comodo Firewall definitely uses this key: I found guard32.dll inside it. I hadn't heard of the key yet, but it is indeed interesting. How did you find that key anyway?

I read it in the Windows Forensics Analysis book.