Places where trojans hide in your system
The following registry entries are used by trojans to hide in your system. The countermeasure is to create a backup and then delete the following registry entries.
The registry is often used in various auto-starting methods. Here are some known ways:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Info"="c:\directory\Trojan.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Info"="c:\directory\Trojan.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Info"="c:\directory\Trojan.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Info"="c:\directory\Trojan.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Info"="c:\directory\Trojan.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Info"="c:\directory\Trojan.exe"
Registry Shell Open methods
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
The value "%1 %*" should be placed under this key. If an executable file is placed there as well, it will be executed each time a binary file is opened. It is used like this: trojan.exe "%1 %*"; this would restart the Trojan.
ICQ Net Detect Method
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps]
This key includes all the files that will be executed when ICQ detects an Internet connection. This feature of ICQ is frequently abused by attackers as well.
ActiveX Component method
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
StubPath=C:\directory\Trojan.exe
These are the most common auto-starting methods using Windows system files and the Windows registry.
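An added example, not part of the original post: a read-only audit of a registry export (such as the backup made with reg export before deleting anything) that lists every string value under the keys named above. Legitimate software also uses these keys, so each hit is something to review, not proof of a trojan; the sample export is constructed, and only string values are parsed.

```python
import re

CV = "\\software\\microsoft\\windows\\currentversion\\"  # keys are compared lower-cased
RUN_KEYS = {h + CV + n for h, names in (
    ("hkey_local_machine", ("run", "runonce", "runservices", "runservicesonce")),
    ("hkey_current_user", ("run", "runonce"))) for n in names}
SHELL_OPEN = {"hkey_classes_root\\exefile\\shell\\open\\command",
              "hkey_local_machine\\software\\classes\\exefile\\shell\\open\\command"}
ACTIVE_SETUP = "hkey_local_machine\\software\\microsoft\\active setup\\installed components\\"
ICQ_APPS = "hkey_current_user\\software\\mirabilis\\icq\\agent\\apps"
# A .reg string line: "name"="data" or @="data", with \\ and \" escapes inside.
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def audit(reg_text):
    """Return (key, value name, data, reason) for each entry worth reviewing."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = VALUE.match(line)
        if not m or key is None:
            continue  # header, key lines, blank lines, hex:/dword: data
        name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data, k = unescape(m.group(2)), key.lower()
        if k in RUN_KEYS or k.startswith(ICQ_APPS):
            findings.append((key, name, data, "autostart entry"))
        elif k in SHELL_OPEN and name == "@" and data.replace('"', "") != "%1 %*":
            findings.append((key, name, data, "shell open command changed"))
        elif k.startswith(ACTIVE_SETUP) and name.lower() == "stubpath":
            findings.append((key, name, data, "Active Setup StubPath"))
    return findings

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Info"="c:\\directory\\Trojan.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="trojan.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
"StubPath"="C:\\directory\\Trojan.exe"
'''

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```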