[ ] | [ -+- DEEP_R00TING -+- ] | [__________________________] | \ \ | *---------------------------* Or the Better Way to Stay Alive ! By Del_Armg0 /*/ MATRiX Team ¤° -------------------------- 1 - What is Deep-Rooting ? -------------------------- Deep Rooting (D.R.) is the way to stay in a computer, making the removing of the virus/worm or trojan harder. The main goal is to restart each time Windows is starting, and we have lot's way to do it. But D.R. is not simply restarting a file, lot's operation could/must be added like : - making backup/copy of himself - checking if the Autostart is always enabled - reinfecting system or reinstalling some files - etc... Here i will only study the way to restart a file with Windows, just don't forget to make the D.R. deeper as u can and the hardest to remove. U could of course use more than one of these methods, but it will be better if they act in a different way, like: - use winstart.bat to see if virus/worm is always here, and make some copy. - use win.ini to run another .exe/.bat/.vbs who will make some others checks or reinstall some files. - use registry to finally run the virus/worm one more time ;) If u mix all these methods nicely, and use some others unknown tricks... your virus/worm or even trojan will be the hardest to remove. ------------------ 2 - Classic Ways : ------------------ *A| The AutoStart windows folder; everything here, progs, links or others files will restart/will be run to each Windows startup Habitually u can find this folder named as C:\Windows\Startup menu\programs\startup (or "C:\Windows\Menu démarrer\programmes\démarrage" here). This Autostart Directory is saved in: "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ Shell Folders Startup="C:\windows\start menu\programs\startup" So it could be easily changed by any program It's probably the worst method, because lot's users know this folder, and it's to easy to disinfect (simply delete the file/link). *B| Registry Autorun keys; actually lot's used by worms and trojans (even virus), but it's a good way to restart or run something. Registry is a very powerfull thing :) Some keys are more usefull than others, for our article subject, 7 keys can make the job: - [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] - [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices] - [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce] }>>after runned, file - [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] }>>will be deleted - [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] - [HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices] }>>after runned, file - [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce] }>>will be deleted Some tricks : + by default the directory is %system%, so if your key is "trojan" -- "file.exe", the target file will be %system%\file.exe Of course u can specify a path in the registry key. + If u run a .vxd from registry, it will be run as an .exe (hey i forgot to test with .cpl ;) Sadly, all the reg. tricks and restarting way are more and more known, and some good 'puter users could easily remove the key. Arggghhh! Others interesting key : - [HKUsers\.Default\Software\Microsoft\Windows\CurrentVersion\Run] - [HKUsers\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce] *C| WIN.ini; here is another good trick for restarting, and perhaps harder to remove... The trick is simply to add datas in the [windows] section of the .ini, which ? Those ! [windows] load=your_file.exe run=your_file_too.exe Here are the 2 keys u can used in win.ini for restarting a file The file must be in %windir% directory or u can even specify a path *D| SYSTEM.ini; another way very near of above, but again harder to remove (perhaps one of the hardest to see for a newbie), it's based on Window$, who "can load" more than one shell ... hurumm he's trying ;), but the result is here and u can run a soft using it. Let's look the nice [boot] section ... [boot] shell=Explorer.exe your_file.exe | |__> u must NOT remove the "Explorer.exe", imagine windows starting without explorer... like a bitch without a dick ! *E| Winstart.bat; here is an old trick, but always usefull :), the main problem, cos' yes there is a problem, winstart.bat can't run win32 exe file (no PE or NE but only old dos prog). It's simply because winstart.bat is run just before windows starting, and at this moment the 'puter is again in dos. Another problem is in others progs/soft the user can install on the 'puter, sometimes a winstart.bat can be created (used for install,...) and your winstart will be overwrited ! Argggh!! Anyway if u wanna use it... just put some dos commands in a file called "winstart.bat", put it in your %windir% and restart the 'puter. ::--winstart.bat-- @ECHO OFF mkdir c:\test echo test dir. exit ::--end----------- In windows files are launched in this order : .com/.exe/.bat , if u give no .ext to a bin. file in a dos shell. *F| Autoexec.bat; The Old trick, lot's antivirus check actually for changes in autoexec, and many users know this trick... this time u have just to add some dos commands in the c:\autoexec.bat file, u can add it where u want. But dont forget to check if the file is already "infected", or you will have very soon an autoexec near of 1MO ;) Another thing, don't overwrite this file, or the 'puter could be fucked (could) (sometimes). *G| Wininit.ini; it's a file found in Windows directory, it's run once and then deleted. Often Used by Setup-Programs when the file exists it is run ONCE and then is deleted by windows Example: (content of wininit.ini) [Rename] NUL=c:\windows\file.exe This example sends c:\windows\file.exe to NUL, Which means that it is deleted. This requires no interactivity with the user and runs totaly stealth :) . *H| ICQ Net; not very common and very interesting. Just see it : [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test] "Path"="test.exe" "Startup"="c:\\test" "Parameters"="" "Enable"="Yes" This key includes all the APPS which are executed IF ICQNET Detects an Internet Connection. And as u can see it's usefull for trojans or worms (using network). It's a not very known trick, but the victim need this shitty Icq (Viva mIRC). Probably many others progs could be exploited in this way (firewall?;). *I| Registry Shell Spawning; a good trick for worms and virus (good for companions) [HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*" [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*" [HKEY_CLASSES_ROOT\mhtmlfile\shell\open\command] @="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome What is all that !?! It's just default registry keys. These keys should have (and have) a value of Default Value of "%1 %*", if this is changed to "worm.exe %1 %*", the worm.exe is executed EVERYTIME an exe/pif/com/bat/hta is executed, and the called prog is run after (with command line in the %*. Wooooooo!! nice :). The last line is about html files. And of course it could be used with lot's of files, like bmp/jpg/mov/..., just open Regedit and look for the targeted file. *J| Misc. Trick; it's just a usefull trick to add :) [HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] @="Scrap object" "NeverShowExt"="" The NeverShowExt key has the function to HIDE the real extension of the file (here) SHS. This means if you rename a file as "Girl.jpg.shs" it displays as "Girl.jpg" in all programs including Explorer. Your registry should be full of NeverShowExt keys, simply delete the key to get the real extension to show up. *K| The last technics: Explorer.exe; Seems good with NT too (Win2k...?) : Windows loads Explorer.exe (typically located in the Windows directory) when it has loaded. However, if C:\Explorer.exe exists it will be executed instead of the Windows Explorer.exe. If C:\Explorer.exe is corrupt, the user will effectively be locked out of their system after they reboot. If C:\Explorer.exe is a trojan, it will be executed. Unlike all other autostart methods, there is no need for any file or registry changes, the file just simply has to be renamed. Of course the Trojan/Worm/Virus using this trick has to call Explorer.exe (the true) by himself :) ----------------- 3 - Others Ways : ----------------- I've just dreamed others methods could be used, i've not tested them, it's just from a weed-brain-storming ;) ++-> Infecting/patching the file %windir%\win.com, this file is run each time windows start, so it could be possible to patch it to make something else ... ++-> Another "always-run" file is explorer.exe, a patching could be done too, the prob is in the many differents versions of explorer.exe. ++-> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx] , who knows ;) But this key create a log file in Windows dir. called 'RunOnceEx Log.txt'. ++-> A Simon7 idea: using a mbr infector to run some code and help or run the virus/worm, it will be very effective and very hard to remove. ++-> When virus/worm is in memory, check every 10 seconds if the restart way is always existing, if not, reinstall it. It will be even better to have a memory resident when dos, and another when windows, because many worms/trojans are too easy to remove under dos, so don't forget power of dos. Cya! .finished on 25.february.2001 °~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~¤ Del_Armg0 / MATRiX team / MTX#3 delly@fr.st / del_armg0@matrixvx.org http://www.delly.fr.st °~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~¤