shanenin

I Need Malware

In the following line, what does the "r" mean?

O4 - HKLM\..\Run: [zdkyzf] C:\WINDOWS\system32\bcqzzkw.exe r


If you like to play around with a fairly basic rootkit type of infection, install mailskinner.

It will install the invisible variant of EGDACCESS

The effect on a computer without a phone modem is not too bad, so you can play around with it.

The 'r' is a command parameter.

You may have seen other examples of those in lines like these:

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

It feeds the executable some extra information to use when it is run.

It could mean the file will behave differently when you simply double-click it. ;)

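The split between executable and command parameter described in the reply above, as an added example that is not part of the original thread: a small Python parser for HijackThis O4 lines, run over lines quoted in the thread. The function names, the extension list used to find the end of an unquoted path, and the `loaded_module` field are assumptions of this example.

```python
import re

# Layout of a HijackThis O4 autostart line, as quoted in the thread:
#   O4 - <hive>\..\<key>: [<value name>] <command line>
O4_LINE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')

# Unquoted paths may contain spaces ("C:\Program Files\..."), so the end of the
# executable is taken to be the first executable-style extension that is followed
# by whitespace or the end of the line (assumed extension list).
EXE_END = re.compile(r'\.(?:exe|com|bat|cmd|scr|pif)(?=\s|$)', re.IGNORECASE)


def split_command(cmd):
    """Return (executable, arguments) for a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path: ends at the closing quote
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_END.search(cmd)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    parts = cmd.split(None, 1)              # fallback: split on first whitespace
    return parts[0], (parts[1] if len(parts) > 1 else '')


def parse_o4(line):
    """Parse one O4 line into a dict, or return None if it is not an O4 line."""
    m = O4_LINE.match(line.strip())
    if not m:
        return None
    exe, args = split_command(m.group('cmd'))
    entry = {'hive': m.group('hive'), 'key': m.group('key'), 'name': m.group('name'),
             'executable': exe, 'arguments': args, 'loaded_module': None}
    # rundll32 is only a host process: the module named before the first comma
    # is the code that actually runs, so it is the file to review.
    if exe.lower().rsplit('\\', 1)[-1] == 'rundll32.exe' and args:
        entry['loaded_module'] = args.split(',', 1)[0].strip().strip('"')
    return entry


# Sample lines copied from the thread above.
SAMPLES = [
    r'O4 - HKLM\..\Run: [zdkyzf] C:\WINDOWS\system32\bcqzzkw.exe r',
    r'O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033',
    r'O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
]
```
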

Thanks for clearing that up. Being a Linux guy (use command parameters daily), I should have realized that.


I think the "r" sets the random filename on reboot for these, does it not?


Oh yah, shanenin

If you want to see some of the stuff this junk does and the calls it makes to other processes N-stuff.

Get Install Watch Pro to catch every file added, modified, deleted, and every registry entry made or modified during installation. This helps to see what areas of the system the malware will affect and what other things it will call using the registry entries.

Other tools to use:

FileMon for Windows

ActivePorts: Monitors all port activity. NOTE - Symantec incorrectly flags this program as a High security risk, because the API is publicly available and some malicious programs incorporate it for their bad purposes. Having the actual program is not any risk to your system; in fact, it's a well-known security tool.

Process Explorer

These are just some of the tools you can use to see exactly what any malware is doing in a system. This is how we find areas to fix these buggers. I used to do this to unknown newfound files and report back what was found so developers could write fixes.

:D Oh, yeah, Shanenin! Didn't know you had kids. :D That's the ticket!

And Limewire, too. But, MommaLiz says you have to tell the kids, no pron!

Sweepstakes.com comes up on a Google Search :D I've read that Poker Party is a nasty. Oh! Gator and Wild Tangent.

Liz

have a friend that had her partner install lamewire (limewire) on her laptop - told me that she was getting all these popups - told her to come to BT so that the experts can help her out - Limewore should screw the machine up somewhat hehehehe - just be careful :)

Brian
