From: Panda Oxygen3 24h-365d wrote:

"Words are the small change of thought."
Jules Renard (1864-1910); French writer and dramatist.

- Malware activation techniques -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, May 14, 2004 - Today's Oxygen3 24h-365d will look at the most common techniques used by malware(*) to activate themselves.

The first types of malicious code were activated when a user executed an infected file or, in the case of boot viruses, when the computer read an infected floppy disk.

Viruses that infect files try to copy themselves to all the executable files stored on all drives, including the operating system files. By doing this, when the computer is started up or an application is launched, the virus can activate itself in memory and carry out its actions. A typical example of a virus that ensures that it is activated whenever the computer is started up is Lehigh, which only infects COMMAND.COM, the command interpreter that starts MS-DOS.

Boot viruses work in a similar way: when an infected floppy disk is read, they are activated and infect the boot sector of the hard disk. Once they have done this, whenever the operating system is started up from the hard disk, the virus will be activated in memory and will infect any floppy disk used on the computer.

When Windows was launched, the number of viruses using these techniques to spread decreased. Nowadays, the most widespread malware are Internet worms and Trojans with the capacity to create backdoors. These ensure that they are run whenever the system starts up by inserting a key with a reference to the infected executable file in the Windows Registry, like the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This key contains references to legitimate applications that are run whenever Windows is started, but can also contain a call to a Trojan or worm. A recent example is the Sasser.B worm, which is activated by the following entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avserve2.exe = %windir%\avserve2.exe

The entries in this key can be viewed or deleted through the REGEDIT.EXE application, which allows access to all the entries in the Windows Registry.

(*) Malware: programs, documents or messages liable to have negative effects on IT systems.

------------------------------------------------------------
The 5 viruses most frequently detected by Panda ActiveScan, Panda Software's free online scanner:
1) Sasser.ftp; 2) Netsky.P; 3) Qhost.gen; 4) Briss.A; 5) Netsky.D.

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
See a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
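The newsletter points out that the Run key holds both legitimate startup entries and malware entries such as the Sasser.B one, and that REGEDIT.EXE lets you inspect them. The script below is an added example, not part of the Panda newsletter or Mike's message: it parses a .reg export of that key (the format REGEDIT.EXE writes with File > Export) and reports entries that are not on a site allowlist or whose executable sits directly in the Windows directory. The sample export, the allowlist, and the C:\WINDOWS value assumed for %windir% are all constructed for the example; the avserve2.exe line mirrors the Sasser.B entry quoted above.

```python
"""Audit the Windows Run key from a REGEDIT export (added defender-side example)."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Assumed expansion of %windir% for the sample; a real audit would read it from the host.
WINDIR = r"C:\WINDOWS"

# Constructed sample export in REGEDIT's text format (backslashes are doubled there).
# The avserve2.exe entry mirrors the Sasser.B entry quoted in the newsletter;
# the other two are made-up legitimate-looking entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"avserve2.exe"="%windir%\\avserve2.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"""

# Hypothetical allowlist of Run-key value names a site has reviewed and accepted.
ALLOWLIST = {"SoundMAX", "ctfmon.exe"}

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="value" with the .reg escapes (\\ and \") permitted inside either string.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping: a backslash protects the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key path: {value name: string data}} for the string values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def executable_path(value):
    """Extract the .exe path from a Run value (quotes/arguments dropped) and expand %windir%."""
    m = re.match(r'^"?(.*?\.exe)', value, re.IGNORECASE)
    path = m.group(1) if m else value
    if path.lower().startswith("%windir%"):
        path = WINDIR + path[len("%windir%"):]
    return path


def audit_run_entries(entries, allowlist):
    """Return (name, executable, reasons) for each entry worth a closer look."""
    allowed = {a.lower() for a in allowlist}
    findings = []
    for name, value in entries.items():
        reasons = []
        if name.lower() not in allowed:
            reasons.append("not on allowlist")
        exe = executable_path(value)
        directory = exe.rsplit("\\", 1)[0] if "\\" in exe else ""
        # Heuristic: worms of this era often dropped their binary straight into %windir%.
        if directory.lower() == WINDIR.lower():
            reasons.append("executable sits directly in the Windows directory")
        if reasons:
            findings.append((name, exe, "; ".join(reasons)))
    return findings


def audit_reg_export(text, allowlist=ALLOWLIST):
    """Parse a .reg export and audit only the HKLM Run key."""
    return audit_run_entries(parse_reg_export(text).get(RUN_KEY, {}), allowlist)


if __name__ == "__main__":
    for name, exe, why in audit_reg_export(SAMPLE_REG):
        print(f"{name!r} -> {exe}: {why}")
```

Exported data is a point-in-time snapshot, so treat a clean result as "nothing flagged in this export" rather than "no persistence"; the same audit applies to the HKEY_CURRENT_USER Run key and RunOnce keys by changing RUN_KEY.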