Tutorial:
Autostart methods are the ways a program can be made to start automatically with Windows. Trojans and viruses commonly use them to stay running on a target computer. Some are obvious, such as placing the executable or a shortcut to it in the Startup folder, but others are not well known to the average user.
1. Startup Folder - The Startup folder is the most basic way of getting an executable to start with Windows. It is also the easiest to detect: anyone who opens the folder will find the file. If you use this method, have a backup startup method as well, although a user who finds the file will probably go on to check the rest of the system anyway. The default Startup folder on Windows 9x and ME is:
C:\windows\start menu\programs\startup
On Windows 2000, XP and 2003 the folder is per user (there is also an All Users copy); for the Administrator account it is:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
2. Win.ini & System.ini - The Win.ini and System.ini methods are old favourites of earlier viruses and trojans. Because they are rarely used today, fewer users know to check these two files, which makes them worth considering.
Both files live in c:\windows\ or c:\winnt\ depending on the Windows version, or elsewhere if Windows was installed to a non-default location.
To use Win.ini, open it in a text editor, find the [windows] section (add it if it is not there) and add the following, making sure the path is right (several programs can be listed on one line, separated by spaces):
load=trojan.exe
run=trojan.exe
System.ini is just as simple: open it in Notepad, find the [boot] section (add it if it is not there) and change the Shell line to:
Shell=Explorer.exe trojan.exe
Explorer.exe remains the shell and trojan.exe is started alongside it. Note that this Shell= trick only works on Windows 9x/ME; on 2000/XP/2003 the shell is taken from the Winlogon key in the registry and the System.ini line is ignored, whereas the Win.ini load= and run= lines are still honoured there.
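Both files are plain INI text, so they can be checked offline without touching Windows. The following Python script is an added example, not part of the original tutorial: it parses the [windows] load=/run= lines of Win.ini and the [boot] shell= line of System.ini (constructed here as sample strings standing in for the real files) and reports every program they would launch, treating anything on the shell line other than Explorer.exe as injected.

```python
"""List programs started from Win.ini [windows] load=/run= and System.ini [boot] shell=.
Added example with constructed sample input; point it at real files to audit a machine."""
import re

# Constructed sample contents standing in for C:\Windows\win.ini and C:\Windows\system.ini.
SAMPLE_WIN_INI = r"""[windows]
load=trojan.exe
run=c:\windows\system32\backdoor.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

SAMPLE_SYSTEM_INI = r"""[boot]
shell=Explorer.exe trojan.exe
[drivers]
wave=mmdrv.dll
"""


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, section and key names lower-cased
    because Windows treats them case-insensitively; ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def split_programs(value):
    """load= and run= may list several programs; split on spaces or commas."""
    return [p for p in re.split(r"[,\s]+", value) if p]


def ini_autostarts(win_ini_text, system_ini_text):
    """Return (file, key, program) for every program launched from the two files."""
    findings = []
    windows = parse_ini(win_ini_text).get("windows", {})
    for key in ("load", "run"):
        for prog in split_programs(windows.get(key, "")):
            findings.append(("win.ini", key, prog))
    boot = parse_ini(system_ini_text).get("boot", {})
    shell_parts = boot.get("shell", "").split()
    # First token is the shell itself (normally Explorer.exe); every extra token
    # is a program injected onto the line, and a non-Explorer shell is itself suspect.
    for extra in shell_parts[1:]:
        findings.append(("system.ini", "shell", extra))
    if shell_parts and shell_parts[0].lower() != "explorer.exe":
        findings.append(("system.ini", "shell", shell_parts[0]))
    return findings


if __name__ == "__main__":
    for hit in ini_autostarts(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print("%-10s %-5s %s" % hit)
```

On a real machine read the two files with open(path).read() and pass the text in; on the sample above it reports trojan.exe and backdoor.exe from Win.ini and the extra trojan.exe on the System.ini shell line.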
3. Winstart.bat on older systems - On Windows 9x/ME, Winstart.bat in the Windows directory runs every time the computer boots. Any command prompt commands can be put in the batch file.
4. Registry - The Registry is probably the most popular way of auto-starting trojans, worms and viruses today. Most users do not know how to find registry entries in regedit, let alone remove them.
To make software run automatically, add a string value to any of the following keys:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
RunServices and RunServicesOnce are only processed on Windows 9x/ME. The RunOnce variants delete the entry after it has run. Run and RunOnce also exist under HKEY_CURRENT_USER, where a non-administrator account can write them.
For the above keys, add a string value with whatever name you want and the path to your exe as the data. The format is:
[Name] | [Type] | [Data]
Example:
Windows Update | REG_SZ | C:\Windows\System32\myvirus.exe
Another key that can be used is:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\000x]
where 000x is a numbered subkey such as 0001. Add a string value as before, but the data has three fields separated by | (dll|entry point|command); leave the first two empty to run a plain executable:
||myvirus.exe
Since no full path is given, the exe should be in the System32 directory (or another directory on the PATH).
You can also use a registry export file. Here is an example (to test it, save the text in Notepad as test.reg and double-click it):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate"="c:\\windows\\system32\\trojanz.exe"
Note that every backslash in the data is doubled in a .reg file. Importing it adds a string value named WindowsUpdate with the data C:\Windows\System32\trojanz.exe under the Run key, so the exe starts automatically.
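The same file format works in the other direction: an export taken with reg export (or regedit's File > Export) can be parsed to audit the keys listed above. The following Python script is an added example, not part of the original tutorial: it parses a .reg export (a constructed sample is embedded), undoes the doubled-backslash escaping, and lists every string value under the Run, RunOnce, RunServices, RunServicesOnce and RunOnceEx\nnnn keys, decoding the ||program form for RunOnceEx. It also accepts the HKEY_CURRENT_USER copies of Run and RunOnce, which the tutorial does not list; values of other types (dword:, hex:) are skipped because they are not command lines.

```python
"""Parse a .reg export and list Run-family autostart entries.
Added example with a constructed sample export; feed it a real export to audit a machine."""
import re

# Constructed sample: what regedit would export for a machine carrying the tutorial's entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate"="c:\\windows\\system32\\trojanz.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001]
"1"="||myvirus.exe"

[HKEY_CURRENT_USER\Software\Other\Thing]
"Unrelated"="nothing"
"""

# Keys whose string values are launched at logon/boot (RunServices* only on 9x/ME).
AUTOSTART_KEY_RE = re.compile(
    r"^HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|RunServices|RunServicesOnce|RunOnceEx\\\d{4})$",
    re.IGNORECASE,
)

# "name"=data  or  @=data (the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def reg_unescape(s):
    """Undo .reg escaping: a backslash followed by a character stands for that character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for quoted (REG_SZ) values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else reg_unescape(m.group(1))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = reg_unescape(data[1:-1])
            # dword:/hex: values are not command lines; ignored here
    return keys


def runonceex_command(data):
    """RunOnceEx data is 'dll|entrypoint|command'; an empty dll ('||prog') runs prog directly."""
    parts = data.split("|", 2)
    if len(parts) == 3 and parts[0] == "":
        return parts[2]
    return data


def reg_autostarts(text):
    """Return (subkey, value_name, command) for every string value under an autostart key."""
    findings = []
    for key, values in parse_reg(text).items():
        m = AUTOSTART_KEY_RE.match(key)
        if not m:
            continue
        subkey = m.group(1)
        for name, data in values.items():
            cmd = runonceex_command(data) if subkey.lower().startswith("runonceex") else data
            findings.append((subkey, name, cmd))
    return findings


if __name__ == "__main__":
    for subkey, name, cmd in reg_autostarts(SAMPLE_REG):
        print("%-15s %-15s %s" % (subkey, name, cmd))
```

On current Windows, reg export writes the file as UTF-16, so open it with encoding="utf-16" before passing the text in. The script only recovers the names and command lines; deciding whether a value named WindowsUpdate that points at system32\trojanz.exe is legitimate is still up to the reader, which is exactly why the tutorial recommends such names.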
5. There are other methods that can be found by experimenting with Windows and with other applications; these may be system dependent, such as one application being used to start.