
nOOb question on virus execution


2 replies to this topic

#1 Bat54@Bat
  • Members
  • 1 posts

Posted 17 April 2013 - 03:49 PM

Hello,

I'm new to the site (was here last week to follow advice on getting the Bad Image Virus off my PC - finally got it! - thanks a million) and am trying to learn as much as I can about these things. I'm still not quite sure about the way they launch.

Is the following statement true:

Once my computer gets a virus and I disconnect from all external storage/networks and reboot my PC (in Safe mode probably) the ONLY way a virus can re-launch is from a registry entry or malware in my MBR?
Thanks for such a helpful website in advance.

Jack

#2 TwinHeadedEagle
  • Security Colleague
  • 350 posts
  • Gender:Male
  • Location:Serbia

Posted 18 April 2013 - 05:51 AM

The majority of viruses have a registry entry and a corresponding file that runs when your system boots up. Your question is a little confusing, but I will try to answer you.

Viruses spread across the internet/network, removable drives and so on. Once you are infected with the dropper, it will try to contact a C&C server and download more malware; this varies from malware to malware: some have one or two components, and some several.

Yes, your statement is right. Simple malware has an HKLM\...\Run or HKCU\...\Run entry and a corresponding file (or files) that starts when your system boots up.

More advanced malware installs a service or driver/module, and the purpose of the service/driver is to protect the malicious executable file from being deleted.

The most severe malware makes a hidden partition or drivers/modules that block the installation of any other service or driver.

Hope you understood; if you have more questions, feel free to ask...


Edited by TwinHeadedEagle, 18 April 2013 - 05:51 AM.


#3 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 60,932 posts
  • Gender:Female
  • Location:Romania

Posted 18 April 2013 - 08:49 AM

Once my computer gets a virus and I disconnect from all external storage/networks and reboot my PC (in Safe mode probably) the ONLY way a virus can re-launch is from a registry entry or malware in my MBR?

Actually, this is not true. If you have a patched file, for example, the registry and MBR can be completely clean, but the malware will still be executed.

Or think about a startup file (which is not present in the registry) in %userprofile%\start menu\programs\startup; any file in that folder will be automatically executed. This is in fact a fairly commonly used startup method; for example, Reveton ransomware uses it.


regards, Elise



Malware analyst @ Emsisoft
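As an added example (not code from the thread or from either poster), the following PowerShell script lists the autostart locations the two answers mention: the Run/RunOnce registry keys, the per-user and all-users Startup folders, and services and kernel drivers whose binary sits outside the usual Windows directories. The "trusted directory" filter is an assumption for triage only; a patched system file, Elise's first case, will not show up in any of these lists and needs a file-integrity check instead.

```powershell
# Added example: read-only audit of the autostart locations discussed above.
# Run from an elevated PowerShell on the suspect machine; it only reports.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

"== Registry Run/RunOnce entries (the 'simple malware' case) =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties PowerShell attaches to every registry item.
    foreach ($p in ($props.PSObject.Properties | Where-Object Name -NotMatch '^PS')) {
        [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
    }
}

"== Startup folder contents (Elise's second case; not in the registry) =="
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force -File |
            Select-Object FullName, LastWriteTime, Length
    }
}

"== Services and kernel drivers running from outside the usual system folders =="
# Assumption: a legitimate service or driver binary normally lives under
# \Windows, \SystemRoot, system32 or Program Files. Anything elsewhere is
# worth a closer look, not proof of malware (TwinHeadedEagle's service/driver case).
$trusted = '\\Windows\\|\\SystemRoot\\|system32\\|Program Files'

Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch $trusted } |
    Select-Object Name, State, StartMode, PathName

Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -notmatch $trusted } |
    Select-Object Name, State, StartMode, PathName
```

Compare each listed command path against what is actually on disk and who signed it before deciding anything; an entry pointing at a file in a temp or profile folder is the usual first warning sign.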