
Scanning specific registry keys for malware?


46 replies to this topic

#1 bcmo (Members, 236 posts)

Posted 26 December 2017 - 10:29 AM

When exporting a registry key and uploading the .reg file to VirusTotal, does VirusTotal detect that it's a registry key and scan it as such, or does it just see it as a regular file with text in it (similar to what I'd see when opening it in Notepad) in which case it will always see it as clean, effectively rendering such a scan as useless?


Edited by hamluis, 26 December 2017 - 11:32 AM.
Moved from W10 Spt to Gen Security - Hamluis.



#2 Didier Stevens (BC Advisor, 2,698 posts)

Posted 26 December 2017 - 02:46 PM

I don't know of any anti-virus program that will recognize a .reg file and interpret it as an exported registry key.

AFAIK, anti-virus programs will handle this as a text file.

 

And if I'm not mistaken, binary data in the registry is exported as hexadecimal data.

My experience, is that most anti-virus programs do not recognize malware in hexadecimal format in text files.

 

Consider this simple experiment:

Here is the EICAR file: 60/62 detections on VirusTotal https://www.virustotal.com/#/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/detection

And here is the hexadecimal version of the EICAR file: 0/55 detections on VirusTotal https://www.virustotal.com/#/file/90fef16f6f7a4b6ed2dabd5c847c26a79da89fbccc62051ef6f21420ead1a296/detection


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 bcmo (Topic Starter; Members, 236 posts)

Posted 26 December 2017 - 02:56 PM

So when AV programs claim to scan the whole registry as part of their "full system scan", are they really scanning each key and value for malware, or are they just looking through them as if they were notepad files with data?



#4 Didier Stevens (BC Advisor, 2,698 posts)

Posted 26 December 2017 - 03:04 PM

That is different. Those AV programs will scan the registry via the win32 API, or via their own driver, or maybe even parse and scan the registry hive files (the binary files on disk that contain the registry).

 

Exported registry files via regedit (.reg files) do not exist on a computer, unless a user like you creates them.




#5 bcmo (Topic Starter; Members, 236 posts)

Posted 26 December 2017 - 06:36 PM

Are there any DLL or EXE files in the "Windows" or "System32" folder that can be uploaded to VirusTotal to be scanned? (The most obvious would be "regedit.exe" but mine is only 328 KB so I'm not sure if that means that the actual data is stored somewhere else and that's just a program that can access it.)


Edited by bcmo, 26 December 2017 - 06:56 PM.


#6 dc3, "Bleeping Treehugger" (Members, 30,612 posts; Sierra Foothills of Northern Ca.)

Posted 27 December 2017 - 08:44 AM

Please explain exactly what problems you are experiencing and why you believe there is an infection in the registry.


Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.


#7 Didier Stevens (BC Advisor, 2,698 posts)

Posted 27 December 2017 - 05:11 PM

Do you want to upload your registry files to VirusTotal? Is that why you ask about dll and exe?

Registry hives are not PE files (dll and exe).

 

And if that's what you want to do, consider that your registry might contain confidential data that you don't want to share by submitting it to VT.




#8 bcmo (Topic Starter; Members, 236 posts)

Posted 27 December 2017 - 06:42 PM

I found three weird registry keys in HKCU, the source of which I can't identify.

I scanned my computer (respectively) with: Avast Free, Bit Defender Free, Malwarebytes, Malwarebytes Anti Rootkit, Hitman Pro, SuperAntiSpyware, AdwCleaner, and JRT. They all show my computer as clean and none of them flagged these registry keys.

I also can't find them in Auto Runs, and they don't show up in the two logs that a FRST scan yields.

 

Here are the three separate keys:

 

---------------------

 

Windows Registry Editor Version 5.00
 
[HKEY_CURRENT_USER\镈ᔧ꘨ᔧᨰ᠁]
"cl"=dword:00000003
 
[HKEY_CURRENT_USER\镈ᔧ꘨ᔧᨰ᠁\cache2]
 
[HKEY_CURRENT_USER\镈ᔧ꘨ᔧᨰ᠁\ext]
 
---------------------
 
Windows Registry Editor Version 5.00
 
[HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲倮獡睳牯獤慖汵䅴敧]
"cl"=dword:00000003
 
[HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲倮獡睳牯獤慖汵䅴敧\cache2]
 
[HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲倮獡睳牯獤慖汵䅴敧\ext]
 
---------------------
 
Windows Registry Editor Version 5.00
 
[HKEY_CURRENT_USER\鶠ᚓ鲀ᚓԵ_]
"cl"=dword:00000003
 
[HKEY_CURRENT_USER\鶠ᚓ鲀ᚓԵ_\cache2]
 
[HKEY_CURRENT_USER\鶠ᚓ鲀ᚓԵ_\ext]
 
---------------------


#9 Didier Stevens (BC Advisor, 2,698 posts)

Posted 28 December 2017 - 05:29 AM

When I decode the string (that looks like Chinese characters in your second example) from UNICODE to ASCII, I get this:

 

com.avast.ipm.ClientParameters.PasswordsVaultAge

 

Does this ring a bell?




#10 bcmo (Topic Starter; Members, 236 posts)

Posted 28 December 2017 - 12:19 PM

Wow, how did you do that? I tried in Google Translate and they couldn't decode that.

Avast passwords isn't installed (wish I could post a screen clipping here). And why would that have a registry entry with foreign characters separate from the regular Avast registry location?



#11 dc3, "Bleeping Treehugger" (Members, 30,612 posts; Sierra Foothills of Northern Ca.)

Posted 28 December 2017 - 12:29 PM

How to make a screenshot and post it in your topic

1. Download and run A Thousand Words .

2. Follow the wizard to capture a screenshot.

3. Use the built-in editor to resize, edit, or re-capture your screen shot.

4. Your screen shot will be saved to your desktop when you finish the wizard.

You can post the screenshot in your next post as an attachment.

Just below the area where you write text in a post there is the Post button, to the right of this is More Reply Options.

When you click on More Reply Options you will see Attach Files and Browse, click on Browse, this will open Pictures on your computer, click on the image you want to post, then click on Attach This File, then Add Reply.



#12 bcmo (Topic Starter; Members, 236 posts)

Posted 28 December 2017 - 12:43 PM

How to make a screenshot and post it in your topic

...

Thanks, though the "prt sc" button and Windows Paint for re-sizing is quicker.

This doesn't exist here:
posting-options2.png

Edited by bcmo, 28 December 2017 - 12:46 PM.


#13 britechguy, "Been there, done that, got the T-shirt" (Moderator, 8,165 posts; Staunton, VA)

Posted 28 December 2017 - 12:47 PM

This forum does, indeed, allow attachments.  If you hit the "More Reply Options" button to bring up the full editor, rather than the mini one, you will see the "Attach Files" section immediately below the compose area of the screen.

 

If you know how to use the PrtSc button and MS Paint I am with you that it's easier to go that route.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

      Memory is a crazy woman that hoards rags and throws away food.

                    ~ Austin O'Malley


#14 bcmo (Topic Starter; Members, 236 posts)

Posted 28 December 2017 - 01:13 PM

I don't know what to say, by me it isn't here, and because I can't post an attachment, I can't demonstrate that it's not here (catch 22 there).

 

But going back to the matter above, any ideas on decoding the other two keys and why that one is there if it's from Avast?

 

Thank you all.



#15 Didier Stevens (BC Advisor, 2,698 posts)

Posted 28 December 2017 - 01:53 PM

There are many tools to convert from UNICODE to ASCII. I used a binary editor. You can probably do this online too.

 

I also tried to convert the 2 other strings, but they are not ASCII.


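The two decoding points raised in this thread, worked through as an added Python example (not code from the thread, from Didier Stevens, or from any of the tools named above): post #9 and post #15 read the UTF-16 code units of the odd-looking key names as pairs of ASCII bytes, and post #2 notes that binary registry data leaves regedit as hexadecimal text, which scanners treat as text. The script below takes the three HKCU exports from post #8, merged into one constructed .reg text, and adds one invented "blob" value (a made-up 32-byte stub beginning with the letters "MZ", nothing more) so that the hex: path has something to decode. It decodes each key name back to ASCII where the bytes allow it, returning None for the other two names just as post #15 reports, and turns hex: values back into the raw bytes a file scanner or a hash lookup can actually work on. The regex shapes, the printable-ASCII rule and the NUL padding in the reverse direction are this example's own choices.

```python
import hashlib
import re
from typing import Iterator, Optional

# Constructed sample input, not a verbatim file from the thread: the three
# HKCU key exports quoted in post #8 merged into one .reg text, plus one
# invented "blob" value so the hex: path has something to decode.  Its 32
# bytes are a made-up stub that merely starts with the letters "MZ".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\镈ᔧ꘨ᔧᨰ᠁]
"cl"=dword:00000003

[HKEY_CURRENT_USER\潣⹭癡獡⹴灩⹭汃敩瑮慐慲敭整獲倮獡睳牯獤慖汵䅴敧]
"cl"=dword:00000003

[HKEY_CURRENT_USER\鶠ᚓ鲀ᚓԵ_]
"cl"=dword:00000003
"blob"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,00,00,00,00,\
  00,00,40,00,00,00,00,00,00,00
"""

KEY_LINE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
# "name"=hex:..  (REG_BINARY) or "name"=hex(7):.. (other types exported as bytes)
HEX_VALUE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\([0-9a-fA-F]+\))?:(?P<data>.*)$')


def logical_lines(reg_text: str) -> Iterator[str]:
    """Join regedit's continuation lines: a trailing backslash means the
    value's hex bytes continue on the next, indented, line."""
    buf = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg(reg_text: str) -> tuple[list[str], list[tuple[str, str, bytes]]]:
    """Return (key paths, [(key path, value name, raw bytes)]) for an export.

    Only hex:-encoded values are turned back into bytes; dword and string
    values are skipped because they are not what a file scanner needs.
    """
    keys: list[str] = []
    blobs: list[tuple[str, str, bytes]] = []
    current = ""
    for line in logical_lines(reg_text):
        m = KEY_LINE.match(line)
        if m:
            current = m.group("path")
            keys.append(current)
            continue
        m = HEX_VALUE.match(line)
        if m:
            blobs.append((current, m.group("name"),
                          bytes.fromhex(m.group("data").replace(",", ""))))
    return keys, blobs


def utf16_as_ascii(name: str) -> Optional[str]:
    """Read the UTF-16LE code units of a key or value name as ASCII bytes.

    Each CJK-looking character is two bytes; if every byte is printable
    ASCII the name reads as an 8-bit string packed two characters per code
    unit.  Returns None when any byte is outside printable ASCII, which is
    also what a normal name like "cache2" yields (its high bytes are NUL).
    """
    raw = name.encode("utf-16-le")
    if all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None


def ascii_as_utf16(text: str) -> str:
    """Inverse of utf16_as_ascii: the key name regedit would display for an
    ASCII byte string.  Odd-length input is NUL-padded to whole code units."""
    raw = text.encode("ascii")
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le")


def decode_key_names(reg_text: str) -> list[tuple[str, Optional[str]]]:
    """Pair each exported key's leaf name with its ASCII reading, or None."""
    keys, _ = parse_reg(reg_text)
    return [(leaf, utf16_as_ascii(leaf))
            for leaf in (k.rsplit("\\", 1)[-1] for k in keys)]


if __name__ == "__main__":
    for leaf, decoded in decode_key_names(SAMPLE_REG):
        print(f"{leaf!r} -> {decoded!r}")
    # Hash the recovered bytes: a hash lookup tells you whether the blob is
    # already known without uploading an export that may hold private data.
    for key, name, data in parse_reg(SAMPLE_REG)[1]:
        digest = hashlib.sha256(data).hexdigest()
        print(f"{key}\\{name}: {len(data)} bytes sha256={digest}")
```

To run this over a real export rather than the embedded sample, read the file with `open(path, encoding="utf-16")`: regedit writes "Version 5.00" exports as UTF-16LE text with a byte-order mark, so opening it as UTF-8 produces garbage before the parser ever sees a key line. Looking up the SHA-256 of a recovered blob keeps the rest of the export, and whatever else the hive holds, off a third-party service, which is the concern raised in post #7.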
