Many malware families patch or insert entries into the Windows Registry so that they are launched automatically after each reboot.
And the supply of “creative” ideas these malware authors come up with shows no sign of drying up anytime soon. Nowadays, we see that the installation methods are getting more elaborate and tricky.
Let's take as an example a recent USB worm that was analysed by SophosLabs – W32/Autorun-BBI. It creates a registry entry for itself in the following two separate steps:
The worm first copies itself to <System>\WormNameOnDisk.exe and creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "conime.exe" "conime.exe"
So, at first glance, the worm creates a registry entry for the program “conime.exe” to be launched upon Windows logon. Now “conime.exe” is a legitimate Microsoft application and it doesn’t get patched in any dodgy way by this worm.
What could be the purpose of this modification?
The trick lies in the creation of the second registry entry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe "Debugger" "WormNameOnDisk.exe"
In this instance, Windows will associate a debugger application “WormNameOnDisk.exe” with the module “conime.exe”. When the module is run, Windows will in turn run the debugger application, thereby causing the worm to run indirectly.
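The two-step chain above is easy to miss if you only review the Run key, because the Run value itself points at a legitimate Microsoft binary. The following script is an added example (not SophosLabs code and not part of the original post) showing how a defender can spot it: it parses a Windows .reg export, lists every Image File Execution Options subkey that has a "Debugger" value, and correlates those with Run-key entries whose launched image is one of the redirected names. The .reg text embedded below is constructed for this example; the value data and the "SecurityHealth" and "notepad.exe" entries are illustrative, not taken from the worm.

```python
"""Detect IFEO "Debugger" redirection and correlate it with Run-key autostarts.

Input is the text of a Windows .reg export (e.g. from `reg export`). The sample
below is constructed for this example and is not from a real infection.
"""
import re

# Constructed sample export of the two hives the article mentions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"conime.exe"="conime.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe]
"Debugger"="WormNameOnDisk.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

IFEO_PATH = "\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
RUN_PATH = "\\Microsoft\\Windows\\CurrentVersion\\Run"


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.
    String data is unescaped; other types (dword:, hex:) are kept verbatim."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def ifeo_debuggers(keys):
    """Return {image_name: debugger_command} for every IFEO subkey with a Debugger value."""
    found = {}
    for path, values in keys.items():
        idx = path.lower().find(IFEO_PATH.lower())
        if idx == -1 or "Debugger" not in values:
            continue
        # Subkey name directly under IFEO is the image being redirected.
        image = path[idx + len(IFEO_PATH):].split("\\")[0].lower()
        found[image] = values["Debugger"]
    return found


def run_entries(keys):
    """Return {value_name: command} for every Run key found (HKLM or HKCU)."""
    found = {}
    for path, values in keys.items():
        if path.lower().endswith(RUN_PATH.lower()):
            found.update(values)
    return found


def image_name(command):
    """Basename of the executable in a command line, ignoring path and arguments."""
    command = command.strip()
    if command.startswith('"'):
        command = command[1:].split('"', 1)[0]
    else:
        parts = command.split()
        command = parts[0] if parts else ""
    return command.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_ifeo_chains(keys):
    """Correlate Run entries with IFEO redirections.
    Returns sorted (run_value_name, image, debugger) for each two-step autostart chain."""
    debuggers = ifeo_debuggers(keys)
    chains = []
    for name, command in run_entries(keys).items():
        image = image_name(command)
        if image in debuggers:
            chains.append((name, image, debuggers[image]))
    return sorted(chains)


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for image, dbg in ifeo_debuggers(parsed).items():
        print(f"IFEO Debugger set: {image} -> {dbg}")
    for name, image, dbg in find_ifeo_chains(parsed):
        print(f"Autostart chain: Run\\{name} launches {image}, which IFEO redirects to {dbg}")
```

Run it against a real export and review every Debugger value by hand rather than deleting automatically: developers and some tooling legitimately set IFEO Debugger to attach a debugger to a process, so the signal is the combination of a Debugger value on a system binary with an unexplained autostart entry for that same binary, not the key's existence alone.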
The only question left: How many registry tricks like this are possible?