Pradeepa Chandramohan - Virus Hunting

fallsnowpeasInternet and Web Development

Nov 12, 2013 (3 years and 9 months ago)



Presented by

Pradeepa Chandramohan


Developer’s machine is much more prone to virus attacks than an average
corporate user because developers access different servers and other remote

More security than anti
virus software is required.

Most viruses today disable the anti
virus software as their first step in the

virus software are good at keeping us safe from known threats.

To look out for viruses, it is necessary to think like a virus writer. A basic
understanding of viruses and the most common areas through which they
enter the system is required to deal with them.

Preparing to do battle

Author writes the executable code.

What is the author’s intention

Reformatting hard drive? Delete JPG files?
Mail copies of itself to yourself and your contacts?

Usually, a virus executable code is run in the direct method. Some user
receives an e
mail attachment called “Fun.exe” or some equally appealing
name. The virus is released when this code is run.

days less obvious techniques have been adopted.

What constitutes an Executable code?

.exe, .cmd, .com are all examples of executable files.

Word processing documents contain macros to perform customized tasks

UNSAFE!!! Macros can run unsafe code.

In general, executable code falls into three categories: stand alone programs,
code included within resources or libraries, and script or macro code executed
by an interpreter of some kind.

A stand alone program is any file that relies on the operating system for it to
execute. To examine which of these are affected by virus we need to examine
the windows registry.

Launch the Registry Editor, regedit.exe and expand the
HKEY_CLASSES_ROOT (HKCR) node, which is the Operating System’s
repository for information on file associations and commands.

Navigate down the tree until you locate the key named .exe. Select this node,
its default value is exefile. This is a pointer to another key under HKCR (the
exefile key).

What constitutes an Executable code? (Contd..)

The exefile key contains a shell subkey where a file type’s available actions are
defined. These are called ‘verbs’. For example, In a Word document, ‘print’ is
a verb.

Expand the shell subkey for the exe file node to view available verbs for EXE

The key to be considered is ‘open’. Expand this node and select its command
subkey. Each verb has its own subkey and each of those keys inturn has its
own command subkey. The default value in this subkey dictates what exactly
happens when that verb is executed.

Double clicking an icon executed the default verb’s command (‘open’ for
EXE files)

‘open’ command verb has the value: %1 %*. The path and the filename of the
EXE file activated are substituted for the %1 parameter, while any switches
or command line parameters that go along with it are passed through the %*

All files like .com, .pif, .vbs, .cmd have a default open verb of %1.



Default value of ‘open’ verb for EXE file is “%1” %* and for SCR
(Screensaver) file is “%1” /S.

The only difference between these two default verbs is the /S switch for the
SCR file type.

Intended purpose of screensaver’s ‘open’ verb is to allow for testing a
screensaver and the screensaver executable interprets the /S switch

A virus writer gives the application a .SCR extension and just ignores the /S
switch passed to it when user invokes the program.

Screensaver’s ‘open’ verb is shown as ‘Test’ in the context menu. User thinks
he is just testing a screensaver, while actually activating a virus. This caption is
stored in the default value for the open key. This should be changed to open
and test. This way the user realizes that when they select that menu item, any
executable code inside the screensaver is going to execute and is therefore

Libraries can be dangerous

Executable code may be contained inside resources or component libraries of
many different varieties.

These file types include Dynamic Link Libraries (DLL), Control Panel
Applets (CPL), various type libraries (TLB, OLB, etc), ActiveX Controls &
COM components (OCX, VBX, etc).

Consider the following example:

rundll32.exe shell32.dll,OpenAs_RunDLL c:

The OpenAs_RunDLL function exported from SHELL32.DLL accepts one
parameter, a file name.

When invoked, it displays the Open With Dialog Box. When OK is clicked
after selecting an application, the filename passed as a parameter is opened in
the target application.

Two possible attacks can be expected. One would be to replace an existing
DLL with a compromised version in which a particular function’s
functionality is modified.

Libraries can be


This way, whenever the system invokes this function, instead of having the
desired result, virus gets activated.

Another approach would be to write a DLL from scratch and invoke its
functions using RUNDLL32.EXE when needed.

This is not quite straight forward but it is most likely to be accepted by an
unsuspecting user or to be overlooked by an anti
virus program.

Scripts & Macros

Script code requires a script engine to interpret and run, but it can still be

Macros contained in Microsoft office documents are the ones that are most
frequently exploited.

Windows Script Host (WSH) files, .js or .vbs files carry a default file
association which causes them to be executed, when a user double clicks

Solution would be to change the default action from “open” to “edit” to
avoid any accidents. This can be done by using the Folder Options dialog

Registration files

Files with REG extension (registration files) hold information to be integrated
to the system registry.

They carry a default verb of “open” with the caption “Merge”. If any
registration file is double clicked, it dumps its contents directly into the
system registry, without any confirmation.

Solution would be to change the default verb for REG file from “open” to

Scrap Objects

Scrap objects (SHS & SHB file extensions) are particularly risky. They can
hide executable code, often overlooked by anti
virus software.

Ensure that anti
virus program includes both file types. Usually either one is

Another reason is that the SHS and SHB extension are always hidden by
Explorer. So a virus writer could create a scrap object and add their own
extension. For example, ‘Funny.jpg’ while its actual filename is

Solution would be to delete the “NeverShowExt” registry value from both
keys or select the “Always show Exension” option in the Folder Options
Dialog Box.


First step in dealing with virus is to understand them and to know where to
untangle them from your system once it has been compromised.

More sophisticated the virus, more aggressive they are towards anti