Start-up programs - Random entries

There are many viruses, malware and other pests that can add any number of different entries to the startups. They make additional entries under the registry "Run" keys (such as HKLM\Run, RunOnce, RunServices & RunServicesOnce and HKCU\Run, RunOnce, RunServices & RunServicesOnce) allowing them to run at startup. A number of examples are shown below and in all cases %System% refers to the System folder; by default this is C:\Windows\System (Me/9x), C:\Winnt\System32 (2K/NT), or C:\Windows\System32 (7/Vista/XP):

• PE_BISTRO - adds "XXXX"="C:\WINDOWS\XXXX.EXE" - where XXXX is the randomly chosen filename of the dropped file
• MAGISTR.A - adds "[Virus file name]"="[Virus Path and file name].EXE"
• BUGBEAR.A or BUGBEAR.C or BUGBEAR.E - adds "[random string]"=%System%\"[random filename].EXE"
• OPTIXPRO.11 - adds "%Registry entry%"="%FilePath%\%Filename%"
• Lop.com homepage hijacker - adds multiple and random startup entries
• FreeScratchAndWin - adds multiple and random startup entries as it includes LOP above
• LORAC - adds "[four random characters]"="%System%\abcdef.exe"
• MOSUCK - random name and filename in C:\Windows or C:\Winnt
• DEBORMS.D - adds one of a number of valid Name/Startup Item entries but points to the path of the worm file dropped
• GIBE.C - adds random name and filename in C:\Windows or C:\Winnt
• SWEN.A - adds random name and filename
• ZOMBAM.B - adds random name and filename
• WANADO or REUR - adds "XXXXXXXX"="%System%\XXXXXXXX.exe" where X can be any random hexadecimal (0-9, A-F) number
• SINCOM - adds random name and filename in C:\Windows or C:\Winnt with "Run:Auto" appended to the command/data column entry
• SOBER family - adds "[random string]"="%System%\[random filename.exe]"
• BRANCOS.C - adds "win_[4 random characters][4 random numbers 0-9]"="%System%\SYS_386X\[4 random characters][4 random numbers 0-9].exe"
• IRC.BOT.B - adds random name and filename
• COREFLOO-C - adds "[random filename]"="rundll32 %System% [random filename].dll,Init 1"
• [random digits].exe = [random digits].exe - 8 random digits, example: 77231997.exe = 77231997.exe. Winpup.exe adult content downloader
• DRAGONQQ - "[Trojan's filename]"="[Path to the Trojan]", "[Random name]"="C:\WINNT\[Random name].exe", "[Random name]"="C:\Program Files\[Random name].exe" or "[Random name]"="C:\WINDOWS\[Random name].exe"
• FORMADOR - adds "[executed file name]"="%System%\[executed file name].exe"
• NETTRASH - adds "[file name]"="[path to filename].exe"
• OPTIXPRO.13B - adds "[registry value name]"="[path to trojan].exe"
• MYDOOM.F or MYDOOM.G or MYDOOM.H - adds "[4 to 8 random, lowercase letters]"="[worm filename]"
• ANNIL - adds random name and filename
• ANTINNY.G and ANTINNY.K - adds "[random name]"="[path to worm]"
• KILLAV.D - adds "[Trojan filename]"="%Windir%\[Trojan file name]" where %Windir% is C:\Windows or C:\Winnt
• MYPOO - adds "[value name]"="[Trojan file name]" where [value name] is configurable
• BLACKMAL or BLACKMAL.B - adds "[random_file_name1].exe"="%System%\[random_file_name1].exe"
• ERKEX.A - adds "[random_file_name]"="%System%\[random_file_name].exe"
• OPASA - adds "[random_file_name]"="%System%\[random_file_name].exe"
• GAOBOT.ADN - adds random name and filename
• ADWAHECK - adds "[trojan name]"="%System%\[trojan filename]"
• GOBOT.A - adds random name and filename in C:\Windows or C:\Winnt
• Sandboxer adware - adds random name and filename
• AGENT.B - adds "[1-5 random characters]"="RUNDLL32 %System%\[DLL filename].dll,StreamingDeviceSetup"
• EXRUNTEL - adds "[original filename]"="%System%\[original filename]"
• Margoc adware - adds random name and filename
• Winpup adware - adds random name and filename in %System%
• KETCH - adds "[word]"="%System%\[word][number].exe"
• DARBY.B - adds "[random worm filename]"="%System%\[random worm filename]"
• VUNDO - adds "*[trojan name]"="[trojan path]"
• BEAKER.A - adds "[5 random lower-case char]"="[5 random lower-case char].exe" in the System, system32, Temp and Fonts sub-directories of %Windir%
• LIFEFORENOW - adds "[random filename]"="%System%\[random filename].exe"
• DIMI - adds "[random value name]"="%System%\[random filename].exe"
• ABEBOT - adds "[random service name]"="[random filename].exe -services"
• OMEGA - adds "[random value]" = "%Windir%\[random file name].exe"
• NAMSHARE - adds "[Random service name]" = "[Random file name]"
• REANET.B - adds "[file name]" = "[path to file name]"
• BANCOS.Q - adds "[filename prefix]" = "[path to filename]"
• SPYBOTER.GEN - adds "[key name]" = "[file name of Trojan]"
• BOTUK - adds "[random characters]Srv32" = "[random characters]srv.exe"
• MADTOL-A - adds "[trojan filename]" = "%System%\[trojan filename]"
• HESIVE - adds "[trojan filename]" = "[path to trojan]"

Back to Startups - Database

Copyright © Pacman's Portal, 2001 - 2013
Powered by Malwarebytes
All rights reserved