Data Security: Resource


 Search Resources
Hot Words
Key Words
In Field

 By Chris Gudy
Abnormal Ways to Run Spyware in Windows
Spyware looks for ways to start automatically not only from normal technology, such registry, startup folder, and autostart file, but also from odd places that common developers seldom think of. If spyware is activated from normal technology, although it usually complicates the situation, the clue to analyzing how it runs is clear. The detectors have direction to effort, and the truth will be uncovered at last, because they know the principle and methods that are common and published in document.

However, if spyware use an informal way to start, and the informal way is so special that detectors never hear of it, to cancel it will become radically challengable. For this reason, more and more spyware is in favor of developing own special way to start automatically.

Special ways of automatic starting still depend on functionalities of Windows operating system. In other words, if Windows do not offer chances, spyware as a type of application software cannot create mechanism of automatic starting by itself. The reason that they are called special ways is that originally these chances or mechanisms provided by Windows is never used to activate a program, and no person, except developers of spyware, thinks of that they can be utilized to start automatically. On summarizing, a successful special ways must meet with two conditions.
  • A mechanism or vulnerability of Windows that can be exploited to start automatically is the first. Because operating system is very complex, there are certainly a lot of chances in it. For example, in Windows 95/98, the [shell=] command in system.ini allows users to change own shell program. Of course, this is not a position to activate software except shell program. But many hacker programs or backdoor programs exploit this chance. They use a false shell program to fraud operating system at [shell=] command, and in the false shell program they call own files that need to start automatically before calling real, namely original Explorer.exe, shell program.
  • The second is that the less people know this method, the more effective this method is. An excellent spyware always try to use new or rarely seen way to implement automatic starting. If a starting method is known by many programmers or used in many projects, basic ally, it is no longer special though it is an informal technology.

We will introduce some special methods of automatic starting in this section. Rigorously speaking, nowadays these ways are not special again, because they are employed in spyware repeatedly and most of anti-spyware has noticed them. But they are designed under the concept of special ways automatic starting, and their first applications in spyware definitely can be called special ways of automatic starting. That is, you cannot copy a real special ways from documents, materials, or books, but from your head. Nevertheless, to research those special ways in past will help you to get the rule or inspire of how to create own special way.


No matter whether you are fond of IE, IE actually is a part of Windows. Specially, IE almost is the unique tool to surf on Internet for Windows users. Spyware based on Windows have to pay more attention on IE. As a matter of fact, spyware indeed can implement a bunch of functionalities depending on features of IE. To start automatically is one of them, and is the base of them.

In fact, the mechanism of automatic starting from IE comes from Microsoft. As we know, IE itself is a powerful ActiveX, it can invoke other components with COM interface. To help application developers integrate their modules into IE, Microsoft offers the interface in public. That is, only you observe the regulations and specifications in relation to IE, you can create an object that is called Browser Helper Object (BHO). This program basically is a COM object. After registering it, you can connect it with the IE through a sub-key of registry. When IE is activated, all these kinds of objects will be loaded into memory, and communicate with IE. As far as automatic starting, developers never need other functionalities, such as communication. Only the program has a chance to run, it is enough to start spyware automatically.

For example, if spyware want to start a COM with BHO, it should:

Register this COM as: (The GUID is optional.)
Then, create a new sub-key named {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects.

As long as IE is activated, all COM modules listed at this place will be loaded into memory, response messages from IE.


In the short history of spyware, a number of informal ways to start automatically appeared. In addition to those we discussed before, the rest ones are even more special. In general, it utilizes the vulnerability of operating system and habits of people to get its goal. Studying these methods will help you understand the techniques about how to start automatically, and inspire you to find new method for spyware. In this section, we will introduce how to use confused path to trick machine.

In Windows 95/98/ME, Explorer.exe is started through a system.ini entry
The real Explorer.exe is installed at the path of \$winpath\. If you know the sequence of searching objects in Windows, you surely understand why the opportunity is coming. Basically, developers can name own program as explorer.exe too, but put this false explorer.exe in root folder. If c:\explorer.exe exists, it will be started instead of c:\$winpath\explorer.exe. Only developers do not forget to invoke the real explorer.exe at the end of false explorer.exe, users definitely cannot feel the difference from before.

In Windows 2K/XP, as we mentioned before, the
At first, search the current directory. If the file is not found, search the directories specified in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path, in the order in which they are specified. If the file is still not found from all folders above, search the directories specified in HKEY_CURRENT_USER\Environment\Path, in the order in which they are specified.

Actually, utilizing rules about path to start automatically is more difficult to be uncovered. Perhaps you already notice that no sub-keys of registry or other start-up entries are needed to install an entrance of spyware as c:\explorer.exe. Of course, if developers continue to hack explorer.exe in spyware, maybe it is will caught immediately. However, supposed that you happen to get a similar file as explorer.exe, it is possible to implement an automatic starting just with a file in proper folder, but without any settings in system.