CLASSIC WAY TO RUN SPYWARE IN WINDOWS
By Chris Gudy
config.sys: Used to load drivers at computer boot.
autoexec.bat: Used to call .exe, .com and .bat files after config.sys has been processed.
Win.ini file: This is the system file used to start programs under the older Windows 3.x systems. It has been kept for compatibility with Windows 3.x: Windows 2K/XP no longer use it, but they still honour it. The file contains information about initializing the operating system, and the entries relevant to automatic starting are in the [windows] section. Spyware can employ it in two ways. The first is to execute a program referred to in the file with an entry such as Run=[file name] or Load=[file name]. The second is to associate some suffix, for example doc, with a spyware program, which then runs every time a file with that suffix is opened. The entries in this section fall into two categories: the Load= entry starts programs before the user logs in, whereas the Run= entry starts programs after the user logs in.
System.ini file: This file contains the system's hardware settings. Up to Windows 98, it supported the shell= command in the [boot] section, which specifies the user shell to launch at system boot time. Its default value is Explorer.exe. As you would guess, pointing this parameter at a different program changes what runs as the shell: if a developer substitutes their own file for Explorer.exe in this command, that file will definitely be activated. A substitute shell usually hands control to the real Explorer.exe as soon as it has done its work; otherwise the substitution is discovered quickly. On recent Windows operating systems, such as 2K/XP, the shell command is ignored, though they still support System.ini.
Autoexec.bat: This file is relevant only on operating systems before Windows 98. For backward compatibility, it supports launching programs by simply including a line that refers to the program file. If it is present, it will typically be located in the root folder.
Winstart.bat: This file is normally used to start old DOS programs in the Windows environment. It exists only on Windows 98 and earlier versions. Spyware can include a line with the syntax @[program name] to run an executable. If it is present, it will typically be located in the root folder.
Wininit.ini: This file is created by setup programs when new software is installed and the system must take some action after a reboot to complete the installation. For example, when you install a new hardware driver, the installer might require you to reboot the system. To continue after the reboot, the installer writes an entry in wininit.ini before shutdown; as the system restarts, that entry runs a program during the boot process. In some cases, spyware might employ it. The file is effective on both Windows 95/98/ME and Windows 2K/XP.
Config.sys: This file is relevant only on operating systems before Windows 98; later versions ignore it. It loads low-level DOS-based drivers and is not present on some Windows installations. If it is present, it is usually located in the root folder.
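The files above are the places an analyst checks when reviewing a legacy machine for this kind of autostart. The following audit script is an added example and is not code from the original article: it parses win.ini (the run=/load= entries in [windows] and the suffix associations in the [Extensions] section), checks the shell= entry in system.ini [boot] against the Explorer.exe default, and lists every launch line in autoexec.bat and winstart.bat, including the @[program name] form. The sample file contents, program names and paths are constructed for the example.

```python
"""Audit the legacy Windows autostart files discussed above (win.ini,
system.ini, autoexec.bat, winstart.bat). Added example, not code from the
original article; the sample file contents below are constructed."""
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Default shell Windows 9x wrote into system.ini [boot]; anything else is worth a look.
DEFAULT_SHELL = "explorer.exe"
# Batch commands that do not launch a program on their own.
BATCH_NOISE = {"rem", "echo", "set", "path", "prompt", "cls", "pause", "goto"}


def parse_ini(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Case-insensitive INI parser that keeps duplicate keys, so a second
    run= line cannot hide behind the first one."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, []).append((key.strip().lower(), value.strip()))
    return sections


def audit_win_ini(text: str) -> List[str]:
    """Report non-empty run=/load= in [windows] and every [extensions] association."""
    found: List[str] = []
    ini = parse_ini(text)
    for key, value in ini.get("windows", []):
        if key in ("run", "load") and value:
            found.append(f"win.ini [windows] {key}={value}")
    for key, value in ini.get("extensions", []):
        found.append(f"win.ini [extensions] {key}={value}")
    return found


def audit_system_ini(text: str) -> List[str]:
    """Flag shell= in [boot] unless it is exactly the default shell with no arguments."""
    found: List[str] = []
    for key, value in parse_ini(text).get("boot", []):
        if key != "shell":
            continue
        tokens = value.split()
        if (not tokens or len(tokens) > 1
                or PureWindowsPath(tokens[0]).name.lower() != DEFAULT_SHELL):
            found.append(f"system.ini [boot] shell={value}")
    return found


def audit_batch(text: str, name: str) -> List[str]:
    """List every line of a .bat file that launches something, including @prog lines."""
    found: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        tokens = line.lstrip("@").split()
        if not tokens:
            continue
        command = tokens[0].lower().split("=")[0]  # "PATH=C:\DOS" -> "path"
        if command in BATCH_NOISE:
            continue
        found.append(f"{name}: {line}")
    return found


def audit_all(files: Dict[str, str]) -> List[str]:
    """files maps a lower-case file name to its content (read from the root folder
    or the Windows folder on a real machine)."""
    report: List[str] = []
    for name, text in files.items():
        if name == "win.ini":
            report += audit_win_ini(text)
        elif name == "system.ini":
            report += audit_system_ini(text)
        elif name in ("autoexec.bat", "winstart.bat"):
            report += audit_batch(text, name)
    return report


# Constructed sample files; the program names and paths are made up for the example.
SAMPLE_FILES = {
    "win.ini": "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\UPDATER.EXE\nNullPort=None\n"
               "[Extensions]\ntxt=notepad.exe ^.txt\n",
    "system.ini": "[boot]\nshell=C:\\WINDOWS\\SYSTEM\\LOADER.EXE\n[386Enh]\nebios=*ebios\n",
    "autoexec.bat": "@ECHO OFF\nREM legacy startup\nPATH=C:\\DOS\nC:\\DOS\\SMARTDRV.EXE\n",
    "winstart.bat": "@C:\\TOOLS\\SVCMON.EXE\n",
}

if __name__ == "__main__":
    for entry in audit_all(SAMPLE_FILES):
        print(entry)
```

Every launch line is reported rather than only "known bad" ones, because on these systems the legitimate entries (SMARTDRV, the default shell) are few and easy to recognise, whereas a blocklist would miss anything renamed. A shell= value that names Explorer.exe but carries extra arguments is also flagged, since the default line has none.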