{"id":1266,"date":"2012-09-16T13:13:39","date_gmt":"2012-09-16T13:13:39","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1266"},"modified":"2014-09-20T22:22:53","modified_gmt":"2014-09-20T22:22:53","slug":"beyond-good-ol-run-key-part-2","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/09\/16\/beyond-good-ol-run-key-part-2\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 2"},"content":{"rendered":"<p>In my previous <a title=\"Beyond good ol\u2019 Run key\" href=\"https:\/\/www.hexacorn.com\/blog\/2012\/07\/23\/beyond-good-ol-run-key\/\">post<\/a> I described various less-known autorun mechanisms that can be utilized by malware. This post follows up on some of the ideas I described there and lists another batch of applications providing features that could potentially be used by malware authors. This is not to scaremonger users of these applications &#8211; the features described here are actually very useful and needed, and certainly developed in the best interest of the users. 
Still, they are potential avenues for a hidden autostart, so with &#8216;better the evil known than unknown&#8217; in mind, here it goes:<\/p>\n<p><strong>WinRAR archiver<\/strong><\/p>\n<p>Allows the user to define an external viewer:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winrar1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1270\" title=\"winrar1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winrar1-300x251.png\" alt=\"\" width=\"300\" height=\"251\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winrar1-300x251.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winrar1.png 490w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The value is stored under the following registry location:<\/p>\n<ul>\n<li>HKEY_CURRENT_USER\\Software\\WinRAR\\Viewer\\ExternalViewer<\/li>\n<\/ul>\n<p>The other user-defined value worth remembering is the AV scanner integration:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winrar4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1271\" title=\"winrar4\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winrar4-300x228.png\" alt=\"\" width=\"300\" height=\"228\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winrar4-300x228.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winrar4.png 309w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>It is stored in the registry under the following path:<\/p>\n<ul>\n<li>HKEY_CURRENT_USER\\Software\\WinRAR\\VirusScan\\Name<\/li>\n<\/ul>\n<p><strong>WinZip Archiver<\/strong><\/p>\n<p>WinZip allows for creating self-extracting archives; the task can be accomplished with the help of an externally defined application:<\/p>\n<p><a 
href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winzip1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1272\" title=\"winzip1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winzip1-300x229.png\" alt=\"\" width=\"300\" height=\"229\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winzip1-300x229.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winzip1.png 626w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The value is stored under:<\/p>\n<ul>\n<li>HKEY_CURRENT_USER\\Software\\Nico Mak Computing\\WinZip\\programs\\zip2exe<\/li>\n<\/ul>\n<p>Other interesting values:<\/p>\n<ul>\n<li>HKEY_CURRENT_USER\\Software\\Nico Mak Computing\\WinZip\\programs\\viewer<\/li>\n<li>HKEY_CURRENT_USER\\Software\\Nico Mak Computing\\WinZip\\programs\\vviewer<\/li>\n<\/ul>\n<p>WinZip in version 10 and earlier allowed for an antivirus scan the same way as WinRAR. This feature has been removed from newer versions, as explained in this <a href=\"http:\/\/kb.winzip.com\/kb\/?View=entry&amp;EntryID=44\">article<\/a>. 
Users of the old WinZip 10 could define paths to various external programs, including an antivirus scanner, an executable for creating self-extracting .exes, a viewer, as well as three external applications to handle the old 16-bit archivers ARJ, LHA and ARC.<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winzip10_2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1288\" title=\"winzip10_2\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winzip10_2-300x223.png\" alt=\"\" width=\"300\" height=\"223\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winzip10_2-300x223.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winzip10_2.png 575w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The user-defined values can be found in the Registry:<\/p>\n<ul>\n<li>HKEY_CURRENT_USER\\Software\\Nico Mak Computing\\WinZip\\programs\\arc<\/li>\n<li>HKEY_CURRENT_USER\\Software\\Nico Mak Computing\\WinZip\\programs\\arj<\/li>\n<li>HKEY_CURRENT_USER\\Software\\Nico Mak Computing\\WinZip\\programs\\lha<\/li>\n<li>HKEY_CURRENT_USER\\Software\\Nico Mak Computing\\WinZip\\programs\\scan<\/li>\n<li>HKEY_CURRENT_USER\\Software\\Nico Mak Computing\\WinZip\\programs\\viewer<\/li>\n<li>HKEY_CURRENT_USER\\Software\\Nico Mak Computing\\WinZip\\programs\\zip2exe<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winzip10_4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1289\" title=\"winzip10_4\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winzip10_4-300x123.png\" alt=\"\" width=\"300\" height=\"123\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winzip10_4-300x123.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/winzip10_4.png 757w\" sizes=\"(max-width: 300px) 100vw, 300px\" 
\/><\/a><\/p>\n<p><strong>Internet Download Manager<\/strong><\/p>\n<p>Downloading files from the internet is certainly not a safe operation, and IDM allows the user to define which application will be executed to act as an external AV scanner upon a file download:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/idm1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1273\" title=\"idm1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/idm1-243x300.png\" alt=\"\" width=\"243\" height=\"300\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/idm1-243x300.png 243w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/idm1.png 436w\" sizes=\"(max-width: 243px) 100vw, 243px\" \/><\/a><\/p>\n<p>The actual value is stored here:<\/p>\n<ul>\n<li>HKEY_CURRENT_USER\\Software\\DownloadManager\\VScannerProgram<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/idm2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1274\" title=\"idm2\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/idm2-300x126.png\" alt=\"\" width=\"300\" height=\"126\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/idm2-300x126.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/idm2.png 768w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong>Download Accelerator Plus (DAP)<\/strong><\/p>\n<p>The very same functionality is present in DAP:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/dap1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1282\" title=\"dap1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/dap1-300x242.png\" alt=\"\" width=\"300\" height=\"242\" 
srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/dap1-300x242.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/dap1.png 590w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>and the value is stored here:<\/p>\n<ul>\n<li>HKEY_CURRENT_USER\\Software\\SpeedBit\\Download Accelerator\\AntiVirusEXE<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/dap2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1283\" title=\"dap2\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/dap2-300x115.png\" alt=\"\" width=\"300\" height=\"115\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/dap2-300x115.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/dap2.png 674w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong>Orbit Downloader<\/strong><\/p>\n<p>Another popular downloader also offers the antivirus scan functionality:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/orbit1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1284\" title=\"orbit1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/orbit1-300x279.png\" alt=\"\" width=\"300\" height=\"279\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/orbit1-300x279.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/orbit1.png 539w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>This time the user-defined value is stored not in the Registry but in a configuration file:<\/p>\n<ul>\n<li>%USERPROFILE%\\Application Data\\Orbit\\conf.dat<\/li>\n<\/ul>\n<p style=\"padding-left: 60px;\">e.g.<\/p>\n<p style=\"padding-left: 60px;\">c:\\Documents and Settings\\user\\Application Data\\Orbit\\conf.dat<\/p>\n<p><a 
href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/orbit2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1285\" title=\"orbit2\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/orbit2-300x122.png\" alt=\"\" width=\"300\" height=\"122\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/orbit2-300x122.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/orbit2.png 757w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong>Windows Live Messenger<\/strong><\/p>\n<p>Instant messenger applications also allow for defining applications that will be executed upon arrival of a file from other IM users. Such a setting is present in WLM as well:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/WLM1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1275\" title=\"WLM1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/WLM1-259x300.png\" alt=\"\" width=\"259\" height=\"300\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/WLM1-259x300.png 259w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/WLM1.png 529w\" sizes=\"(max-width: 259px) 100vw, 259px\" \/><\/a><\/p>\n<p>The actual value is stored under the MSNMessenger branch:<\/p>\n<ul>\n<li>HKEY_CURRENT_USER\\Software\\Microsoft\\MSNMessenger\\AntiVirus<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/WLM2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1276\" title=\"WLM2\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/WLM2-300x56.png\" alt=\"\" width=\"300\" height=\"56\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/WLM2-300x56.png 300w, 
https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/WLM2.png 937w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The value is stored as binary data, and in this case the data is just a UnicodeZ (null-terminated Unicode) string:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/WLM3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1277\" title=\"WLM3\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/WLM3-300x263.png\" alt=\"\" width=\"300\" height=\"263\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/WLM3-300x263.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/WLM3.png 365w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p><strong>Miranda<\/strong><\/p>\n<p>Another popular IM that offers an antivirus scan is Miranda:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/miranda1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1278\" title=\"miranda1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/miranda1-300x242.png\" alt=\"\" width=\"300\" height=\"242\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/miranda1-300x242.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/miranda1.png 648w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The value is stored in a file in the following location:<\/p>\n<ul>\n<li>%USERPROFILE%\\Application Data\\Miranda\\PROFILEFOLDER\\PROFILEFILENAME.dat<\/li>\n<\/ul>\n<p style=\"padding-left: 60px;\">e.g.<\/p>\n<p style=\"padding-left: 60px;\">c:\\Documents and Settings\\user\\Application Data\\Miranda\\foo\\foo.dat<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/miranda2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1279\" title=\"miranda2\" 
src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/miranda2-300x54.png\" alt=\"\" width=\"300\" height=\"54\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/miranda2-300x54.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/09\/miranda2.png 650w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>It took around 2 hours to download all these applications, test them and write this blog entry. Not thorough or very advanced research, as you can see, but this is what it takes to find new stuff. If you have some spare time and like (or want to learn how) to write a new RegRipper plugin, perhaps now it&#8217;s a good time to give it a go \ud83d\ude42 Thanks for reading!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my previous post I described various less-known autorun mechanisms that can be utilized by malware. This post follows up on some of the ideas I described there and lists another batch of applications providing features that could potentially be &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/09\/16\/beyond-good-ol-run-key-part-2\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35,15,19,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1266"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1266"}],"version-history":[{"count":10,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1266\/revisions"}],"predecessor-version":[{"id":2284,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1266\/revisions\/2284"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1266"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1266"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1266"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}