
Securing Desktops from INI file changes from Viruses or Worms


by  jnicks  Posted    (Edited  )


Worms and viruses often use WIN.INI or SYSTEM.INI in the Windows directory to store information, or to get themselves loaded and run at startup.

There are several very fast ways to check the INI files at boot, at shutdown, at logon, or periodically.


Two INI files that should not be there

First the easy ones: two INI files are used by Windows setup, DELETFI.INI and WININIT.INI. In general operation, that is unless something has been installed since the last run, these files should not be there.

This is particularly easy to test for in AutoExec.bat, a logon script, or a script run periodically or at shutdown. The statements would look something like this:

Code:
  if exist c:\windows\wininit.ini  edit c:\windows\wininit.ini
  if exist c:\windows\deletefi.ini edit c:\windows\deletefi.ini

Note: change c:\windows as appropriate for your system.

This example, which puts the files on the screen, is for the more professional user. For the general user the script should go to a section that alerts the user and, if policy says so, prevents logon or further use.


INI files Viruses often use


Changes to WIN.INI or SYSTEM.INI are suspicious, but not a clear indication of infection if you are using a network, e.g. for networked printers.

On a home system that is not networked there should never be changes. Such a system can treat any change in the INI files as a problem state. This is a particularly easy test if one just takes copies of the INI files to a save directory; then one can use the script statements:

Code:
  :check_ini
  rem FC writes a line of asterisks for each differing block; FIND returns
  rem errorlevel 0 when it finds one, so "not errorlevel 1" means the file changed.
  fc c:\windows\system.ini  c:\ininsav\system.ini >compdat
  find "***" compdat
  if not errorlevel 1 goto problem_state

  fc c:\windows\win.ini  c:\ininsav\win.ini >compdat
  find "***" compdat
  if not errorlevel 1 goto problem_state

Note: This clumsy FC/FIND/IF ERRORLEVEL approach is explained in the FAQ on Registry checks. It is much better to use a file compare program that returns an errorlevel directly.

Code:
 Fcomp c:\windows\win.ini  c:\ininsav\win.ini
 if errorlevel 1 goto Problem_state


Systems that change their INI files without viruses


LANs or networked devices generally change the INI files to reflect defaults and last use, so changing printers will alter WIN.INI, but only in some sections.

For these workstations we need a program that can strip segments of the INI files before the compare. This is not difficult, as INI file processing is a standard technique in application programming.

There are not many INI file alterations that viruses use at the moment. A short list, thought to be but not necessarily complete, is:

  - WIN.INI, key [WINDOWS], item RUN
  - WIN.INI, key [WINDOWS], item LOAD
  - SYSTEM.INI, key [BOOT], item SHELL=EXPLORER.EXE
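The segment-aware compare called for above, as an added example that is not part of the original FAQ: rather than cutting the volatile sections out of the files before running FC, it parses each file and compares only the three keys just listed against the saved copy, so a changed printer entry is ignored while a changed RUN, LOAD or SHELL line is reported. The INI contents and the hidden.exe name are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Keys the FAQ says worms alter (file -> section -> keys); all else is ignored.
WATCHED = {
    "win.ini": {"windows": ("run", "load")},
    "system.ini": {"boot": ("shell",)},
}

def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal case-insensitive INI parser: section -> key -> value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:  # keep only key=value lines
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections

def watched_values(name: str, text: str) -> Dict[Tuple[str, str], str]:
    """Pull out just the watched keys; a missing key counts as an empty value."""
    ini = parse_ini(text)
    return {(sec, key): ini.get(sec, {}).get(key, "")
            for sec, keys in WATCHED[name].items() for key in keys}

def compare(name: str, saved: str, current: str) -> List[Tuple[str, str, str, str]]:
    """Return (section, key, saved value, current value) for each changed key."""
    before, after = watched_values(name, saved), watched_values(name, current)
    return [(sec, key, before[(sec, key)], after[(sec, key)])
            for sec, key in before if before[(sec, key)] != after[(sec, key)]]

# Constructed samples, not real captures: the printer default changed (the
# benign LAN case) and run= gained a program (suspicious); hidden.exe is made up.
SAVED_WIN_INI = "[windows]\nload=\nrun=\n[Devices]\nLaserJet=HPPCL5MS,LPT1:\n"
CURRENT_WIN_INI = ("[windows]\nload=\nrun=c:\\windows\\hidden.exe\n"
                   "[Devices]\nLaserJet=HPPCL5MS,\\\\server\\printer\n")
SAVED_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\ndevice=vmm32.vxd\n"
CURRENT_SYSTEM_INI = SAVED_SYSTEM_INI  # unchanged, so it must compare clean

if __name__ == "__main__":
    for name, old, new in (("win.ini", SAVED_WIN_INI, CURRENT_WIN_INI),
                           ("system.ini", SAVED_SYSTEM_INI, CURRENT_SYSTEM_INI)):
        for sec, key, was, now in compare(name, old, new):
            print(f"PROBLEM {name} [{sec}] {key}: {was!r} -> {now!r}")
```

Running it reports only the changed RUN line of WIN.INI; the printer change and the unchanged SYSTEM.INI produce nothing, which is the behaviour a logon script on a networked workstation needs.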

Detecting changes in these three keys alone will detect an incursion from:

Win.ini
BadTrans Bymer Cool Feliz Gokar Haiku
LoveLetter Magistr NPad Plage2000 Ptsnoop SubSeven
Verlor Wallpaper Yaha.E

System.ini
Babylonia Bymer Feliz LoveLetter MTX
Magistr MoSucker Mylife Nimda Ptsnoop
SK-TECH SubSeven Toal Y2KCount


Actually there is another I should add as of late August 2002, but even this list is sufficient, considering how fast and easy it is to scan the INI files at boot, logon, shutdown or periodically.