Security, hacker detection & forensics FAQ

Securing Desktops

Securing Desktops from INI file changes from Viruses or Worms by jnicks
Posted: 23 Aug 02



Worms and viruses often use Win.INI or System.INI in the Windows directory for storing information, or to trigger their own loading and execution.

There are several very fast ways to check INI files on bootstrap, on shutdown, at logon or periodically.


Two INI files that should not be there

First the easy ones: there are two INI files that are used by Windows setup, DELETFI.INI and WININIT.INI.  In normal operation, that is unless something has been installed since the last run, these files should not be there.

This is particularly easy to test for in AutoExec.bat, a logon script, or a script run periodically or at shutdown.  The statements would look something like this.


  if exist c:\windows\wininit.ini  edit c:\windows\wininit.ini
  if exist c:\windows\deletefi.ini edit c:\windows\deletefi.ini


Note: change c:\windows as appropriate for your system.

This example, which simply puts the files on the screen, is for a more professional user; for the general user the script should instead jump to a section that alerts the user and, if the policy says to, prevents logon or further use.


INI files Viruses often use


Changes to WIN.INI or SYSTEM.INI are suspicious, but not a clear indication of infection if you are using a network, e.g. for networked printers.

On a home system that is not networked there should never be changes, so such a system can treat any change in the INI files as a problem state.  This is a particularly easy test: take copies of the INI files into a save directory, then use the script statements:


:check_system_ini
rem FC writes "*****" marker lines only when the files differ; FIND then
rem returns errorlevel 0 (found), so "not errorlevel 1" means a change was seen.
rem Batch labels cannot contain spaces, hence problem_state rather than "problem state".
fc c:\windows\system.ini  c:\ininsav\system.ini >compdat
  find "***" compdat
  if not errorlevel 1 goto problem_state

fc c:\windows\win.ini  c:\ininsav\win.ini >compdat
  find "***" compdat
  if not errorlevel 1 goto problem_state


Note: This clumsy FC/Find/If Errorlevel approach is explained in the FAQ on Registry checks.  It is much better to use a better file compare program that returns an Errorlevel directly.


 Fcomp c:\windows\win.ini  c:\ininsav\win.ini
 if errorlevel 1 goto Problem_state



Systems that change their INI files without viruses


LANs or networked devices generally change the INI files to reflect defaults and last use, so changing printers will alter WIN.INI, but only in some regions.

For these workstations we need a program that can exclude those sections of the INI files before the compare.  This is not difficult, as INI file processing is a standard technique in application programming.

There are not many INI file alterations that Viruses use at the moment.  A short list, thought to be but not necessarily complete is:
  • WIN.INI, key [WINDOWS], item  RUN
  • WIN.INI, key [WINDOWS], item  LOAD
  • SYSTEM.INI, key [BOOT], item  SHELL=EXPLORER.EXE
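The following is an added example, not part of the original FAQ: a small Python script that parses the saved copy and the live INI file, compares only the three entries listed above, and ignores everything else (so a printer change in [windows] device= does not raise an alarm). The file paths, the script name ini_check.py, and the sample INI contents are assumptions; the run= path in the sample is a placeholder, not a real indicator.

```python
import sys
WATCHED = {  # the three entries listed above, as (section, key); Windows compares the names case-insensitively
    "win.ini": [("windows", "run"), ("windows", "load")],
    "system.ini": [("boot", "shell")],
}

def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, names case-folded, blank and ';' comment lines skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def watched_values(name, text):
    """Only the watched entries of one file; an absent entry counts as the empty string."""
    ini = parse_ini(text)
    return {(s, k): ini.get(s, {}).get(k, "") for s, k in WATCHED[name]}

def compare_ini(name, saved_text, live_text):
    """Return [(section, key, saved, live)] for watched entries that differ; [] means clean."""
    old, new = watched_values(name, saved_text), watched_values(name, live_text)
    return [(s, k, old[(s, k)], new[(s, k)]) for s, k in WATCHED[name] if old[(s, k)] != new[(s, k)]]

# Constructed sample: saved copy vs. the live file after a legitimate printer change plus a run= entry (placeholder path).
SAVED_WIN_INI = r"""[windows]
load=
run=
device=HP LaserJet 4,HPPCL5MS,LPT1:
"""
LIVE_WIN_INI = r"""[windows]
load=
run=c:\windows\PLACEHOLDER.exe
device=Network Printer,HPPCL5MS,\\server\prn1
"""

if __name__ == "__main__":  # ini_check.py win.ini <saved copy> <live file>; no arguments runs the sample
    if len(sys.argv) == 4:
        with open(sys.argv[2]) as saved, open(sys.argv[3]) as live:
            diffs = compare_ini(sys.argv[1], saved.read(), live.read())
    else:
        diffs = compare_ini("win.ini", SAVED_WIN_INI, LIVE_WIN_INI)
    print(diffs or "no watched changes")
    sys.exit(1 if diffs else 0)  # exit status 1 is the script's "problem state"
```

Run it from the logon or shutdown script in place of the FC/FIND pair and branch on the exit status as with the Fcomp example, e.g. `if errorlevel 1 goto problem_state`.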


Detecting changes in these three keys alone will detect an incursion from:

Win.ini

  BadTrans    Bymer      Cool       Feliz      Gokar    Haiku
  LoveLetter  Magistr    NPad       Plage2000  Ptsnoop  SubSeven
  Verlor      Wallpaper  Yaha.E


System.ini

  Babylonia     Bymer      Feliz    LoveLetter    MTX
  Magistr       MoSucker   Mylife   Nimda         Ptsnoop
  SK-TECH       SubSeven   Toal     Y2KCount



Actually there is another I should add as of late August, 2002, but even this list is sufficient considering how fast and easy it is to scan the INI files on boot, logon, shutdown or periodically.
