Worms and viruses often use WIN.INI or SYSTEM.INI in the Windows directory to store information, or to get themselves loaded and run at startup.
There are several very fast ways to check the INI files at bootstrap, at shutdown, at logon or periodically.
Two INI files that should not be there
First the easy ones: there are two INI files that Windows setup uses, DELETEFI.INI and WININIT.INI. In normal operation, that is unless something has been installed since the last run, these files should not be there.
This is particularly easy to test for in AUTOEXEC.BAT, a logon script, or a script run periodically or at shutdown. The statements would look something like this.
Code:
rem Setup leftovers: if either file exists, put it on screen for the operator to inspect
if exist c:\windows\wininit.ini edit c:\windows\wininit.ini
if exist c:\windows\deletefi.ini edit c:\windows\deletefi.ini
Note: change c:\windows as appropriate for your system.
This example, which puts the files on the screen, is for a more professional user; for the general user the script should instead jump to a section that alerts the user and, if policy says so, prevents logon or further use.
INI files Viruses often use
Changes to WIN.INI or SYSTEM.INI are suspicious, but not a clear indication of infection if you are using a network, e.g. for networked printers.
On a home system that is not networked there should never be changes, so such a system can treat any change in the INI files as a problem state. This is a particularly easy test: take copies of the INI files to a save directory, then use script statements such as these:
Code:
:check_ini
rem FC writes "*****" marker lines where the files differ; FIND sets errorlevel 0 when it finds them
fc c:\windows\system.ini c:\ininsav\system.ini >compdat
find "***" compdat >nul
if not errorlevel 1 goto problem_state
fc c:\windows\win.ini c:\ininsav\win.ini >compdat
find "***" compdat >nul
if not errorlevel 1 goto problem_state
Note: this clumsy FC/FIND/IF ERRORLEVEL approach is explained in the FAQ on Registry checks. It is much better to use a file compare program that returns an errorlevel directly.
Code:
Fcomp c:\windows\win.ini c:\ininsav\win.ini
if errorlevel 1 goto Problem_state
Systems that change their INI files without viruses
LANs or networked devices generally change the INI files to reflect defaults and last use, so changing printers will alter WIN.INI, but only in some sections.
For these workstations we need a program that can strip those sections out of the INI files before the compare. This is not difficult, as INI file processing is a standard technique in application programming.
There are not many INI file alterations that viruses use at the moment. A short list, thought to be but not necessarily complete, is:
[ul]
[li]WIN.INI, key [WINDOWS], item RUN
[li]WIN.INI, key [WINDOWS], item LOAD
[li]SYSTEM.INI, key [BOOT], item SHELL=EXPLORER.EXE
[/ul]
Detecting changes in these three keys alone will detect an incursion from:
Win.ini
[tt]
BadTrans Bymer Cool Feliz Gokar Haiku
LoveLetter Magistr NPad Plage2000 Ptsnoop SubSeven
Verlor Wallpaper Yaha.E
[/tt]
System.ini
[tt]
Babylonia Bymer Feliz LoveLetter MTX
Magistr MoSucker Mylife Nimda Ptsnoop
SK-TECH SubSeven Toal Y2KCount
[/tt]
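Here is an added example (not from the original FAQ) of the kind of program the section above calls for: instead of comparing whole files it parses both the saved baseline and the current file and compares only the three keys listed, so a printer change in another section of WIN.INI does not raise an alarm. The INI contents, file names and the BAD-EXAMPLE.EXE path are constructed for the example; on a real system you would read the files from the Windows directory and the save directory instead.

```python
"""Compare only the INI keys worms are known to alter against a saved baseline.

Added example, not the FAQ's own code. It assumes baseline copies of WIN.INI
and SYSTEM.INI were saved earlier (the FAQ uses C:\\ININSAV) and that the
caller passes file contents as strings; the sample INI text below is constructed.
"""
import re

# (section, key) pairs the FAQ lists as the ones viruses change.
WATCHED_KEYS = (
    ("windows", "run"),
    ("windows", "load"),
    ("boot", "shell"),
)


def parse_ini(text):
    """Minimal case-insensitive INI parser returning {section: {key: value}}.

    Skips blank and ';' comment lines, lower-cases section and key names and
    lets the last duplicate key win. A hand-rolled parser is used because
    configparser is stricter than real WIN.INI files (for example lines with
    no '=' in some sections), and we only need a few keys anyway.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+?)\]\s*$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def watched_changes(baseline_text, current_text, watched=WATCHED_KEYS):
    """Return (section, key, old, new) for each watched key that differs.

    A key missing on one side is reported with None as that side's value, so
    a Run= line appearing where there was none before is also flagged.
    """
    base = parse_ini(baseline_text)
    cur = parse_ini(current_text)
    changes = []
    for section, key in watched:
        old = base.get(section, {}).get(key)
        new = cur.get(section, {}).get(key)
        if old != new:
            changes.append((section, key, old, new))
    return changes


def problem_state(baseline_text, current_text):
    """Mirror the batch script's convention: 1 means problem state, 0 means clean."""
    return 1 if watched_changes(baseline_text, current_text) else 0


# Constructed samples. The WIN.INI pair only differs in the printer line, which
# a LAN changes legitimately; the SYSTEM.INI pair has an extra program appended
# to Shell=, which is the pattern the FAQ's list describes.
BASELINE_WIN_INI = """[windows]
load=
run=
device=HP LaserJet,HPPCL5MS,LPT1:
"""
CURRENT_WIN_INI = """[windows]
load=
run=
device=Epson Stylus,EPSON,LPT2:
"""
BASELINE_SYSTEM_INI = """[boot]
shell=Explorer.exe
[386Enh]
device=vmm32.vxd
"""
CURRENT_SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\BAD-EXAMPLE.EXE
[386Enh]
device=vmm32.vxd
"""

if __name__ == "__main__":
    for name, base, cur in (("win.ini", BASELINE_WIN_INI, CURRENT_WIN_INI),
                            ("system.ini", BASELINE_SYSTEM_INI, CURRENT_SYSTEM_INI)):
        for section, key, old, new in watched_changes(base, cur):
            print(f"{name}: [{section}] {key}: {old!r} -> {new!r}")
    # Exit code can drive "if errorlevel 1 goto problem_state" in the batch script.
    raise SystemExit(problem_state(BASELINE_SYSTEM_INI, CURRENT_SYSTEM_INI))
```

Run on the samples it reports only the Shell= change and exits with errorlevel 1, so the batch scripts earlier in this FAQ can call it in place of FC without tripping on printer changes.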
Actually there is another I should add as of late August, 2002, but even this list is sufficient considering how fast and easy it is to scan the INI files on boot, logon, shutdown or periodically.