In general, spyware installs itself into a fixed location of its own choosing, whereas ordinary software normally lets the user choose or create its own folder or sub-folder. The first reason is that most spyware is installed without the user's consent, so it never offers the user a chance to choose where it is stored...
By Chris Gudy
config.sys: It is used to load drivers when the computer boots.
autoexec.bat: It is used to run .exe, .com and .bat files after config.sys has been processed.

When the first Windows operating system appeared, it brought a new startup mechanism: the .ini file. Next came the registry, which has grown more and more powerful. Naturally, the registry is the home of all persistent information written by either system programs or user programs; startup information is only one part of it. Because Microsoft wants every one of its operating systems to stay compatible with previous versions, this commercial requirement forces each new operating system to inherit the legacy startup mechanisms. This is also an important reason why today's operating systems offer more and more ways to start a program automatically: some were developed to support new features of a new operating system, and some exist only to keep older software working.
Win.ini file: This is the system file used to start programs under the older Windows 3.x systems, and it has been kept for compatibility with them. Windows 2K/XP no longer use it themselves, but they still honour it. The file contains settings for initializing the operating system; the automatic-start entries are in the [windows] section. Spyware can employ it in two ways. The first is to execute a program named in the Run= or Load= value, for example Run=[file name] or Load=[file name]. The second is to associate a file suffix, for example doc, with the spyware, which then runs every time a file with that suffix is opened. Load= entries are started minimized, as icons, whereas Run= entries are started as normal windows. Because this is a legacy file from 16-bit Windows, the file names assigned to Run= and Load= have several limitations. Both values are empty by default. A file name must contain no blanks, and enclosing a long file name in quotes is not permitted; several file names can be listed, separated by commas. These values are usually used to load drivers and small helper programs, but spyware employs them occasionally. As discussed earlier, on Windows NT and later the content of this file is mapped into the registry sub-key Software\Microsoft\Windows NT\CurrentVersion\Windows.
System.ini file: This file contains settings for the system's hardware. Up to Windows 98 it supported the shell= command in the [boot] section, which specifies the user shell to launch at boot; the default value is Explorer.exe. As you might guess, pointing this value at another program compromises the machine: if spyware substitutes its own file for Explorer.exe in the shell= command, that file is guaranteed to run at every boot. The replacement usually does its work and then hands control to the real Explorer.exe as quickly as possible; otherwise the missing desktop gives the trick away immediately. On newer Windows operating systems such as 2K/XP the shell= command in System.ini is ignored, although the file itself is still supported; there the shell is named by the Shell value under the registry sub-key Software\Microsoft\Windows NT\CurrentVersion\Winlogon instead.
Autoexec.bat: This file is processed on Windows 98 and earlier; Windows ME and NT-based systems such as 2K/XP do not run programs from it. For backward compatibility it launches a program simply by including a line that names the program file. If present, it is located in the root folder of the boot drive.
Winstart.bat: This file is normally used to start old DOS programs (resident utilities) for use in the Windows environment, and it exists only on Windows 98 and earlier. Spyware can add a line of the form @[program name] to run an executable; the leading @ merely suppresses echo of the command. If present, it is located in the Windows folder.
Wininit.ini: This file is created by setup programs when new software is installed and the system must complete some action after a reboot, typically replacing a file that is still in use. For example, when you install a new hardware driver, the installer may require a reboot; to finish the job it writes entries into Wininit.ini before shutting down, and during the next boot the [rename] section (destination=source lines, with NUL as the destination to delete a file) is processed before the graphical shell loads. Spyware sometimes employs it to plant or overwrite a file that is launched later in the boot sequence. The file lives in the Windows folder and is used by Windows 95/98/ME; Windows 2K/XP do not process it, and perform the same deferred renames through the PendingFileRenameOperations registry value instead.
Config.sys: This file is processed on Windows 98 and earlier; Windows ME and NT-based systems ignore it. It loads low-level DOS-based drivers through DEVICE= and DEVICEHIGH= lines and can run programs through INSTALL= and SHELL=, and it is not present on every installation. If present, it is located in the root folder of the boot drive.

Undoubtedly, autostart files as a method of starting automatically will become less and less useful to future spyware. No new autostart files are being added to new versions of Windows, and Microsoft is trying to remove the existing ones from new systems. Even those that survive are less attractive than before, because they are no longer as obscure as they once were. Nevertheless, today's spyware still exploits autostart files occasionally.
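As an added example (not code from the original article), the Python script below parses constructed copies of the six autostart files described above and lists every entry that would launch code: Load=/Run= programs and suffix handlers in the [Extensions] section of Win.ini, a shell= value in System.ini that is anything other than the bare default Explorer.exe, commands in Autoexec.bat and Winstart.bat, deferred renames of executables in Wininit.ini, and DEVICE=/INSTALL=/SHELL= lines in Config.sys. The sample file contents, the file names such as svhost.exe and keylog.exe, and the path layout are all constructed for illustration and do not come from a real machine.

```python
"""Audit the legacy Windows autostart files for entries that launch code.
Added example with constructed file contents; nothing here is a capture
from a real machine."""
import ntpath

# Constructed stand-ins for the files a Windows 9x machine would hold in
# C:\WINDOWS (win.ini, system.ini, winstart.bat, wininit.ini) and in the
# root of the boot drive (autoexec.bat, config.sys). All names are made up.
SAMPLE_FILES = {
    "win.ini": (
        "[windows]\n"
        "load=\n"
        "run=C:\\WINDOWS\\svhost.exe,c:\\tmp\\upd.com\n"
        "[Extensions]\n"
        "doc=C:\\WINDOWS\\viewer.exe ^.doc\n"
    ),
    "system.ini": "[boot]\nshell=Explorer.exe C:\\WINDOWS\\sys32.exe\n",
    "autoexec.bat": "@ECHO OFF\nSET PATH=C:\\DOS\nPROMPT $p$g\nC:\\DOS\\MOUSE.COM\nrem done\n",
    "winstart.bat": "@C:\\TOOLS\\keylog.exe\n",
    "wininit.ini": "[rename]\nNUL=C:\\WINDOWS\\old.tmp\n"
                   "C:\\WINDOWS\\explorer.exe=C:\\WINDOWS\\TEMP\\upd.tmp\n",
    "config.sys": "DEVICE=C:\\WINDOWS\\HIMEM.SYS\nDOS=HIGH\n"
                  "INSTALL=C:\\TOOLS\\tsr.exe\nshell=C:\\COMMAND.COM /P\n",
}

EXEC_EXT = {".exe", ".com", ".bat", ".pif", ".scr", ".dll", ".sys", ".vxd", ".drv", ".386"}
# Batch directives that configure the environment rather than start a program.
BATCH_NOISE = {"rem", "echo", "set", "path", "prompt", "cls", "ver", "mode", "keyb", "goto", "if"}
# Config.sys directives that load a driver or run a program during real-mode boot.
CONFIG_SYS_LOADERS = {"device", "devicehigh", "install", "installhigh", "shell"}


def parse_ini(text):
    """Minimal .ini parser: {section: {key: value}} with lower-cased section
    and key names. The first occurrence of a key wins, so a duplicate that
    an attacker appends below a legitimate entry is not the one reported."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip().lower(), value.strip())
    return sections


def batch_launches(text):
    """Return the commands in a .bat file that start a program, skipping
    comments and environment setup. A leading @ only suppresses echo."""
    launches = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("@").strip()
        if not line or line.startswith("::"):
            continue
        first = line.split()[0].split("=")[0].lower()
        if first not in BATCH_NOISE:
            launches.append(line)
    return launches


def audit_autostart_files(files):
    """Return human-readable findings for a {file name: content} mapping."""
    findings = []
    report = lambda name, msg: findings.append(f"{name}: {msg}")
    ini = {n: parse_ini(t) for n, t in files.items() if n.lower().endswith(".ini")}

    # Win.ini: comma-separated Load=/Run= programs and suffix handlers.
    win = ini.get("win.ini", {})
    for key in ("load", "run"):
        for item in win.get("windows", {}).get(key, "").split(","):
            if item.strip():
                report("win.ini", f"[windows] {key}= starts {item.strip()}")
    for ext, handler in win.get("extensions", {}).items():
        report("win.ini", f"[Extensions] .{ext} is opened with {(handler.split() or [handler])[0]}")

    # System.ini: anything but the bare default shell deserves a look,
    # including a payload appended after Explorer.exe on the same line.
    shell = ini.get("system.ini", {}).get("boot", {}).get("shell", "Explorer.exe")
    if [t.lower() for t in shell.split()] != ["explorer.exe"]:
        report("system.ini", f"[boot] shell= is not the bare default: {shell!r}")

    # Autoexec.bat and Winstart.bat: every command that is not environment setup.
    for name in ("autoexec.bat", "winstart.bat"):
        for cmd in batch_launches(files.get(name, "")):
            report(name, f"runs {cmd}")

    # Wininit.ini [rename]: destination=source; NUL as destination deletes.
    for dest, src in ini.get("wininit.ini", {}).get("rename", {}).items():
        if dest == "nul":
            report("wininit.ini", f"deletes {src} at next boot")
        elif ntpath.splitext(dest)[1] in EXEC_EXT:
            report("wininit.ini", f"replaces executable {dest} with {src} at next boot")

    # Config.sys: drivers and programs loaded before Windows itself starts.
    for raw in files.get("config.sys", "").splitlines():
        directive, _, target = raw.strip().partition("=")
        if directive.strip().lower() in CONFIG_SYS_LOADERS:
            report("config.sys", f"{directive.strip().upper()}= loads {target.strip()}")
    return findings


if __name__ == "__main__":
    for finding in audit_autostart_files(SAMPLE_FILES):
        print(finding)
```

On a real system the mapping passed to audit_autostart_files would be filled by reading the files from the Windows folder and the root of the boot drive; the script deliberately reports every launching entry, legitimate or not, so that the reviewer, not a deny-list, decides which ones belong.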