Can Malware Automatically Startup in Safe Mode?

  #1  
Old 01-12-2008
Larry(LJL269)
 
Posts: n/a
Can Malware Automatically Startup in Safe Mode?

If so, how difficult would it be to accomplish?

Your help is MUCH appreciated. Thanks- bye- Larry

----------------------------------------------------------------------

A working unsecure OS is infinitely better than non-working secure OS.
Just spent 1 week cleaning up the mess WUpdate made preventing
hypothetical security problems. http://microscum.com/comsense/
  #2  
Old 01-12-2008
David H. Lipman
 
Posts: n/a
Re: Can Malware Automatically Startup in Safe Mode?

From: "Larry(LJL269)" <NO@EMAIL.COM>

| If so, how difficult would it be to accomplish?

| Your help is MUCH appreciated. Thanks- bye- Larry

Yes, it's easy. Just inject a DLL in a process that loads in both Normal and Safe Modes.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


  #3  
Old 01-12-2008
Stefan Kanthak
 
Posts: n/a
Re: Can Malware Automatically Startup in Safe Mode?

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

> From: "Larry(LJL269)" <NO@EMAIL.COM>
>
> | If so, how difficult would it be to accomplish?
>
> | Your help is MUCH appreciated. Thanks- bye- Larry
>
> Yes, it's easy. Just inject a DLL in a process that loads in both Normal and Safe Modes.


Which process but injects this DLL? And who starts the injector
process?
Back to square one!

Malware has to install a driver/service and create the necessary
registry entries beyond

[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\<driver/service>]

to start automatically in safe mode, for example.

Stefan

  #4  
Old 01-12-2008
FromTheRafters
 
Posts: n/a
Re: Can Malware Automatically Startup in Safe Mode?

Safe Mode only reduces the number of programs run at startup to
those needed by the OS and GUI.

"Larry(LJL269)" <NO@EMAIL.COM> wrote in message
news:en67j4lk0nr7qcb5044fpqjnpiph1cpo0i@4ax.com...
> If so, how difficult would it be to accomplish?
>
> Your help is MUCH appreciated. Thanks- bye- Larry
>
> ----------------------------------------------------------------------
>
> A working unsecure OS is infinitely better than non-working secure OS.
> Just spent 1 week cleaning up the mess WUpdate made preventing
> hypothetical security problems. http://microscum.com/comsense/



  #5  
Old 01-12-2008
David H. Lipman
 
Posts: n/a
Re: Can Malware Automatically Startup in Safe Mode?

From: "Stefan Kanthak" <postmaster@[127.0.0.1]>


| Which process but injects this DLL? And who starts the injector
| process?
| Back to square one!

A trojan dropper or trojan downloader may inject the process

| Malware has to install a driver/service and create the necessary
| registry entries beyond

| [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\<driver/service>]

| to start automatically in safe mode, for example.

| Stefan


One of *many* places to inject a DLL is...
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Two others using EXE files are under...
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit
C:\WINDOWS\system32\userinit.exe, malware_name.exe

Shell
Explorer.exe malware_name.exe


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
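
Added example, not part of the thread: a defender-side check of the start-up points named above (Winlogon `Userinit`, `Shell`, `Notify` and `SafeBoot\Minimal`), run over saved `reg query` text. The sample output, the key names `examplepkg`, `knownsvc` and `examplesvc`, and the baseline sets are constructed placeholders; a real baseline would come from a known-good machine of the same build.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"  # assumes SystemRoot is C:\WINDOWS
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

# Constructed `reg query <key> /s` output; the example*/knownsvc names are placeholders.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe, malware_name.exe
    Shell    REG_SZ    Explorer.exe malware_name.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplepkg
    DLLName    REG_SZ    example.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\knownsvc
    (Default)    REG_SZ    Service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\examplesvc
    (Default)    REG_SZ    Service
"""

def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from `reg query` text output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1)] = m.group(3).strip()
    return keys

def audit(keys, safeboot_baseline, notify_baseline):
    """Flag Winlogon values and subkeys that differ from defaults or a baseline."""
    findings = []
    winlogon = keys.get(WINLOGON, {})
    for entry in map(str.strip, winlogon.get("Userinit", "").split(",")):
        if entry and entry.lower() != USERINIT_DEFAULT:
            findings.append(("Userinit", entry))
    if winlogon.get("Shell", "explorer.exe").strip().lower() != "explorer.exe":
        findings.append(("Shell", winlogon["Shell"]))
    checks = ((WINLOGON + "\\Notify\\", "Notify", notify_baseline),
              (SAFEBOOT + "\\", "SafeBoot\\Minimal", safeboot_baseline))
    for prefix, label, baseline in checks:
        for path in keys:
            name = path[len(prefix):]
            if path.startswith(prefix) and name.lower() not in baseline:
                findings.append((label, name))
    return findings
```

Calling `audit(parse_reg_query(SAMPLE), {"knownsvc"}, set())` returns one finding per deviation; baseline names are compared in lower case.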


  #6  
Old 02-12-2008
Stefan Kanthak
 
Posts: n/a
Re: Can Malware Automatically Startup in Safe Mode?

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

> From: "Stefan Kanthak" <postmaster@[127.0.0.1]>
>
>
> | Which process but injects this DLL? And who starts the injector
> | process?
> | Back to square one!
>
> A trojan dropper or trojan downloader may inject the process


Yes. But this dropper/downloader needs to run then already, therefore
it has to be started somehow.
The OP's question was: is this possible in safe mode too?

DLL injection does NOT start any malware in the first place,
DLL injection is the result when malware uses this attack vector.

> | Malware has to install a driver/service and create the necessary
> | registry entries beyond
>
> | [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\<driver/service>]
>
> | to start automatically in safe mode, for example.

~~~~~~~~~~~
> | Stefan
>
>
> One of *many* places to inject a DLL is...


OK, so your definition of "DLL injection" differs from mine: I did
not consider that "static" and more or less trivial way of DLL
injection.

> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify


In safe mode too? I don't know this for sure.

> Two others using EXE files are under...
> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
>
> Userinit
> C:\WINDOWS\system32\userinit.exe, malware_name.exe
>
> Shell
> Explorer.exe malware_name.exe


The latter not in "safe mode with command line only"!

Stefan

  #7  
Old 02-12-2008
David H. Lipman
 
Posts: n/a
Re: Can Malware Automatically Startup in Safe Mode?

From: "Stefan Kanthak" <postmaster@[127.0.0.1]>

| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

| Yes. But this dropper/downloader needs to run then already, therefore
| it has to be started somehow.
| The OP's question was: is this possible in safe mode too?

| DLL injection does NOT start any malware in the first place,
| DLL injection is the result when malware uses this attack vector.


Yes. But once executed the damage is done and the modifications have been made.


>> | Malware has to install a driver/service and create the necessary
>> | registry entries beyond
>> |
>> | [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\<driver/service>]
>> |
>> | to start automatically in safe mode, for example.
| ~~~~~~~~~~~
>> | Stefan

>> One of *many* places to inject a DLL is...

| OK, so your definition of "DLL injection" differs from mine: I did
| not consider that "static" and more or less trivial way of DLL
| injection.

>> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

| In safe mode too? I don't know this for sure.

Sure. I only mentioned the Winlogon/Notify. There are many startup points that can be
done. Too many to elaborate on.

>> Two others using EXE files are under...
>> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

>> Userinit
>> C:\WINDOWS\system32\userinit.exe, malware_name.exe

>> Shell
>> Explorer.exe malware_name.exe

| The latter not in "safe mode with command line only"!

| Stefan

Maybe, but "Safe Mode with Command Prompt Only" is not the way a user would use the PC. It
may be used for modifications or corrections but since it doesn't create a GUI nor load
the OS fully, a PC user will not be using this mode on a daily or even monthly basis.

The question was "Can Malware Automatically Startup in Safe Mode?" The answer is yes.
With followup question "If so, how difficult would it be to accomplish?" The answer is it
is not difficult at all.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

