 Trojan Start Up Methods

Trojans need to use a start up method to enable them to start when a computer is rebooted. We have compiled a list of various start up methods. There may be some methods we have missed, but in general this list will help people find the trojan start up method and stop the trojan restarting.

Autostart folder
Every item placed in the autostart folder is started automatically.

Win.ini
[windows]
load=trojanserver.exe
run=trojanserver.exe

System.ini
[boot]
Shell=Explorer.exe trojanserver.exe

Autoexec.bat
c:\trojan.exe

Registry Shell open
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
This key normally holds the value "%1 %*", and its command is executed each time you execute a .exe file. A trojan changes the value to "trojanserver.exe %1 %*".

Alternate Registry Keys
[HKEY_CLASSES_ROOT\.exe] @="myexefile"
[HKEY_LOCAL_MACHINE\Software\CLASSES\myexefile\shell\open\command] @="trojanserver.exe %1 %*"

winstart.bat
A batch file that autostarts with Windows.

Main Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

wininit.ini
This file is processed when Windows loads and is then deleted.
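
As an added example (not part of the original list), this Python sketch checks the text of Win.ini and System.ini, plus the two values from the shell open entries, for the changes described above. The "clean" values it compares against are assumptions about a default install, and the sample input is constructed from the placeholder names used in this list.

```python
import re

# Assumed clean values for a default install (not taken from the list above).
CLEAN_SHELL = "explorer.exe"
CLEAN_EXE_COMMANDS = {'"%1" %*', "%1 %*"}
CLEAN_EXE_CLASS = "exefile"

def ini_values(text):
    """Yield (section, key, value) from INI text, lower-casing section and key."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            yield section, key.strip().lower(), value.strip()

def audit_win_ini(text):
    """Report any program named on load= or run= under [windows] for review."""
    return [f"win.ini {k}= starts {v}" for s, k, v in ini_values(text)
            if s == "windows" and k in ("load", "run") and v]

def audit_system_ini(text):
    """Report a [boot] Shell= line that names anything besides Explorer.exe."""
    return [f"system.ini shell= is {v}" for s, k, v in ini_values(text)
            if s == "boot" and k == "shell" and v.lower() != CLEAN_SHELL]

def audit_exe_handler(exe_class, open_command):
    """Check the .exe class name and that class's shell\\open\\command value."""
    findings = []
    if exe_class.lower() != CLEAN_EXE_CLASS:
        findings.append(f".exe is mapped to class {exe_class}")
    if open_command.strip() not in CLEAN_EXE_COMMANDS:
        findings.append(f"shell\\open\\command runs {open_command}")
    return findings

# Constructed sample input using the placeholder file names from the list.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=trojanserver.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nShell=Explorer.exe trojanserver.exe\n"

if __name__ == "__main__":
    for finding in (audit_win_ini(SAMPLE_WIN_INI)
                    + audit_system_ini(SAMPLE_SYSTEM_INI)
                    + audit_exe_handler("myexefile", "trojanserver.exe %1 %*")):
        print(finding)
```

Legitimate software can also use load= and run=, so a finding from the Win.ini check means the entry should be reviewed, not that it is a trojan.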
