14 Windows Registry Entries Commonly Used by Malicious Adware

Most of us have had the experience of visiting a website and finding afterwards that IE settings such as the start page or window title, or even Windows settings, have been changed. This was especially common in the early days of Internet usage. Plenty of tools now help prevent it, but as a programmer or systems engineer you should understand what this adware or spyware actually changes. The snippets below are the Windows Script Host (VBScript) calls such a script makes: WshShell is the WScript.Shell object created in the first item, and the three arguments to RegWrite are the registry path, the data and the value type. A path that ends in a backslash addresses the key's (Default) value.

1. Set WshShell = CreateObject("WScript.Shell")
WshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "1", "REG_DWORD"

This is really bad. It stops the Registry Editor (regedit) from opening at all, so you can no longer inspect or undo the entries below with it. It is written under HKCU, so it applies to the user account the script ran as.

2. WshShell.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "", "REG_SZ"

This sets the IE start page to whatever URL the adware chooses; the empty string here is a placeholder for that URL.

3. WshShell.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage", "1", "REG_DWORD"

This prevents you from changing the IE home page: the Home page fields in Internet Options are greyed out, so the start page set in item 2 sticks.

4. WshShell.RegWrite "HKLM\Software\Microsoft\Internet Explorer\Main\Window Title", "Your IE Title is changed", "REG_SZ"

This changes the IE window title. The value is under HKLM, so the script needs administrative rights for it; the same value under HKCU\Software\Microsoft\Internet Explorer\Main works for the current user without them.

5. WshShell.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserContextMenu", "1", "REG_DWORD"

This disables the browser's right-click context menu.

6. WshShell.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserOptions", "1", "REG_DWORD"

This is bad! Tools | Internet Options no longer opens, so the settings changed above cannot be corrected from within IE.

7. WshShell.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFileOpen", "1", "REG_DWORD"

This prevents you from using File | Open.

8. WshShell.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserSaveAs", "1", "REG_DWORD"

This prevents you from using File | Save As.

9. WshShell.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Advanced", "1", "REG_DWORD"

This disables the settings on the Tools | Internet Options | Advanced tab (the companion value AdvancedTab hides the tab altogether).

10. WshShell.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab", "1", "REG_DWORD"

This hides the Tools | Internet Options | Security tab.

11. WshShell.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\ResetWebSettings", "1", "REG_DWORD"

This disables the Reset Web Settings button on the Programs tab, which would otherwise restore the default start page and search settings.

12. WshShell.RegWrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoViewSource", "1", "REG_DWORD"

This disables View | Source, so you cannot inspect the page that made the changes.

13. WshShell.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption", "Hello!", "REG_SZ"
WshShell.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeText", "You are hacked", "REG_SZ"

This sets the legal notice caption and text that Windows shows before logon. Both values are under HKLM, so the script needs administrative rights to write them.

14. WshShell.RegWrite "HKCR\exefile\shell\open\command\", "xx %1 %*", "REG_SZ"

This is also bad! The (Default) value of this key (the trailing backslash in the path selects it) is the command Windows uses to launch every .exe, and its stock content is "%1" %*. Once it points at xx, no program starts, including regedit.exe, so the value cannot simply be edited back. If you are not familiar with the Registry you may end up reinstalling Windows; the well-known workaround is to copy regedit.exe to regedit.com, which is launched through the comfile handler instead, and restore the value from there.
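A triage check for all fourteen entries, as an added example that is not part of the original post: it parses a `reg export` file offline, so it runs on an analysis machine rather than on the infected one where regedit may already be blocked, and reports the values listed above. The hive fragment SAMPLE_EXPORT is constructed for the demonstration, and the "high"/"review"/"critical" labels are this example's own scheme.

```python
"""Offline audit of a .reg export for the fourteen adware registry tweaks.

Added example, not code from the original post. It parses the text that
`reg export` produces and flags the values an adware script would set.
SAMPLE_EXPORT below is a constructed hive fragment, not real evidence.
"""
import re
from typing import Dict, List, Optional, Tuple

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKCR": "HKEY_CLASSES_ROOT"}
IE_POL = r"HKCU\Software\Policies\Microsoft\Internet Explorer"

# Items 1, 3, 5-12: DWORD restrictions. Any non-zero value is a finding.
RESTRICTIONS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System": ["DisableRegistryTools"],
    IE_POL + r"\Control Panel": ["HomePage", "Advanced", "SecurityTab", "ResetWebSettings"],
    IE_POL + r"\Restrictions": ["NoBrowserContextMenu", "NoBrowserOptions", "NoFileOpen",
                                "NoBrowserSaveAs", "NoViewSource"],
}
# Items 2, 4, 13: strings an administrator might set legitimately, so they
# are reported for review rather than flagged outright.
REVIEW = {
    r"HKCU\Software\Microsoft\Internet Explorer\Main": ["Start Page"],
    r"HKLM\Software\Microsoft\Internet Explorer\Main": ["Window Title"],
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon": ["LegalNoticeCaption",
                                                                 "LegalNoticeText"],
}
# Item 14: the stock handler for .exe files; anything else intercepts every launch.
EXE_COMMAND_KEY = r"HKCR\exefile\shell\open\command"
DEFAULT_EXE_COMMAND = '"%1" %*'

Value = Tuple[str, object]          # (REG_SZ | REG_DWORD, data)
Hive = Dict[str, Dict[str, Value]]  # lower-cased key path -> value name -> Value


def _unescape(s: str) -> str:
    """Undo .reg escaping: a backslash quotes the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Hive:
    """Parse the subset of .reg syntax these checks need: key headers,
    REG_SZ and REG_DWORD values. hex(...) binary data is skipped."""
    keys: Hive = {}
    current: Optional[str] = None
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join continued hex lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            path = line[1:-1]
            current = None if path.startswith("-") else path.lower()  # "-" deletes a key
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2)).lower()
        data = m.group(3)
        if data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            keys[current][name] = ("REG_SZ", _unescape(data[1:-1]))
    return keys


def lookup(keys: Hive, path: str, name: str) -> Optional[Value]:
    """Find a value by the short HKCU\\... path style used in the post."""
    hive, _, rest = path.partition("\\")
    return keys.get(f"{HIVES.get(hive, hive)}\\{rest}".lower(), {}).get(name.lower())


def audit(keys: Hive) -> List[Tuple[str, str, str]]:
    """Return (severity, location, detail) for every suspicious value."""
    findings = []
    for path, names in RESTRICTIONS.items():
        for name in names:
            hit = lookup(keys, path, name)
            if hit and hit[0] == "REG_DWORD" and hit[1] != 0:
                findings.append(("high", f"{path}\\{name}", f"restriction set to {hit[1]}"))
    for path, names in REVIEW.items():
        for name in names:
            hit = lookup(keys, path, name)
            if hit and hit[1]:
                findings.append(("review", f"{path}\\{name}", f"set to {hit[1]!r}"))
    hit = lookup(keys, EXE_COMMAND_KEY, "@")
    if hit and hit[1] != DEFAULT_EXE_COMMAND:
        findings.append(("critical", EXE_COMMAND_KEY + r"\(Default)",
                         f"exe handler hijacked: {hit[1]!r}"))
    return findings


# Constructed sample in the shape `reg export` writes (on disk it is UTF-16LE
# with a BOM; open real files with encoding="utf-16").
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://adware.example/start"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001
"SecurityTab"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoViewSource"=dword:00000001

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="xx \"%1\" %*"
'''

if __name__ == "__main__":
    for severity, where, detail in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"[{severity:8}] {where}: {detail}")
```

To use it on a real machine, run `reg export HKCU hkcu.reg`, `reg export HKLM hklm.reg` and `reg export HKCR hkcr.reg` (administrative rights are needed for HKLM), then feed each file's text to parse_reg_export and merge the dictionaries before calling audit. A value of 0 for a restriction is treated as clean, and the exe handler check only fires when the (Default) value is present and differs from the stock "%1" %*.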

1 Trackback(s)

  1. From 14 Windows Registry Commonly used by Malicious Adware « Yolanda’s Weblog | Nov 17, 2007