Windows XP A to Z - http://www.softwaretipsandtricks.com/windowsxp
Random startup entry and filename viruses
http://www.softwaretipsandtricks.com/windowsxp/articles/594/1/Random-startup-entry-and-filename-viruses
Super Admin
 
By Super Admin
Published on 03/28/2005
 
There are viruses and other pests that can add any number of different entries to the startups.

Random startup entry and filename viruses

There are viruses and other pests that can add any number of different entries to the startups. They make additional entries under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\ Run and RunOnce keys, allowing them to run at startup. In all cases below, %system% is a variable - by default this is C:\Windows\System (Win9x/Me), C:\Winnt\System32 (WinNT/2K), or C:\Windows\System32 (WinXP):

  1. PE_BISTRO - adds "XXXX"="C:\WINDOWS\XXXX.EXE" - where XXXX is the randomly chosen filename of the dropped file
  2. MAGISTR.A - adds "[Virus file name]"="[Virus Path and file name].EXE"
  3. BUGBEAR.A or BUGBEAR.C or BUGBEAR.E - adds ""=%System%\"[random filename].EXE"
  4. OPTIXPRO.11 - adds "%Registry entry%"="%Path%\%Filename%"
  5. Lop.com homepage hijacker - adds multiple and random startup entries
  6. FreeScratchAndWin - adds multiple and random startup entries as it includes LOP above
  7. nCase (or n-Case) parasite - adds multiple and random startup entries
  8. LORAC - adds "[four random characters]"="%Sysdir%\abcdef.exe"
  9. MOSUCK - random name and filename in C:\Windows or C:\Winnt
  10. DEBORMS.D - adds one of a number of valid Name/Startup Item entries but points to the path of the worm file dropped
  11. GIBE.C - adds random name and filename in C:\Windows or C:\Winnt
  12. SWEN.A - adds random name and filename
  13. ZOMBAM.B - adds random name and filename
  14. WANADO or REUR - adds "XXXXXXXX"="%Sysdir%\XXXXXXXX.exe" where X can be any random hexadecimal (0-9, A-F) number
  15. SINCOM - adds random name and filename in C:\Windows or C:\Winnt with "Run:Auto" appended to the command/data column entry
  16. SOBER family - adds "[random string]"="%system%\[random filename.exe]"
  17. BRANCOS.C - adds "win_[4 random characters][4 random numbers 0-9]"="%System%\SYS_386X\[4 random characters][4 random numbers 0-9].exe"
  18. IRC.BOT.B - adds random name and filename
  19. COREFLOO-C - adds "[random filename]"="rundll32 %SYSTEM% [random filename].dll,Init 1"
  20. [random digits].exe = [random digits].exe - 8 random digits, example: 77231997.exe = 77231997.exe. Winpup.exe adult content downloader
  21. DRAGONQQ - "[Trojan's filename]"="[Path to the Trojan]", "[Random name]"="C:\WINNT\[Random name].exe", "[Random name]"="C:\Program Files\[Random name].exe" or "[Random name]"="C:\WINDOWS\[Random name].exe"
  22. FORMADOR - adds "[executed file name]"="%System%\[executed file name].exe"
  23. NETTRASH - adds "[file name]"="[path to filename].exe"
  24. OPTIXPRO.13B - adds "[registry value name]"="[path to trojan].exe"
  25. MYDOOM.F or MYDOOM.G or MYDOOM.H - adds "[4 to 8 random, lowercase letters]"="[worm filename]"
  26. ANNIL - adds random name and filename
  27. ANTINNY.G and ANTINNY.K - adds "[random name]"="[path to worm]"
  28. KILLAV.D - adds "[Trojan filename]"="%Windir%\[Trojan file name]" where %Windir% is C:\Windows or C:\Winnt
  29. MYPOO - adds "[value name]"="[Trojan file name]" where [value name] is configurable
  30. BLACKMAL or BLACKMAL.B - adds "[random_file_name1].exe"="%System%\[random_file_name1].exe"
  31. ERKEX.A - adds "[random_file_name]"="%System%\[random_file_name].exe"
  32. OPASA - adds "[random_file_name]"="%System%\[random_file_name].exe"
  33. GAOBOT.ADN - adds random name and filename
  34. ADWAHECK - adds "[trojan name]"="%System%\[trojan filename]"
  35. GOBOT.A - adds random name and filename in C:\Windows or C:\Winnt
  36. Sandboxer adware - adds random name and filename
  37. AGENT.B - adds "[1-5 random characters]"="RUNDLL32 %System%\[DLL filename].dll,StreamingDeviceSetup"
  38. EXRUNTEL - adds "[original filename]"="%System%\[original filename]"
  39. Margoc adware - adds random name and filename
  40. Winpup adware - adds random name and filename in %System%
  41. KETCH - adds "[word]"="%System%\[word][number].exe"
  42. DARBY.B - adds "[random worm filename]"="%System%\[random worm filename]"
  43. VUNDO - adds "*[trojan name]"="[trojan path]"
  44. BEAKER.A - adds "[5 random lower-case char]"="[5 random lower-case char].exe" in the System, system32, Temp and Fonts sub-directories of %Windir%
  45. LIFEFORENOW - adds "[random filename]"="%System%\[random filename].exe"
  46. DIMI - adds "[random value name]"="%System%\[random filename].exe"
  47. ABEBOT - adds "[random service name]"="[random filename].exe -services"
  48. OMEGA - adds "[random value]" = "%Windir%\[random file name].exe"
  49. NAMSHARE - adds "[Random service name]" = "[Random file name]"
  50. REANET.B - adds "[file name]" = "[path to file name]"
  51. BANCOS.Q - adds "[filename prefix]" = "[path to filename]"
  52. SPYBOTER.GEN - adds "[key name]" = "[file name of Trojan]"
  53. BOTUK - adds "[random characters]Srv32" = "[random characters]srv.exe"