Slashdot Mirror


Congress Debates Anti-Spyware Bill

Spy der Mann writes "An anti-spyware bill could clear the U.S. House of Representatives as early as next week, but there are disagreements on how to define the term 'spyware.' A wrong decision could end up in two opposite directions: Either a law too restrictive for legitimate companies, or a "safe harbor" for some malicious spyware distributors. Could this become another CAN-SPAM?"

1 of 180 comments

  1. Re:whisky tango foxtrot by Anonymous Coward · Score: 5, Informative
    it's real easy to see what auto starts, 2 registry keys and one folder in the start menu

    Um, no:

    Some info from http://www.nohack.net/methods.htm


    1. Start Menu\Programs\StartUp {English}
      The Shell=Explorer.exe line in system.ini
      The load= line in win.ini Under the [windows] section.
      The run= line in win.ini Under the [windows] section.
      Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
      Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnce
      Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
      Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunServices
      Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
      Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\000x "RunMyApp"="||notepad.exe"
      Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run
      Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\RunOnce
      Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\RunServices
      The [386enh] section of system.ini (this includes the scrnsave.exe= line in system.ini which can be used to run things on your system).
      The [boot] section of system.ini (this includes the scrnsave.exe= line in system.ini which can be used to run things on your system)
      The IOSUBSYS folder (drivers load automatically)
      The VMM32 folder (drivers that take precedence over those built into vmm32.vxd)
      config.sys
      autoexec.bat
      winstart.bat
      wininit.ini

    That's 20(!), and I haven't even gotten into stuff like this:

    [HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
    The key should have a value of Value "%1 %*".
    Backdoor example:
    [HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"trojan.exe %1\" %*"

    With such registry entries, the trojan.exe is executed each time an *.exe is executed.

    .. and there are versions of that for .com, .bat, .hta, .pif.

    And of course, "If a trojan installs itself as c:\explorer no run keys or other start-up entries are needed."

    So, quit the BS about "2 registry keys and one folder".
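
An added example, not part of the comment above: a defender-side check for the two registry mechanisms the comment describes, run over a registry export that has already been decoded to text. It assumes the stock `shell\open\command` default for `exefile`, `comfile`, `batfile` and `piffile` is `"%1" %*`; `.hta` is left out because its handler differs. The function names and the sample export are constructed for illustration.

```python
import re

# Assumption: stock Windows default for these classes is "%1" %*
# (.hta is excluded because its handler is mshta.exe, not the file itself).
EXPECTED = '"%1" %*'
CLASSES = ("exefile", "comfile", "batfile", "piffile")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once|OnceEx|Services|ServicesOnce)?(\\|$)", re.I)

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for string values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
        if m and key:
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            yield key, name, unescape(m.group(2))

def audit(text):
    """Return (modified_handlers, autostart_entries) found in the export."""
    hijacked, autostart = [], []
    for key, name, data in parse_reg(text):
        parts = key.lower().split("\\")
        if (name == "@" and len(parts) >= 4 and parts[-4] in CLASSES
                and parts[-3:] == ["shell", "open", "command"] and data.strip() != EXPECTED):
            hijacked.append((key, data))      # default handler no longer "%1" %*
        elif RUN_KEY.search(key):
            autostart.append((key, name, data))  # listed for manual review
    return hijacked, autostart

# Constructed sample export (not taken from a real machine)
SAMPLE = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"trojan.exe %1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\update.exe"
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run-key entries are only listed, not judged; a modified handler is flagged because any value other than the stock default means every launch of that file type passes through another program first.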