Sunday, July 1, 2012


FIND LOCATIONS: MALWARE


Almost all malware will install in similar directories in order to execute and propagate throughout a victim’s computer. These are some of the more common directories in which malware will install itself on Microsoft Windows (multiple versions)

  • %ApplicationData%\Microsoft\
  • %System%\[FileName].dll
  • %Program Files%\Internet Explorer\[FileName].dll
  • %Program Files%\Movie Maker\[FileName].dll
  • %All Users Application Data%\[FileName].dll
  • %Temp%\[FileName].dll
  • %System%\[FileName].tmp
  • %Temp%\[FileName].tmp
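A sweep of the directories above, as an added example (PowerShell written for this page, not code from the original post). It resolves each placeholder to the path on the local machine, lists .dll and .tmp files created in the last few days, and records Authenticode status and SHA-256 so the unsigned ones can be pulled for analysis first. The seven-day window and the output layout are my assumptions, not something the post specifies.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell 3.0+
# prompt (Get-FileHash needs 4.0+). $LookbackDays is an assumed tuning value.
$LookbackDays = 7

# Resolve the post's placeholders to concrete paths on this host.
# %All Users Application Data% is the per-machine ProgramData folder;
# %ApplicationData% and %Temp% resolve to the profile running this script.
$Locations = [ordered]@{
    '%ApplicationData%\Microsoft'       = Join-Path $env:APPDATA 'Microsoft'
    '%System%'                          = Join-Path $env:SystemRoot 'System32'
    '%Program Files%\Internet Explorer' = Join-Path $env:ProgramFiles 'Internet Explorer'
    '%Program Files%\Movie Maker'       = Join-Path $env:ProgramFiles 'Movie Maker'
    '%All Users Application Data%'      = $env:ProgramData
    '%Temp%'                            = $env:TEMP
}

$Cutoff = (Get-Date).AddDays(-$LookbackDays)

$Findings = foreach ($Entry in $Locations.GetEnumerator()) {
    if (-not (Test-Path -LiteralPath $Entry.Value)) { continue }
    # Top level only: the post describes files dropped directly into these folders.
    # -Force includes hidden files, an attribute droppers commonly set.
    Get-ChildItem -LiteralPath $Entry.Value -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Extension -eq '.dll' -or $_.Extension -eq '.tmp') -and $_.CreationTime -gt $Cutoff } |
        ForEach-Object {
            $Sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Placeholder = $Entry.Key
                Path        = $_.FullName
                Created     = $_.CreationTime
                SizeKB      = [math]::Round($_.Length / 1KB, 1)
                Signature   = $Sig.Status        # Valid, NotSigned, HashMismatch, UnknownError
                Signer      = $Sig.SignerCertificate.Subject
                SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Unsigned or hash-mismatched files in these paths go to the top of the analysis queue.
$Findings | Sort-Object Signature, Created -Descending | Format-Table -AutoSize
```

Two caveats when using this on a victim machine: the per-user placeholders resolve to whoever runs the script, so for another account substitute the paths under C:\Users\&lt;name&gt;\AppData; and CreationTime is trivially forged by the dropper, so treat the date filter as a convenience, not as evidence.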

Affecting processes: almost all malware will attempt to inject into or hook system and user processes in order to operate behind the scenes and to keep the victim from quickly identifying its activity. These are the system and user processes most often found affected by malware.

  • explorer.exe
  • services.exe
  • svchost.exe
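A quick check of the three processes above for foreign modules, as an added example (PowerShell written for this page, not code from the original post). It walks the loaded-module list of every explorer.exe, services.exe and svchost.exe instance and keeps only modules that are outside the Windows system directories or that lack a valid Authenticode signature. The list of trusted roots is my assumption.

```powershell
# Added example, not from the original post. Run elevated: services.exe and most
# svchost.exe instances run as SYSTEM and their module lists are otherwise unreadable.
# Use 64-bit PowerShell on 64-bit Windows, or 64-bit processes throw on .Modules.
$TargetProcesses = 'explorer', 'services', 'svchost'
# Assumed set of directories where a module loaded into these processes is expected.
$TrustedRoots = @(
    "$env:SystemRoot\System32\",
    "$env:SystemRoot\SysWOW64\",
    "$env:SystemRoot\WinSxS\"
)

$Suspect = foreach ($Proc in Get-Process -Name $TargetProcesses -ErrorAction SilentlyContinue) {
    try { $Modules = $Proc.Modules } catch { continue }   # access denied or WOW64 mismatch
    foreach ($Mod in $Modules) {
        $Path = $Mod.FileName
        if (-not $Path) { continue }

        $InTrustedRoot = $false
        foreach ($Root in $TrustedRoots) {
            if ($Path.StartsWith($Root, [System.StringComparison]::OrdinalIgnoreCase)) { $InTrustedRoot = $true }
        }
        $Sig = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction SilentlyContinue
        $Status = if ($Sig) { $Sig.Status } else { 'Unknown' }

        # Keep only what fails either test: unexpected location or no valid signature.
        if ($InTrustedRoot -and $Status -eq 'Valid') { continue }
        [pscustomobject]@{
            Process   = '{0} ({1})' -f $Proc.ProcessName, $Proc.Id
            Module    = $Path
            Signature = $Status
            Signer    = $Sig.SignerCertificate.Subject
        }
    }
}

$Suspect | Sort-Object Process, Module | Format-Table -AutoSize
```

Two things to keep in mind: on Windows 7, many system DLLs are catalog-signed and Get-AuthenticodeSignature reports them as NotSigned, so the location test does most of the work there; and this only sees modules the loader knows about. Code injected with a reflective loader or a hook patched into an already-loaded module never appears in the module list and needs a memory comparison against the on-disk image to find.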


Malware will also attempt to stop or disable operating system services in order to continue to execute and propagate, in particular the update, security and error-reporting services that would otherwise patch, detect or report it:

  • Windows Automatic Update Service (wuauserv)
  • Background Intelligent Transfer Service (BITS)
  • Windows Security Center Service (wscsvc)
  • Windows Defender Service (WinDefend)
  • Error Reporting Service (ERSvc)
  • Windows Error Reporting Service (WerSvc)


Here are some of the most common Registry locations where malware will install itself on a victim's computer in order to execute and propagate.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\
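A check of the services listed in the previous section and of the autostart values under the four Registry keys above, as one added example (PowerShell written for this page, not code from the original post). It reports whether each watched service is present, running and not set to Disabled, dumps the Run/RunOnce values under the CurrentVersion keys, verifies the Winlogon Shell and Userinit values under Windows NT\CurrentVersion, and lists services whose ImagePath points outside the Windows directory. The ImagePath pattern is my assumption of what a normal service path looks like.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell 5.1+
# prompt (Get-Service's StartType property needs 5.x).

# 1. Services the post says malware stops or disables.
$WatchedServices = 'wuauserv', 'BITS', 'wscsvc', 'WinDefend', 'ERSvc', 'WerSvc'
$ServiceReport = foreach ($Name in $WatchedServices) {
    $Svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $Cfg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service   = $Name
        Present   = [bool]$Svc                                      # ERSvc exists only on XP/2003
        Status    = $(if ($Svc) { $Svc.Status } else { 'n/a' })
        StartType = $(if ($Svc) { $Svc.StartType } else { 'n/a' })  # Disabled is the tell
        ImagePath = $Cfg.ImagePath                                  # should point into %SystemRoot%
    }
}
$ServiceReport | Format-Table -AutoSize

# 2. Run/RunOnce values under the HKLM and HKCU CurrentVersion keys.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Autoruns = foreach ($Key in $RunKeys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $Props) { continue }
    foreach ($P in $Props.PSObject.Properties) {
        # Skip the provider metadata Get-ItemProperty adds to every result.
        if ($P.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        [pscustomobject]@{ Key = $Key; Name = $P.Name; Command = $P.Value }
    }
}
$Autoruns | Format-Table -AutoSize -Wrap

# 3. Winlogon values under Windows NT\CurrentVersion. Defaults are 'explorer.exe' and
#    'C:\Windows\system32\userinit.exe,' (trailing comma included); anything appended
#    to either value is executed at every logon.
$Winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($Winlogon.Shell -ne 'explorer.exe') { Write-Warning "Winlogon Shell = $($Winlogon.Shell)" }
$UserinitDefault = "$env:SystemRoot\system32\userinit.exe,"
if ($Winlogon.Userinit -ne $UserinitDefault) { Write-Warning "Winlogon Userinit = $($Winlogon.Userinit)" }

# 4. Services whose binary is not under the Windows directory. Legitimate third-party
#    software appears here too, so each hit is reviewed rather than removed outright.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $Img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($Img -and $Img -notmatch '(?i)(systemroot|\\windows\\|^system32\\)') {
        [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $Img }
    }
} | Format-Table -AutoSize -Wrap
```

HKCU here is the hive of the account running the script; to inspect another user, load or address that user's hive under HKU:\&lt;SID&gt; instead. On 64-bit Windows, also check the Wow6432Node copies of the CurrentVersion keys, which 32-bit droppers write to.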
