How can some processes run behind the scenes?

I'm familiar with processes that run as applications and others that run as a service.  I don't understand the gory details involved here, but I know that if I want to disable either one, I can usually do so from MSConfig, the registry, or the services console.

But explain to me how a virus like SmitFraud can run underneath these types of processes, or shall we say over top.  SmitFraud will actually start in safe mode.  It isn't in any of the Run or RunOnce keys and isn't defined as a service in the Services console.  So where is it?

I did have to deal with this virus the other day and found a removal tool that worked well.  I just wish I could understand where such a process resides.  I believe that some security software and internet content filtering software use this same scheme.  I find them virtually undetectable, other than the obvious results that show on your screen, if any do.
HKComputerAuthor Commented:
Does it take a common .DLL found on Windows machines and replace it with a new malicious one?  But similar enough to run "as normal", pretty much so!?
yep, it adds itself to that file.
Yes, many traditional viruses work like that, by modifying legit files. However, there are many other ways as well:

(1) Rootkits: The malware installs a bunch of programs, and a low-level driver that intercepts system calls and modifies them such that those files (and the driver itself) are hidden from view. For example, when you try to look for files with Windows Explorer, it hides the files that are in certain folders. When you look with Msconfig or even Regedit, it hides certain registry entries. The malware becomes "invisible" with all traditional tools. The only ways to detect it are by looking for it after attaching the drive to another clean system, or by special programs like RootkitRevealer.

(2) ActiveX controls and dlls: These are not programs by themselves, but pieces of executable code that are run on demand by other legit programs. As such, you will  not find them listed in Task Manager or Msconfig. A popular target is Internet Explorer.

(3) By modifying networking files, such as the Hosts file, or the network dll's, to steer you to Adware web sites.

The fact is that there are well over 50 places in the Registry where malware can get launched from, and the Run and RunOnce keys are just the tip of the iceberg. Msconfig shows only a small fraction. Autoruns from is much better, but even that can miss some.
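The rootkit behaviour described in point (1) above, and the cross-view check that tools such as RootkitRevealer use against it, as an added example that is not part of the original thread and not code from any of the products it names. It is a portable C model, not a Windows driver: the "API" is a function pointer slot that stands in for a hooked system-call or IAT entry, the directory contents and the `rk_` file-name prefix are constructed for illustration, and the rootkit hides its own files by filtering the results before a tool like Explorer ever sees them. The detector does what RootkitRevealer does in principle: take the same listing through the high-level API and through the raw structures and report whatever only the raw view contains.

```c
/* Added example: simulated file-hiding rootkit and cross-view detection.
 * Everything here (the directory, the "rootkit", the rk_ prefix) is
 * constructed for illustration; nothing touches the real file system. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_ENTRIES 16

/* Constructed sample directory as it really sits on disk (the "raw" view). */
static const char *RAW_DIR[] = {
    "notepad.exe", "wininet.dll", "rk_driver.sys", "rk_config.ini", "explorer.exe"
};
static const int RAW_DIR_COUNT = 5;

/* Raw enumerator: walks the on-disk structures directly, like reading the
 * volume with a clean system or a tool that bypasses the normal API. */
static int raw_list(const char **out, int max) {
    int n = 0;
    for (int i = 0; i < RAW_DIR_COUNT && n < max; i++) out[n++] = RAW_DIR[i];
    return n;
}

/* The "API" normal programs call. Unhooked, it simply forwards to raw_list. */
typedef int (*list_fn)(const char **, int);
static int api_list_impl(const char **out, int max) { return raw_list(out, max); }

/* Dispatch slot the rootkit overwrites: stand-in for a hooked system-call
 * table entry or import-table pointer. */
static list_fn api_list = api_list_impl;

/* Rootkit hook: call the original, then drop every entry that belongs to the
 * rootkit, so Explorer, dir, Msconfig-style tools never see those files. */
static const char *HIDE_PREFIX = "rk_";
static int rootkit_list_hook(const char **out, int max) {
    const char *tmp[MAX_ENTRIES];
    int n = api_list_impl(tmp, max > MAX_ENTRIES ? MAX_ENTRIES : max);
    int kept = 0;
    for (int i = 0; i < n; i++)
        if (strncmp(tmp[i], HIDE_PREFIX, strlen(HIDE_PREFIX)) != 0) out[kept++] = tmp[i];
    return kept;
}

void install_rootkit(void) { api_list = rootkit_list_hook; }
void remove_rootkit(void)  { api_list = api_list_impl; }

/* What an ordinary tool sees: whatever comes back through the dispatch slot. */
int api_view_count(void) {
    const char *buf[MAX_ENTRIES];
    return api_list(buf, MAX_ENTRIES);
}

/* Cross-view detection: any name present in the raw view but missing from the
 * API view is being hidden. Writes hidden names to `hidden`, returns count. */
int cross_view_hidden(const char **hidden, int max) {
    const char *api[MAX_ENTRIES], *raw[MAX_ENTRIES];
    int na = api_list(api, MAX_ENTRIES);
    int nr = raw_list(raw, MAX_ENTRIES);
    int found = 0;
    for (int i = 0; i < nr; i++) {
        bool seen = false;
        for (int j = 0; j < na && !seen; j++)
            if (strcmp(raw[i], api[j]) == 0) seen = true;
        if (!seen && found < max) hidden[found++] = raw[i];
    }
    return found;
}

int main(void) {
    const char *hidden[MAX_ENTRIES];
    printf("clean system: API view shows %d entries\n", api_view_count());
    install_rootkit();
    printf("hooked system: API view shows %d entries\n", api_view_count());
    int n = cross_view_hidden(hidden, MAX_ENTRIES);
    for (int i = 0; i < n; i++) printf("hidden by rootkit: %s\n", hidden[i]);
    remove_rootkit();
    return 0;
}
```

The caveat the thread already hints at applies: the cross view only works if the raw reader really bypasses the hook. A rootkit that intercepts the disk or hive access itself defeats it, which is why examining the drive from a separately booted clean system remains the most reliable check.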

HKComputerAuthor Commented:
Am I losing my mind?  A user had posted something on this one about SmitFraud that I'm not seeing now, just before my first comment.  Where did it go?  I happen to have a copy of it in my email although I altered the last line:

Comment from Todd_Bunch
Date: 06/16/2006 07:49AM PDT

Smitfraud is a spyware program that infects the Windows file WININET.DLL with the virus detected as W32/Smitfraud.A.

The infected DLL (Dynamic Link Library) hooks all the calls to the function HttpSendRequest, and as a result the spyware is able to log the web pages accessed by the user and send this information to a server, or download and run a file that installs a so-called antispyware program on the computer, stealthily and without user consent.

This program changes the Windows Desktop to a picture that simulates a Windows fatal error, warning users that they have been affected by Trojan-Spy.HTML.Smitfraud.c. These kinds of messages attempt to trick users into purchasing the fake antispyware program.

Smitfraud is installed on the affected computer by an adware program, detected as CWS.YEXE, which is usually gotten by visiting some adult sites or installing software from file sharing networks.

I do have a question yet.  When we talk about an infected dll, I thought a dll is compiled just like an exe.  So does the virus:

(A) Replace the original dll
(B) Dynamically alter the code that exists in the dll, on the fly? (seems impossible)
(C) Install a file that intercepts all calls to a certain dll
HKComputerAuthor Commented:
I appreciate the administrative comment and you are forgiven. :-)

If you feel to further modify this page now, go ahead.

Todd_Bunch was informed straightaway after I deleted his post on 06/17/2006 06:53AM PDT

Don't know why he didn't post again with the synopses or the link to his source.
Yes, I too noticed the original comment was gone, but just thought it was some database problem at EE.

Here is my thought on your most recent question (hoping rpggamergirl does not delete it :))

(A) Replace original dll - This can be done by a virus. It is normally not possible to replace system dll's because they are in use by the system, but some are not, and others can be replaced at boot time by having malware that works in tandem. Since Win/2000, the Windows File Protection (WFP) feature has made it harder to replace system dll's, but it is certainly not impossible.

(B) alter the code that exists in the dll - this is the common way in which viruses used to work, and is still possible, though slightly more tricky because of WFP. Do a search for "code injection" and you'll find plenty of examples. Before the days of fast networks and large updates, most system patches were distributed this way.

(C) Install a file that intercepts all calls to a certain dll - A clear example of this is the following quote from Mark Russinovich (see links below):
"One method used by many root kits to hide malware is to scan a process's import table and replace the references to key system DLL functions with pointers to root kit functions that it implements in its own DLL or that it has written directly into the address space of the process. After a process has been hooked in this manner, known as DLL import hooking,"

So, to summarize, all three of the above are possible, and in fairly wide use. And there are many other tricks in addition to the above three that malware writers are using.

Some links:

Article by Mark Russinovich:
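The mechanism in option (C) and in the Russinovich quote above, and the HttpSendRequest hooking that the quoted SmitFraud description mentions, as an added example that is not part of the original thread, not Russinovich's code and not the actual malware. It is a portable C model of DLL import hooking: a process's import address table (IAT) is just a table of function pointers that the loader fills in from the DLL's export table, and the program always calls through that table. The "rootkit" scans the table and swaps the HttpSendRequest pointer for its own logging function, which forwards to the original so nothing visibly breaks. The checker then re-resolves every import against the export table and flags slots that no longer match, which is how IAT-hook detectors work in principle. The DLL, its two exports and the URLs are stand-ins constructed for illustration, not the real WININET.DLL interface.

```c
/* Added example: simulated import-table (IAT) hooking and detection.
 * The "DLL", its exports, the process and the spyware hook are all
 * constructed stand-ins; nothing here calls real Windows APIs. */
#include <stdio.h>
#include <string.h>

typedef int (*api_fn)(const char *arg);

/* --- The "DLL": real implementations and the export table that names them. --- */
static int real_HttpSendRequest(const char *url) { return (int)strlen(url); } /* pretend: bytes sent */
static int real_InternetOpen(const char *agent)   { (void)agent; return 1; }  /* pretend: a handle */

typedef struct { const char *name; api_fn addr; } export_entry;
static const export_entry DLL_EXPORTS[] = {
    { "HttpSendRequest", real_HttpSendRequest },
    { "InternetOpen",    real_InternetOpen },
};
#define EXPORT_COUNT (sizeof DLL_EXPORTS / sizeof *DLL_EXPORTS)

/* What the loader (and later the detector) does: name -> real address. */
static api_fn resolve_export(const char *name) {
    for (size_t i = 0; i < EXPORT_COUNT; i++)
        if (strcmp(DLL_EXPORTS[i].name, name) == 0) return DLL_EXPORTS[i].addr;
    return NULL;
}

/* --- The "process": its IAT, empty until the loader fills it at start-up. --- */
typedef struct { const char *name; api_fn addr; } iat_entry;
static iat_entry PROCESS_IAT[] = {
    { "HttpSendRequest", NULL },
    { "InternetOpen",    NULL },
};
#define IAT_COUNT (sizeof PROCESS_IAT / sizeof *PROCESS_IAT)

void loader_fill_iat(void) {
    for (size_t i = 0; i < IAT_COUNT; i++)
        PROCESS_IAT[i].addr = resolve_export(PROCESS_IAT[i].name);
}

/* Application code never holds the real address; it calls through the slot. */
static api_fn iat_lookup(const char *name) {
    for (size_t i = 0; i < IAT_COUNT; i++)
        if (strcmp(PROCESS_IAT[i].name, name) == 0) return PROCESS_IAT[i].addr;
    return NULL;
}
int app_send(const char *url) { return iat_lookup("HttpSendRequest")(url); }

/* --- The "spyware": hook that logs the URL, then forwards to the original. --- */
static api_fn original_HttpSendRequest;
static char last_logged_url[256];
static int hooked_HttpSendRequest(const char *url) {
    snprintf(last_logged_url, sizeof last_logged_url, "%s", url); /* what gets exfiltrated */
    return original_HttpSendRequest(url);                          /* stay transparent */
}

/* Scan the import table and replace the reference, saving the original so
 * the hook can forward to it. Returns 1 if the import was found. */
int hook_import(const char *name, api_fn hook, api_fn *saved) {
    for (size_t i = 0; i < IAT_COUNT; i++)
        if (strcmp(PROCESS_IAT[i].name, name) == 0) {
            *saved = PROCESS_IAT[i].addr;
            PROCESS_IAT[i].addr = hook;
            return 1;
        }
    return 0;
}
void install_spyware_hook(void) {
    hook_import("HttpSendRequest", hooked_HttpSendRequest, &original_HttpSendRequest);
}
const char *spyware_last_url(void) { return last_logged_url; }

/* --- Detection: re-resolve each import and compare with what the IAT holds.
 * Any slot that does not point at the DLL's own export has been hooked. --- */
int iat_hooked_entries(const char **names, int max) {
    int n = 0;
    for (size_t i = 0; i < IAT_COUNT; i++)
        if (PROCESS_IAT[i].addr != resolve_export(PROCESS_IAT[i].name) && n < max)
            names[n++] = PROCESS_IAT[i].name;
    return n;
}

int main(void) {
    const char *bad[IAT_COUNT];
    loader_fill_iat();
    printf("clean: hooked imports = %d\n", iat_hooked_entries(bad, IAT_COUNT));
    install_spyware_hook();
    app_send("http://example.test/login");            /* constructed URL */
    printf("spyware logged: %s\n", spyware_last_url());
    int n = iat_hooked_entries(bad, IAT_COUNT);
    for (int i = 0; i < n; i++) printf("hooked import: %s\n", bad[i]);
    return 0;
}
```

Two points carry over to the real thing. The application's behaviour is unchanged, which is why nothing shows up in Task Manager or Msconfig: no new process exists, only a changed pointer inside an existing one. And the detector only works because it resolves the expected address independently of the table it is checking; a hook that also patches the export table, or inline-patches the function body rather than the IAT, needs a different comparison (for example against the on-disk copy of the DLL).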
My most sincere apology for making a post without adding the link. It will not happen again, being new to this forum and wanting to contribute I made the mistake of copying and pasting the answer to a problem without giving credit to the source.

This is the link to the source information 

rpggamergirl, I tried to respond to your message but the e-mail was returned.

HKComputerAuthor Commented:
This particular topic is one that fascinates me, but it's so far out of my realm that I didn't really know where to start reading.

What I like about EE is that I can ask a question like this and then without having to read through a whitepaper that is 11 pages long and bores you to tears with details that are above your head, I'm able to get answers from other people who are reading the 11-page whitepapers (and somehow not bored to tears) and I get short but detailed answers to such questions.  It's great!

Thanks to the volunteers at EE.
>>rpggamergirl, I tried to respond to your message but the e-mail was returned.<<
I have no idea why it didn't reach me, anyway don't worry about it.

>>I made the mistake of copying and pasting the answer to a problem without giving credit to the source. <<
It happens to many people that are just starting at EE, no harm done.
Please keep on answering questions and don't be put off because of a little mistake; we all make them.
Your contributions to EE are very much appreciated!
Have fun! :)

Yes EE is great and thanks to the Experts who volunteer and share their expertise to help the Askers.
"I didn't really know where to start reading"

Just noticed this statement. The link by M.Russinovich I posted above is a great place to start.

Another site though maybe a bit technical is though be careful if you download something, it may infect your PC :)