A really quick way to determine whether or not an executable is malicious is the location from which it is executing. While further investigation is always necessary, you can usually give a quick cursory glance to the file and determine that there is *something* malicious about it just by where it resides.
Windows, like Unix operating systems, is a multi user system. Applications and files can be owned and executed by different users on the system to help limit access to user-specific data, while allowing shared access to common resources. One very common trait of these types of systems is the existence of home folders. For the longest time, Windows has stored its home folders in “C:\Documents and Settings”. However, beginning with Windows Vista this has now simply been changed to “C:\Users”.
Focusing more on the modern variants of Windows, you will find that certain types of data get written to different locations based on which users need access to that data. User-specific information, such as documents, or user-specific cache, get written to C:\Users\%USERNAME%\AppData. Using UAC terminology, medium integrity processes which execute as the user have write permissions to the user’s entire %USERNAME% folder.
Interestingly, the aforementioned Application Data folder is also hidden by default. You will very commonly find malware executing from somewhere inside.
A couple of common traits of modern malware:
- Executes from C:\Users\%USERNAME%\AppData\Roaming (or Local)
- Execute’s from %TEMP% (C:\Users\%USERNAME\AppData\Local\Temp
- Execute’s from Temporary Internet Files (C:\Users\%USERNAME\AppData\Local\Temporary Internet Files)
- Usually includes a randomly generated name, e.g. dUsjanjddureue.exe
- Maintains persistence within the user’s registry, HKCU\Software\Microsoft\Windows\Current Version\Run
If your antivirus does not flag executables with the above characteristics I would highly recommend submitting the sample to your AV vendor, booting from a different account (The local Administrator account works here), or safe mode, and removing the registry entry.
Many of these malicious programs are bundled with root kits, such as TDSS. Unfortunately I’m not as well versed in discovering root kits beyond running a few utilities to check files, but I will have a write-up on that once I learn more about how to track these files down.