 |
 |
Security |  |
||||||||||||||||||||||||||||
|
• Greatis | |
|
• AppDatabase | |
 |
|
• Utilities | |
|
|
• Delphi/CB | |
|
|
• Visual Basic | |
|
|
• .NET | |
|
|
• just4fun | |
||||||
|
|||||||||||||||||||||||||||||||
RegRun Security Suite
|
Windows Explorer Redirection DLLS is a new dangerous Windows startup hole
Recently Greatis security team tested the W32/Almanahe.c virus. The detailed description of the virus described can be found here: http://www.greatis.com/appdata/d/n/nvmini.sys.htm The virus uses the different ways of auto starting with Windows boot:
Virus creates the file "linkinfo.dll" and puts the file into the Windows folder. The normal "linkinfo.dll" was made by Microsoft is stored in the Windows\System32 folder. Why the Windows shell "explorer.exe" loads the "linkinfo.dll" from non-standard place? Good question! We researched the file and registry changes made by the virus and found nothing. After that we put the virus file "linkinfo.dll" into the Windows folder on a clean computer and found that explorer.exe loads infected version of the "linkinfo.dll". We tried to copy "linkinfo.dll" from the System32 folder to the Windows folder and we see that the Windows Explorer.exe uses "linkinfo.dll" from Windows folder again.
The computer may be infected by simply copying virus file to the Window folder without making changes in the system settings (registry or configuration files) or changing the Windows system files. A Trojan software need to get the write right in the Windows folder. But usually it's not a problem. Power users and administrators have full rights to the Windows folder. Windows File Protection does not help you.
Windows 2000, XP(SP1,SP2,SP3), 2003, Vista(SP1), 2008 Server. Vista UAC prevents a user from creating files in the Windows folder but it may be easily skipped.
Microsoft MSDN information: "The standard DLL search order:
We can see that the first place where "Explorer.exe" searches the DLLs is the directory from which the application loaded. But the explorer.exe is stored in the Windows folder. It is a source of the problem! Explorer.exe searches the DLL in its current folder: Windows folder. Is not a local problem with linkinfo.dll only! We investigated the DLLs loaded by explorer.exe at the Windows boot and found that 20 DLLs under Windows XP and 46 DLLs under Windows Vista may be redirected. We do not publish the list of the affected DLLs but anyone can easy get it using own investigation.
 RegRun 5.8 and UnHackMe 4.8 automatically detects redirected DLLs and allows to remove it from your computer during executing of "Scan for Viruses".
The perfect way is a fixing security hole in the explorer.exe by the developers of the Windows. We offer a workaround. The Windows registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs contains the list of the DLLs "known" to the system. The DllDirectory value contains the path to the folder where the DLLs are stored. It's a Windows\System32 folder by default. If we add the redirected DLL names to the KnownDLLs registry key, the Windows "explorer.exe" will load DLLs from the right place. The Raymond Chen from Microsoft wrote an article "The Known DLLs Balancing Act". He warns against changing the KnownDLLs registry key, because it may change the system performance. We tested the performance in Windows 2000/XP/Vista after adding investigated DLL names to the KnownDLLs and we found no problems with system boot and performance. But you shoould know that if you use that protection method at your own risk.
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs- To restore from backup you need open "Protect" window as described above and click on the "Unprotect" button. Otherwise, you may use your registry editor for restore backup key. Conclusion Download RegRun Reanimator (free of charge, no ads): http://www.greatis.com/reanimator.zip Suggest you to use RegRun Platinum Edition to be sure that you are clean! Good luck!
Dmitry Sokolov
Would you like to add your opinion?
|
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
