Windows Explorer Redirection DLLS is a new dangerous Windows startup hole

History of the problem

Recently Greatis security team tested the W32/Almanahe.c virus.
The detailed description of the virus described can be found here:
https://www.greatis.com/appdata/d/n/nvmini.sys.htm
The virus uses the different ways of auto starting with Windows boot:
  •  Driver;
  •  Autorun.inf on the hard drive;
  •  File infection.
But we found that the virus uses a new Windows startup hole, not detected by RegRun/UnHackMe.
Virus creates the file "linkinfo.dll" and puts the file into the Windows folder.
The normal "linkinfo.dll" was made by Microsoft is stored in the Windows\System32 folder.

Why the Windows shell "explorer.exe" loads the "linkinfo.dll" from non-standard place?

Good question!
We researched the file and registry changes made by the virus and found nothing.
After that we put the virus file "linkinfo.dll" into the Windows folder on a clean computer and found that explorer.exe loads infected version of the "linkinfo.dll".
We tried to copy "linkinfo.dll" from the System32 folder to the Windows folder and we see that the Windows Explorer.exe uses "linkinfo.dll" from Windows folder again.

Why it is dangerous?

The computer may be infected by simply copying virus file to the Window folder without making changes in the system settings (registry or configuration files) or changing the Windows system files.
A Trojan software need to get the write right in the Windows folder. But usually it′s not a problem. Power users and administrators have full rights to the Windows folder.
Windows File Protection does not help you.

Affected Systems

 Windows 2000, XP(SP1,SP2,SP3), 2003, Vista(SP1), 2008 Server.
Vista UAC prevents a user from creating files in the Windows folder but it may be easily skipped.

Technical Details

Microsoft MSDN information:

"The standard DLL search order:
  1. The directory from which the application loaded.
  2. The system directory. Use the GetSystemDirectory function to get the path of this directory.
  3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
  4. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
  5. The current directory.
  6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path."

We can see that the first place where "Explorer.exe" searches the DLLs is the directory from which the application loaded.
But the explorer.exe is stored in the Windows folder.
It is a source of the problem!

Explorer.exe searches the DLL in its current folder: Windows folder.
Is not a local problem with linkinfo.dll only!

We investigated the DLLs loaded by explorer.exe at the Windows boot and found that 20 DLLs under Windows XP and 46 DLLs under Windows Vista may be redirected.
We do not publish the list of the affected DLLs but anyone can easy get it using own investigation.

Removal


RegRun 16.60.2024.1023 and UnHackMe 11.91 automatically detects redirected DLLs and allows to remove it from your computer during executing of "Scan for Viruses".

Protection

The perfect way is a fixing security hole in the explorer.exe by the developers of the Windows.

We offer a workaround.

The Windows registry key
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
contains the list of the DLLs "known" to the system.

The DllDirectory value contains the path to the folder where the DLLs are stored. It′s a Windows\System32 folder by default.

If we add the redirected DLL names to the KnownDLLs registry key, the Windows "explorer.exe" will load DLLs from the right place.

The Raymond Chen from Microsoft wrote an article "The Known DLLs Balancing Act". He warns against changing the KnownDLLs registry key, because it may change the system performance.

We tested the performance in Windows 2000/XP/Vista  after adding investigated DLL names to the KnownDLLs and we found no problems with system boot and performance.
But you shoould know that if you use that protection method at your own risk.

How to setup protection?


  1. Open RegRun Start Control or Reanimator.
  2. Open "Reanimator" in the main menu and choose the "Protect" item.
  3. Click on the Protect button.
RegRun automatically make backup of current KnownDLLs registry key to the:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs-

To restore from backup you need open "Protect" window as described above and click on the "Unprotect" button.
Otherwise, you may use your registry editor for restore backup key.

Conclusion

Download RegRun Reanimator (free of charge, no ads):
www.greatis.com/reanimator.zip
Suggest you to use RegRun Platinum Edition to be sure that you are clear!
Good luck!
Dmitry Sokolov
Add or See Comments (>10)
}