Real One, phoning home and the reappearing startup program.
From: Barry Dorrans (barryd@BANN.CO.UK)Date: 04/29/02
- Previous message: Russ: "Administrivia #35683: Microsoft Security Bulletin Notifications"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 29 Apr 2002 10:34:47 +0100 From: Barry Dorrans <barryd@BANN.CO.UK> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Folks,
About a month ago we noticed Tiscali icons (Windows URL shortcuts)
appearing on work desktops. This was tracked back to Real One
(eventually).
We hunted around in the registry, discovering a real program,
interesting named evntsvc (which looks like an attempt to blend the
process into others windows processes). We removed the registry entry
and thought no more about it.
Last week, the dropped icon reappeared on our senior developer's
machine. Lo and behold, the startup registry entry is back.
Note that the icon dropping is done when your machine is idle. We've had
a icon dropped at 6:00am in the morning on a Sunday (not a normal time
for developers to be awake!), so Real is communicating back somewhere.
I wouldn't have brought this up, but the fact that it adds itself back
in is worrying. As for dropping icons, who knows what else it could
drop?
Details:
RealPlayer version: 6.0.10.505 RealOne 'Free' package
Registry Key Location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Key Name: TkBellExe
Value: C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
Put there unconditionally when RealOne is installed, stays there, and is
recreated/updated when RealOne is started if you try to delete or change
it. There is no option to disable this behaviour, although there IS an
option within RealOne which supposedly makes it actively do stuff only
when RealOne is being executed.
This is under "Internet Settings" as "Only perform automatic services
while RealOne Player is in use". When you try to Enabling this option,
it begs you not to. When you enable it, it still DOES NOT remove the
above registry key, however the evntsvc.exe process is terminated when
RealOne is exited, and from that point on is started and closed in
tandem with RealOne.
Note that the 'Run' registry key is still there, so I assume it doesn't
*allow* itself to start when realone isn't running.
Regardless of the above setting, the TkBellExe registry key is still
recreated/updated every time RealOne is run.
So far the only apparent action of the evntsvc process was to create a
desktop shortcut link to Tiscali's website, early in the morning. The
initial memory footprint is 143kb - same as the exe size - in ram and
about 450kb paged.
There is a resolution: it seems that if you delete evntsvc.exe, then
RealOne does not complain about not being able to run it, and it no
longer creates the registry key. It's not exactly a documented technique
though.
~
Barry Dorrans - barryd@idunno.org / barryd@bann.co.uk
Alex Fedida - alex@squeaple.net
- Previous message: Russ: "Administrivia #35683: Microsoft Security Bulletin Notifications"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
