Re: CWS = Crummy Windows Security

From: Ron Parker (ron_at_PARKRRRR.COM)
Date: 10/01/04

  • Next message: Mark Tassin: "Re: CWS = Crummy Windows Security"
    Date:         Fri, 1 Oct 2004 10:30:40 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    At 04:35 PM 9/30/2004 +0200, Andrew Aronoff wrote:
    >The shield-DLL installs itself to the following registry value in
    >NT4-type systems:
    >HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
    >
    >Per MSKB 197571, a .DLL listed there is "loaded by each Windows-based
    >application running within the current logon session." IOW, any
    >ad-ware found here runs concurrently with _every_ program launched. It
    >is truly astonishing that such a registry location exists.

    I failed to mention this in my previous message, and it may be useful
    to those attempting to write code to eradicate this beastie: The key
    phrase in the above statement is "Windows-based application." It is
    my understanding that if your application does not link with user32.dll,
    AppInit_DLLs will be ignored. Since the RegXxx functions reside in
    advapi32.dll, which does not link with user32.dll, it is in fact possible
    to create a non-GUI executable that can fix or even clear AppInit_DLLs
    but not be hijacked by CWS, even if they should happen to "improve" their
    hijacking code to include any application trying to read the registry.

    Other ways to access the registry without being hijacked by an entry in
    AppInit_DLLs would be to connect remotely from an uninfected machine, or
    to write a loadable kernel module that can clear that key using the
    kernel-level registry support (This last would seem to be the least
    fragile solution; it can fix the registry before WinLogon runs, and
    WinLogon is normally the first user32-linked program to run on an NT
    system.)

    --
    NTBugtraq Editor's Note:
    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    --
    

  • Next message: Mark Tassin: "Re: CWS = Crummy Windows Security"

    Relevant Pages

    • Re: Trojan Horse = BackDoor.Agent.BA + Startpage
      ... This advice covers three types of home page locking - hijacking (by web ... If you are using Spybot S&D, check your 'immunize' settings which may be ... There is a clever little shareware programme that can help stop your home ... The locking is done using registry settings as per the ...
      (microsoft.public.security.virus)
    • Re: CrushEm2.0 & PuzzlEm1.0
      ... This advice covers three types of home page locking - hijacking (by web ... hijacking and locking (by ISPs when you install their ... The locking is done using registry settings as per the ...
      (microsoft.public.security)
    • Re: about:blank and hijacked homepage
      ... > The past week I've been trying to restore my computer to the orginal ... search engine functions, ShopNav stills loads by itself even though i've ... > For the homepage hijacking, I have also went into the registry to manually ... registry values get reset back to about: ...
      (microsoft.public.security)
    • Yes, Another Hijacked browser- VERY nasty
      ... >stuff, still have browser hijacking. ... >registry problems with the bad registry for the IE ... >Installed spyware blaster- didn't fix it. ...
      (microsoft.public.windows.inetexplorer.ie6.browser)
    • Yes, Another Hijacked browser- VERY nasty
      ... stuff, still have browser hijacking. ... registry problems with the bad registry for the IE search ... Installed spyware blaster- didn't fix it. ...
      (microsoft.public.windows.inetexplorer.ie6.browser)