Re: CWS = Crummy Windows Security

From: Ron Parker (ron_at_PARKRRRR.COM)
Date: 10/01/04

  • Next message: Mark Tassin: "Re: CWS = Crummy Windows Security"
    Date:         Fri, 1 Oct 2004 10:30:40 -0500

    At 04:35 PM 9/30/2004 +0200, Andrew Aronoff wrote:
    >The shield-DLL installs itself to the following registry value in
    >NT4-type systems:
    >HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
    >Per MSKB 197571, a .DLL listed there is "loaded by each Windows-based
    >application running within the current logon session." IOW, any
    >ad-ware found here runs concurrently with _every_ program launched. It
    >is truly astonishing that such a registry location exists.

    I failed to mention this in my previous message, and it may be useful
    to those attempting to write code to eradicate this beastie: The key
    phrase in the above statement is "Windows-based application." It is
    my understanding that if your application does not link with user32.dll,
    AppInit_DLLs will be ignored. Since the RegXxx functions reside in
    advapi32.dll, which does not link with user32.dll, it is in fact possible
    to create a non-GUI executable that can fix or even clear AppInit_DLLs
    but not be hijacked by CWS, even if they should happen to "improve" their
    hijacking code to include any application trying to read the registry.

    Other ways to access the registry without being hijacked by an entry in
    AppInit_DLLs would be to connect remotely from an uninfected machine, or
    to write a loadable kernel module that can clear that key using the
    kernel-level registry support (This last would seem to be the least
    fragile solution; it can fix the registry before WinLogon runs, and
    WinLogon is normally the first user32-linked program to run on an NT

    NTBugtraq Editor's Note:
    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.

  • Next message: Mark Tassin: "Re: CWS = Crummy Windows Security"