At 04:35 PM 9/30/2004 +0200, Andrew Aronoff wrote:
>The shield-DLL installs itself to the following registry value in
>NT4-type systems:
>HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
>
>Per MSKB 197571, a .DLL listed there is "loaded by each Windows-based
>application running within the current logon session." IOW, any
>ad-ware found here runs concurrently with _every_ program launched. It
>is truly astonishing that such a registry location exists.
I failed to mention this in my previous message, and it may be useful
to those attempting to write code to eradicate this beastie: The key
phrase in the above statement is "Windows-based application." It is
my understanding that if your application does not link with user32.dll,
AppInit_DLLs will be ignored. Since the RegXxx functions reside in
advapi32.dll, which does not link with user32.dll, it is in fact possible
to create a non-GUI executable that can fix or even clear AppInit_DLLs
but not be hijacked by CWS, even if they should happen to "improve" their
hijacking code to include any application trying to read the registry.
Other ways to access the registry without being hijacked by an entry in
AppInit_DLLs would be to connect remotely from an uninfected machine, or
to write a loadable kernel module that can clear that key using the
kernel-level registry support (This last would seem to be the least
fragile solution; it can fix the registry before WinLogon runs, and
WinLogon is normally the first user32-linked program to run on an NT
system.)
--
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such
that just hitting reply is going to result in the message coming to the list,
not to the individual who sent the message. This was done to help reduce the
number of Out of Office messages posters received. So if you want to send a
reply just to the poster, you'll have to copy their email address out of the
message and place it in your TO: field.
--
