Purpose:
The feature allows you to protect against malware using "redirection Windows Explorer DLLs" startup hole.
History of the problem:
Recently our security team tested the W32/Almanahe.c virus.
The detailed description of the virus described can be found here:
http://www.greatis.com/appdata/d/n/nvmini.sys.htm
The virus uses the different ways of auto starting with Windows boot:
- Driver;
- Autorun.inf on the hard drive;
- File infection.
But we found that the virus uses a new hole, not detected by RegRun.
Virus creates "linkinfo.dll" and puts that DLL into the Windows folder.
The normal "linkinfo.dll" made by Microsoft is stored in the Windows\System32 folder.
Why the Windows shell "explorer.exe" loads the "linkinfo.dll" from non-standard place?
Good question.
We researched the file and registry changes made by the virus and found nothing.
After that we put the virus file "linkinfo.dll" into the Windows folder on a clean computer and found that explorer.exe loads infected version of the "linkinfo.dll".
We tried to copy "linkinfo.dll" from the System32 folder to the Windows folder and we see that the Windows uses "linkinfo.dll" from Windows folder again.
What is dangerous?
The computer may be infected by simply copying virus file to the Window folder without making changes the system settings (registry or configuration files) or changes the system files.
Windows File Protection will not help you.
Affected Systems
Windows 2000, XP(SP1,SP2,SP3), 2003, Vista(SP1), 2008 Server.
Technical Details
The standard DLL search order:
1. The directory from which the application loaded.
2. The system directory. Use the GetSystemDirectory function to get the path of this directory.
3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
4. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.
We can see that the first place where "Explorer.exe" searches the DLLs is the directory from which the application loaded.
But the explorer.exe is stored in the Windows folder.
There is the source of the problem!
Explorer.exe searches the DLL in its current folder: Windows folder.
Is not a local problem with linkinfo.dll only!
We investigated the DLLs loaded by explorer.exe at the Windows boot and found that 20 DLLs under Windows XP and 46 DLLs under Windows Vista may be redirected.
Removal
RegRun automatically detects redirected DLLs and allows to remove it from your computer during executing of "Scan for Viruses".
Protection
The perfect way is a fixing security hole in the explorer.exe by the developers of the Windows.
We offer a workaround.
The Windows registry key
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
contains the list of the DLLs "known" to the system.
The DllDirectory value contains the path to the folder where the DLLs are stored.
It's a Windows\System32 folder.
If we add the redirected DLL names to the KnownDLLs registry key, the Windows "explorer.exe" will load DLLs from the right place.
The Raymond Chen from Microsoft wrote an article "The Known DLLs Balancing Act". He warns against changing the KnownDLLs registry key, because it may change the system performance.
We tested the performance in Windows 2000/XP/Vista after changing the KnownDLLs and we found no problems.
How to setup protection?
Open RegRun Start Control.
Open "Reanimator" in the main menu and choose the "Protect" item.
Click on the Protect button.
RegRun automatically backups KnownDLLs registry key to the:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs-
To restore from backup you need open "Protect" window as described above and click on the "Unprotect" button.