Anyone else observing change in "explorer.exe" settings in HKLM - Page 2

Thread: Anyone else observing change in "explorer.exe" settings in HKLM

  1. #11
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Same here.

    I know that there is malware that will edit that registry entry and may even set it to "null" or blank, which I suppose is what " " is?

    Here is an (old) example:

    http://www.ca.com/us/securityadvisor....aspx?id=58501

    I would have thought that the current entry would mean that the desktop wouldn't load? I just find it odd that so many machines have been affected without someone saying something sooner.

    Probably a thing of the past, but in the old days (NT 4) we used to use logon scripts to do that sort of thing.

    I would be interested to know what runs when you boot an affected machine? Are the users supposed to get the normal desktop?
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  2. #12
    Senior Member SnugglesTheBear's Avatar
    Join Date
    Jun 2010
    Posts
    133
    Quote Originally Posted by nihil:
    Same here.

    I know that there is malware that will edit that registry entry and may even set it to "null" or blank, which I suppose is what " " is?
    Keep me posted too!
    Technically a null entry would be "" not " "
    Sorry felt like being a pedantic dick

    Quote Originally Posted by nihil:
    I would have thought that the current entry would mean that the desktop wouldn't load? I just find it odd that so many machines have been affected without someone saying something sooner.
    Meh, not that surprising really. A lot of malware is meant to avoid detection and cleverly hide itself so a standard user does not notice it at all =P AV can only do so much and really is a minor hassle for attackers that aren't script kiddies, what with all the advanced encoding libraries out there. It makes detection via definitions a very difficult task and one that will always be a step behind at best >.<

    Quote Originally Posted by nihil:
    I would be interested to know what runs when you boot an affected machine? Are the users supposed to get the normal desktop?
    You should get the seemingly normal desktop unless the attacker doesn't want that >.< It seems weird though that the only weird registry value that stands out is the shell one. I would figure that if an attacker was trying to be very stealthy they would just patch explorer.exe or whatever file they were most concerned with and not change the registry in such a blatant way. It kind of makes me lean a little on the side of windows being windows, but it is definitely something I want more info about.............

  3. #13
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    It seems weird though that the only weird registry value that stands out is the shell one. I would figure that if an attacker was trying to be very stealthy they would just patch explorer.exe or whatever file they were most concerned with and not change the registry in such a blatant way. It kind of makes me lean a little on the side of windows being windows, but it is definitely something I want more info about.............
    I agree, I can't quite figure out what it is supposed to achieve. Makes me wonder if there might not be another explorer.exe on the systems? Is the original still there and where it should be? AFAIK the explorer value is there by default but if it were null or blank then explorer.exe is the default shell anyway???

    As for "windows being windows" that might explain the odd occurrence but not 4,000 instances or even 400?

    It looks pretty deliberate to me, but who did it, how and why?
    Last edited by nihil; August 4th, 2010 at 08:16 PM.
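The question above about what the "Shell" value holds on the affected boxes and what happens when it is blank can be settled per machine with a quick audit. The following PowerShell is an added example, not code from anyone in the thread; it assumes the value in question is the standard Winlogon "Shell" entry (the thread never names the full key path) and treats anything other than the stock `explorer.exe` as worth a closer look.

```powershell
# Added example (not from the thread): audit the Winlogon "Shell" value that
# decides which program Winlogon starts as the desktop shell. The " " / blank
# case discussed in the thread is reported separately from a real replacement.
# Assumption: the value lives under the standard Winlogon key (HKLM, and the
# per-user override in HKCU); the thread itself never names the full path.
function Get-ShellValueStatus {
    [CmdletBinding()]
    param(
        [string[]]$Paths = @(
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
            'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        )
    )
    foreach ($path in $Paths) {
        $value = $null
        if (Test-Path -LiteralPath $path) {
            $value = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).Shell
        }
        $status = if ($null -eq $value) {
            'absent'                # no value set; Winlogon's built-in default is explorer.exe
        } elseif ([string]::IsNullOrWhiteSpace($value)) {
            'blank-or-whitespace'   # the " " or "" case reported in the thread
        } elseif ($value.Trim() -ieq 'explorer.exe') {
            'default'               # stock value
        } else {
            'modified'              # extra executables appended, or a different path
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Hive     = $path.Split(':')[0]
            Shell    = $value
            Status   = $status
        }
    }
}

# Report anything that is not the stock value. Run it on an affected image and
# on a known-clean build of the same corporate image to compare the two.
Get-ShellValueStatus | Where-Object Status -ne 'default' | Format-Table -AutoSize
```

For a fleet-wide check the function can be run through `Invoke-Command` against a list of hosts and the objects exported to CSV, which turns "4,000 instances" into a sortable table of hive, value and status per machine.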

  4. #14
    Senior Member SnugglesTheBear's Avatar
    Join Date
    Jun 2010
    Posts
    133
    As for "windows being windows" that might explain the odd occurrence but not 4,000 instances or even 400?
    Sure it would. Windows on each box, similar or identical configuration for each box, I would suspect we would see very close behavior. <@):P

    But I was wondering if you found anything Byte?

  5. #15
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Nothing ... Just 1 DLL in all images but that was found as adware (not-a-virus-advertisement-program by Kaspersky)..

    The problem was network degradation. Since I look after anti-malware for the company, I was asked to investigate the malware issue (since the network assurance manager said his side was clear). However, as it turns out we gave up a considerable amount of bandwidth (purchased from a sister company) and the network dude had given for reduction (he calls it degradation) in bandwidth, so someone goofed up in the process, leading to the dial-up performance.

    (rant here)


    I did find 4 new variants of w32.SillyFDC (or DFC one of them) and w32.pilleuz but I don't think they are connected to the registry issue, since I analyzed all the malware samples before submission and they did not modify the reg key I'm talking about.
    Last edited by ByTeWrangler; August 6th, 2010 at 07:20 PM.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  6. #16
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    sure it would. Windows on each box, similar or identical configuration for each box, i would suspect we would see very close behavior. <@):P
    I see what you are trying to say, but that would only work if all were mirrored at least in some part (the basics)?

    My next move would be to take the corporate mirror image and load it onto an offnet virgin system...............then take a look?

  7. #17
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Quote Originally Posted by ByTeWrangler:
    Nothing ... Just 1 DLL in all images but that was found as adware (not-a-virus-advertisement-program by Kaspersky)..

    The problem was network degradation. Since I look after anti-malware for the company, I was asked to investigate the malware issue (since the network assurance manager said his side was clear). However, as it turns out we gave up a considerable amount of bandwidth (purchased from a sister company) and the network dude had given for reduction (he calls it degradation) in bandwidth, so someone goofed up in the process, leading to the dial-up performance.

    (rant here)


    I did find 4 new variants of w32.SillyFDC (or DFC one of them) and w32.pilleuz but I don't think they are connected to the registry issue, since I analyzed all the malware samples before submission and they did not modify the reg key I'm talking about.
    Did you test them in a VM? Some malware detects a VM and doesn't reproduce as it would undetected.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  8. #18
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    I never booted the machine into a VM. I just mounted the VM disk on my physical machine and scanned it.. Like I said, found nothing!
