Unexpected guests


Quick, discreet and reliable


Thursday, December 5, 2019

Let's talk about a little trick. You are probably familiar with the operating system dialogue that lets a user choose which program opens a given file type. File associations are a very useful feature: the default application can be changed at any moment, and even conditionally. But the system also has a much less visible way of substituting one program for another, and attackers know it, too.

Among other things, the Windows registry contains the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (IFEO). It was designed to let developers attach a debugger to a specific application: the debugger is started whenever a program with that file name is launched, anywhere on the disk, and the original command line is appended to the debugger's command line. For example, if we create the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xx.exe with the string (REG_SZ) value "Debugger"="C:\zz.exe", then every attempt to run xx.exe will start zz.exe instead, with the path of xx.exe passed as an argument. A real debugger uses that argument to launch xx.exe under its control; an arbitrary program is free to ignore it, so xx.exe simply never runs. Writing under HKLM requires administrator rights, but that is all it takes.

Would you like the calculator to start in place of the Task Manager?

Create the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe (it does not exist by default) and add to it a string value (REG_SZ) named Debugger with the data "C:\Windows\System32\calc.exe". From now on, Ctrl+Shift+Esc opens the calculator.

Malicious programs operate in a similar way. A quick search brings back this example:

To start automatically and infect other files
The following registry entries are modified:

  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Defender.exe] 'debugger' = 'fixmapi.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgmnt.exe] 'debugger' = 'fixmapi.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hostdl.exe] 'debugger' = 'fixmapi.exe'
  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgmnt] 'debugger' = 'fixmapi.exe'


And here is another one:

Then we reboot the system and press SHIFT five times on the Windows login screen. As a result, a command prompt (the one we have replaced sethc.exe with) appears. And the beauty of it lies in the fact that the command prompt is started with SYSTEM permissions; and thus we gain full access to the computer and can launch whatever we please, even the Explorer shell.
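The following PowerShell script is an added example, not code from the article or from Doctor Web. It ties the three pieces above together: it reproduces the calculator-for-Task-Manager trick from the registry, removes it again, and, more usefully, audits the whole IFEO key for any per-image Debugger value, which is exactly the indicator the two quoted malware descriptions leave behind. The list of logon-screen accessibility binaries (sethc.exe and friends) is my own addition: a Debugger set on one of them runs as SYSTEM before anyone signs in, which is the same outcome the sethc.exe quote describes, so the audit rates those hits highest. It needs an elevated session because the key lives under HKLM; run it only on a lab machine.

```powershell
# Added example (not part of the original article): audit and demonstrate IFEO "Debugger" hijacks.
# Requires an elevated PowerShell session (HKLM is writable only by administrators). Lab use only.

$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption: accessibility binaries reachable from the logon screen. A Debugger on any of
# these runs as SYSTEM before logon, so treat such hits as highest priority.
$LogonScreenBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                         'magnify.exe', 'displayswitch.exe', 'atbroker.exe')

function Get-IfeoDebugger {
    # Enumerate every per-image subkey and report those that carry a Debugger value.
    # Legitimate subkeys (e.g. with only MitigationOptions) are skipped.
    Get-ChildItem -Path $Ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image    = $_.PSChildName
                Debugger = $dbg
                Severity = if ($LogonScreenBinaries -contains $_.PSChildName.ToLower()) { 'HIGH' } else { 'REVIEW' }
            }
        }
    }
}

function Set-IfeoDebugger {
    # Attach $Debugger to every launch of $Image, exactly as the article describes (REG_SZ "Debugger").
    param([Parameter(Mandatory)][string]$Image, [Parameter(Mandatory)][string]$Debugger)
    $key = Join-Path $Ifeo $Image
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Debugger -Value $Debugger -PropertyType String -Force | Out-Null
}

function Remove-IfeoDebugger {
    # Undo the hijack; drop the subkey only if nothing else is stored under it.
    param([Parameter(Mandatory)][string]$Image)
    $key = Join-Path $Ifeo $Image
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue
        if (-not (Get-Item -Path $key).Property) { Remove-Item -Path $key }
    }
}

# --- Demonstration: the article's calculator-for-Task-Manager trick, then cleanup ---
Set-IfeoDebugger -Image 'taskmgr.exe' -Debugger 'C:\Windows\System32\calc.exe'
Get-IfeoDebugger | Format-Table -AutoSize      # taskmgr.exe is now listed with Severity REVIEW
# Start-Process taskmgr.exe                    # would start calc.exe instead of Task Manager
Remove-IfeoDebugger -Image 'taskmgr.exe'
Get-IfeoDebugger | Format-Table -AutoSize      # baseline again: whatever was there before the demo
```

Run Get-IfeoDebugger on its own as a periodic check: on a clean workstation it normally returns nothing, so any output, and in particular a Debugger pointing at a file outside System32 or at one of the logon-screen binaries, deserves a look. Because the value is a plain string, the same query can be expressed for a fleet with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger`.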



#Windows #anti-virus #security

The Anti-virus Times recommends

Naturally, a malicious program can pull off a trick like this only if the anti-virus is disabled. As you can see, the change itself is tiny: one string value written to the registry, which takes a fraction of a second once the malware has administrator rights. It can manage it even if you disable your anti-virus for just one moment. That's why an anti-virus must always be up and running, even at system startup, when we are so eager to speed things up as much as possible!

