The Case of the Missing Task Manager and Registry Editor
Posted by William Diaz on June 5, 2012
I was recently given a netbook to look at after it was hit by some malware. The malware exe had already been removed, but it left a few common system utilities, such as the Task Manager and the Windows Registry Editor, in a dysfunctional state. Furthermore, popular anti-malware and anti-virus utilities were also unable to run. For example, trying to run taskmgr.exe or regedit produced the following error: “Windows cannot find ‘C:\Windows\system32\taskmgr.exe’…”
Navigating to the executable path showed that taskmgr.exe and regedit.exe existed. At the same time, third-party utilities from various anti-malware applications produced no error message at all. Investigating with Process Explorer showed that, for example, the Anti-Malware Bytes executable was launching but immediately shut down. Turning to Autoruns, I was able to see why the Task Manager and the Registry Editor were failing (recreation):
The malware that had made its way onto the system earlier had created registry entries under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options for both the regedit and taskmgr system tools. This key is primarily used to debug applications: you create a subkey named after the executable you want to debug and add a string value named Debugger whose data is the debugger's path, and Windows then starts that debugger with the target executable as its argument instead of running the target directly. Here is a good MSDN blog that covers this key in more detail: Inside ‘Image File Execution Options’ debugging. Obviously the idea was to pipe any attempt to open either taskmgr or regedit through the malware executable[1], likely to convince the user they were infected and to purchase fake anti-virus; this type of malware is often referred to as scareware. After the malware keys were removed, taskmgr and regedit operated normally.
As for the other third-party anti-malware tools that failed to execute, the same was being done, although a little differently. The malware author had gone to the trouble of creating a very extensive list of anti-malware and anti-virus utilities and their executable image names. It created a registry key in Image File Execution Options for each exe cataloged (Anti-malware Bytes MBAM.exe, for example) and set the Debugger string to svchost.exe, which is not a debugger at all, so the tool never starts and no error is shown:
The obvious gap in this malware's list is that it did not create a key for Autoruns, which made it possible to run Autoruns and easily see how the malware was working against the system. Getting back access to taskmgr and, more importantly, regedit was then a matter of unchecking both entries in Autoruns and launching regedit, allowing for a manual system cleanup.
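As an added example (not from the original post), the following Python script parses a `reg export` of the Image File Execution Options key and flags every Debugger value that hands an image to svchost.exe or to anything outside an assumed allow-list of real debuggers, emitting the `reg delete` command that removes each one. The sample export, the scareware path and the allow-list are constructed for the example; the windbg entry is included to show a legitimate use of the key that must not be flagged.

```python
import re
from pathlib import PureWindowsPath
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Assumed allow-list of binaries that legitimately appear as an IFEO Debugger; extend for your estate.
KNOWN_DEBUGGERS = {"windbg.exe", "ntsd.exe", "cdb.exe", "vsjitdebugger.exe", "devenv.exe"}
# Constructed sample `reg export` of the IFEO key from a machine hit like the one in the post
# (the scareware path is made up; the windbg entry shows a legitimate use of the key).
SAMPLE_REG = rf"""Windows Registry Editor Version 5.00

[{IFEO}\taskmgr.exe]
"Debugger"="C:\\Users\\user\\AppData\\Local\\a1b2c3.exe"

[{IFEO}\mbam.exe]
"Debugger"="svchost.exe"

[{IFEO}\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\" -g"
"""
def parse_ifeo(reg_text):
    """Map image name -> Debugger command for every direct IFEO subkey that carries one."""
    entries, image = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            full = key.group(1)
            rest = full[len(IFEO) + 1:] if full.lower().startswith(IFEO.lower() + "\\") else ""
            image = rest.lower() if rest and "\\" not in rest else None  # only direct subkeys count
            continue
        val = re.match(r'^"Debugger"="(.*)"$', line)
        if val and image:
            entries[image] = re.sub(r"\\(.)", r"\1", val.group(1))  # undo .reg escaping of \ and "
    return entries

def debugger_basename(command):
    """Lower-cased file name of the program a Debugger value actually launches (quoted or first token)."""
    exe = command[1:command.index('"', 1)] if command.startswith('"') else command.split()[0]
    return PureWindowsPath(exe).name.lower()

def find_ifeo_hijacks(reg_text):
    """Flag Debugger values that hand an image to svchost.exe or to anything not on the allow-list."""
    findings = []
    for image, command in parse_ifeo(reg_text).items():
        target = debugger_basename(command)
        if target in KNOWN_DEBUGGERS:
            continue  # a real debugger: legitimate use of the key
        reason = ("Debugger is svchost.exe: not a debugger, so the image silently never starts"
                  if target == "svchost.exe" else f"Debugger is the unrecognised binary {target}")
        fix = f'reg delete "{IFEO.replace("HKEY_LOCAL_MACHINE", "HKLM", 1)}\\{image}" /v Debugger /f'
        findings.append({"image": image, "debugger": command, "reason": reason, "fix": fix})
    return findings
```

On a live machine, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and pass the file's contents to `find_ifeo_hijacks` instead of `SAMPLE_REG`.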
[1] Another method of piping legitimate executable images through a malicious file is to create a registry key named .exe, for example, in the affected user's UsrClass.dat hive (HKCU\Software\Classes), with a similar string value pointing to the malware exe (Internet Security 2011-2012).