Windows Explorer DLL redirection is a new dangerous Windows startup hole
||History of the problem:
Recently the Greatis security team tested the W32/Almanahe.c virus.
A detailed description of the virus can be found here:
The virus uses several ways of starting automatically at Windows boot:
- Autorun.inf on the hard drive;
- File infection.
But we found that the virus also uses a new Windows startup hole, not detected by RegRun/UnHackMe.
The virus creates the file "linkinfo.dll" and puts it into the Windows folder.
The genuine "linkinfo.dll", made by Microsoft, is stored in the Windows\System32 folder.
Why does the Windows shell "explorer.exe" load "linkinfo.dll" from a non-standard place?
We examined the file and registry changes made by the virus and found nothing that explains it.
After that we put the virus file "linkinfo.dll" into the Windows folder on a clean computer and found that explorer.exe loads the infected version of "linkinfo.dll".
We then copied the genuine "linkinfo.dll" from the System32 folder to the Windows folder and saw that Explorer.exe again uses the "linkinfo.dll" from the Windows folder.
||Why is it dangerous?
The computer may be infected simply by copying the virus file to the Windows folder, without making changes to the system settings (registry or configuration files) or modifying Windows system files.
A Trojan needs write access to the Windows folder.
But usually that is not a problem: power users and administrators have full rights to the Windows folder.
Windows File Protection does not help you.
Affected systems: Windows 2000, XP (SP1, SP2, SP3), 2003, Vista (SP1), 2008 Server.
Vista UAC prevents a user from creating files in the Windows folder, but it can easily be bypassed.
Microsoft MSDN information:
"The standard DLL search order:
- The directory from which the application loaded.
- The system directory. Use the GetSystemDirectory function to get the path of this directory.
- The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
- The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
- The current directory.
- The directories that are listed in the PATH environment variable.
Note that this does not include the per-application path specified by
the App Paths registry key. The App Paths key is not used when
computing the DLL search path."
We can see that the first place where "Explorer.exe" searches for DLLs is the directory from which the application was loaded.
But explorer.exe is stored in the Windows folder.
That is the source of the problem!
Explorer.exe searches for DLLs in its own folder first: the Windows folder.
This is not a local problem with linkinfo.dll only!
We investigated the DLLs loaded by explorer.exe at Windows boot and found that 20 DLLs under Windows XP and 46 DLLs under Windows Vista may be redirected.
We do not publish the list of the affected DLLs, but anyone can easily obtain it with their own investigation.
RegRun 5.8 and UnHackMe 4.8 automatically detect redirected DLLs and allow you to remove them from your computer while running "Scan for Viruses".
The proper fix is for the Windows developers to close the security hole in explorer.exe itself.
We offer a workaround.
The KnownDLLs registry key
contains the list of the DLLs "known" to the system.
Its DllDirectory value contains the path to the folder where these DLLs are stored; by default it is the Windows\System32 folder.
If we add the redirected DLL names to the KnownDLLs registry key, the Windows "explorer.exe" will load those DLLs from the right place.
Raymond Chen from Microsoft wrote an article, "The Known DLLs Balancing Act", in which he warns against changing the KnownDLLs registry key because it may affect system performance.
We tested performance in Windows 2000/XP/Vista after adding the investigated DLL names to KnownDLLs and found no problems with system boot or performance.
But you should know that you use this protection method at your own risk.
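To make the search-order argument and the KnownDLLs workaround concrete, here is an added example (not Greatis/RegRun code) that models the MSDN search order quoted above and flags DLLs in the Windows folder that shadow their System32 copies. The directory listings, the folder paths and the function names are constructed for the illustration; on a real host you would feed it the output of a directory listing and the names stored under KnownDLLs.

```python
from typing import Dict, Iterable, List, Optional

WINDOWS_DIR = r"C:\Windows"            # explorer.exe lives here (assumed path)
SYSTEM32_DIR = r"C:\Windows\System32"  # where the genuine linkinfo.dll lives


def resolve_dll(name: str, app_dir: str, listings: Dict[str, List[str]],
                known_dlls: Iterable[str], cwd: str = "",
                path_dirs: Iterable[str] = ()) -> Optional[str]:
    """Directory a DLL is loaded from under the MSDN order quoted above:
    app dir, System32, Windows dir, current dir, PATH. A name listed in
    KnownDLLs is served from the DllDirectory (System32) before any
    directory search. The 16-bit system directory is left out."""
    name = name.lower()                      # Windows names are case-insensitive
    if name in {k.lower() for k in known_dlls}:
        return SYSTEM32_DIR
    for d in [app_dir, SYSTEM32_DIR, WINDOWS_DIR, cwd, *path_dirs]:
        if d and name in {f.lower() for f in listings.get(d, [])}:
            return d
    return None


def shadowed_dlls(listings: Dict[str, List[str]],
                  known_dlls: Iterable[str]) -> List[str]:
    """DLLs present in the Windows folder that also exist in System32 and
    are not pinned by KnownDLLs: the redirection candidates for explorer.exe,
    whose application directory is the Windows folder."""
    win = {f.lower() for f in listings.get(WINDOWS_DIR, [])
           if f.lower().endswith(".dll")}
    sys32 = {f.lower() for f in listings.get(SYSTEM32_DIR, [])}
    known = {k.lower() for k in known_dlls}
    return sorted((win & sys32) - known)


# Constructed listings reproducing the scenario on this page (not a real host).
SAMPLE_LISTINGS = {
    WINDOWS_DIR: ["explorer.exe", "linkinfo.dll", "win.ini"],
    SYSTEM32_DIR: ["linkinfo.dll", "shell32.dll", "kernel32.dll"],
}


def demo() -> tuple:
    """Where explorer.exe gets linkinfo.dll before and after the name is
    added to KnownDLLs."""
    before = resolve_dll("linkinfo.dll", WINDOWS_DIR, SAMPLE_LISTINGS, [])
    after = resolve_dll("linkinfo.dll", WINDOWS_DIR, SAMPLE_LISTINGS,
                        ["linkinfo.dll"])
    return before, after


if __name__ == "__main__":
    print(demo())                              # ('C:\\Windows', 'C:\\Windows\\System32')
    print(shadowed_dlls(SAMPLE_LISTINGS, []))  # ['linkinfo.dll']
```

Any name that shadowed_dlls() reports and that you did not place there yourself deserves the same scrutiny the page gives linkinfo.dll; pinning it in KnownDLLs makes resolve_dll() return System32 regardless of what sits in the Windows folder.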
||How to set up protection?
RegRun automatically makes a backup of the current KnownDLLs registry key to:
- Open RegRun Start Control or Reanimator.
- Open "Reanimator" in the main menu and choose the "Protect" item.
- Click on the Protect button.
To restore from the backup, open the "Protect" window as described above and click the "Unprotect" button.
Otherwise, you may use your registry editor to restore the backup key.
Download RegRun Reanimator (free of charge, no ads):
We suggest using RegRun Platinum Edition to be sure that you are clean!