
Win98 vulnerability?


Multibooter


Tihiy has written a very interesting Network activity indicator, described in http://www.msfn.org/board/index.php?showto...mp;#entry854139 and downloadable from http://tihiy.ahanix.org/IpTest.zip

I like it: its system tray icon looks really great, and it can shut off the connection to the internet. But what is really interesting is that it doesn't show up in Task Manager (alt-ctl-del), or in the process viewer PrcView v3.7.3.1, or in Startup Organizer by Metaproducts. If there weren't an icon in the system tray, I wouldn't know it was running.

Is there some software which readily indicates under Win98 that programs like Tihiy's were added/installed/are running? (Well, STOBJECT.DLL is indicated in MS System Information -> Software Environment -> 32-bit Modules Loaded, but who's looking there regularly?)

Edited by Multibooter


Autoruns does.
Thanks Tihiy. I downloaded v9.41 from http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx but under plain-vanilla Win98SE its program window doesn't appear on the screen, even if the Task manager shows Autoruns. Instead, it tries to call home to Microsoft and in the process it attempts to hang my old Tiny firewall.

What could be the last/best version which works under plain-vanilla Win98SE?

Edited by Multibooter

Autoruns 9.13
Thanks. v9.13, with the digital signature of 25-Feb-2008, runs fine under Win98SE. I also tried v9.35, but this version didn't run anymore. Are there any versions in between which still run under Win98SE, or is v9.13 really the last one?

Addendum: just tried v9.21; it doesn't run under Win98SE either.

Edited by Multibooter

Autoruns does.
Thanks Tihiy. I downloaded v9.41 from http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx but under plain-vanilla Win98SE its program window doesn't appear on the screen, even if the Task manager shows Autoruns. Instead, it tries to call home to Microsoft and in the process it attempts to hang my old Tiny firewall.

What could be the last/best version which works under plain-vanilla Win98SE?

Archiving this type of information in the following thread:

System Internals Utilities on Win9x

As whatever420 stated: v9.13 works. Beware of testing more recent versions on Win9x. Besides not actually closing when you exit, they can cause some ugly side effects to USB peripherals like keyboards. I would not attempt this with flashdrives or USB harddrives attached!


As whatever420 stated: v9.13 works. Beware of testing more recent versions on Win9x. Besides not actually closing when you exit, they can cause some ugly side effects to USB peripherals like keyboards. I would not attempt this with flashdrives or USB harddrives attached!
Thanks CharlotteTheHarlot. I had noticed that the higher versions stayed in Task Manager, but wasn't aware of possible dangers to my USB HDDs, which I luckily hadn't attached.

Very often the last version of a software for Win98 is full of new and unresolved/hard-to-resolve issues (e.g. NVidia GeForce driver). I have also come across Autoruns v9.00, digitally signed 14-Dec-2007 (v9.13 is digitally signed 25-Feb-2008). Is there a v9.12 or something between v9.00 and v9.13? Maybe the second-to-the-last version would be safer, especially given this USB warning.

Edited by Multibooter

Is there a v9.12 or something between v9.00 and v9.13? Maybe the second-to-the-last version would be safer, especially given this USB warning.
The link provided by Whatever420 is to the FileHippo software archive. There you'll also find v9.12, together with various other previous (and later, but those are irrelevant) versions of Autoruns.

The link provided by Whatever420 is to the FileHippo software archive. There you'll also find v9.12, together with various other previous (and later, but those are irrelevant) versions of Autoruns.
Thanks dencorso, somehow I hadn't seen the link.

Very often the last version of a software for Win98 is full of new and unresolved/hard-to-resolve issues (e.g. NVidia GeForce driver). I have also come across Autoruns v9.00, digitally signed 14-Dec-2007 (v9.13 is digitally signed 25-Feb-2008). Is there a v9.12 or something between v9.00 and v9.13? Maybe the second-to-the-last version would be safer, especially given this USB warning.

Just inventoried all the versions I had and dropped them into this post.


stobject.dll does show up in Process Explorer in the lower pane when it's set to display DLLs. The registry key used to load it, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, has been used by some malicious code.

From Bleeping computers:

ShellServiceObjectDelayLoad - This Registry contains values in a similar way as the Run key does. The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information about the particular DLL file that is being used.

The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your computer, it will always start, thus always loading the files under this key. These files are therefore loaded early in the startup process before any human intervention occurs.

Registry Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

The objects loaded by this key are DLLs loaded by explorer and will not show up on a process monitor as a separate process. The objects in this key are loaded only when explorer starts or restarts. Not all real time autostart monitors watch this key.

If you're concerned about the potential malicious use of this key, a DOS batch file called from autoexec.bat can be your best ally. The batch file can either cover the entire registry or just specific keys with command line entries for regedit.

Rick

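The ShellServiceObjectDelayLoad mechanism described above (a value under the key holds a CLSID, and the CLSID's InProcServer32 default value names the DLL that Explorer loads) lends itself to an offline audit, which is also what Rick's regedit batch file amounts to. The following is an added example, not code from this thread, from Bleeping Computer or from Sysinternals: a Python script that parses a REGEDIT4 export (the text format `regedit /e` writes on Win9x), resolves every ShellServiceObjectDelayLoad value to its DLL path, flags anything that is dangling or not on a reviewer-supplied allowlist, and emits a regedit fragment that removes only the flagged values for later review. The CLSIDs, DLL paths and the allowlist in the sample are constructed and have no relation to real components.

```python
"""Offline audit of ShellServiceObjectDelayLoad (SSODL) from a regedit export.

Added example. Assumes a REGEDIT4 text export that covers both
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion and HKLM\SOFTWARE\Classes\CLSID.
All CLSIDs and paths below are constructed sample data.
"""
import re

SSODL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"

# Constructed sample export: one entry that resolves to a system DLL, one that
# resolves to a DLL in a temp folder, and one whose CLSID has no server at all.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"NetIndicator"="{11111111-1111-1111-1111-111111111111}"
"Updater"="{22222222-2222-2222-2222-222222222222}"
"Ghost"="{33333333-3333-3333-3333-333333333333}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM\\netind.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InProcServer32]
@="C:\\WINDOWS\\TEMP\\updater.dll"
"""

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo REGEDIT4 string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse REGEDIT4 text into {key_lowercase: {value_name: string_data}}.

    Only REG_SZ values are kept; hex/dword data is skipped. Keys are stored in
    lower case because the registry itself compares key names case-insensitively.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
    return keys


def ssodl_entries(keys):
    """Resolve each SSODL value to (value_name, clsid, dll_path_or_None)."""
    out = []
    for name, clsid in keys.get(SSODL.lower(), {}).items():
        server = keys.get(f"{CLSID_ROOT}\\{clsid}\\InProcServer32".lower(), {})
        out.append((name, clsid, server.get("")))  # "" is the (Default) value
    return out


def audit(text, allowlist):
    """Return (name, clsid, dll, reason) for entries a reviewer should look at.

    allowlist: DLL paths the reviewer has verified; compared case-insensitively,
    as Win9x paths are.
    """
    allowed = {p.lower() for p in allowlist}
    findings = []
    for name, clsid, dll in ssodl_entries(parse_reg(text)):
        if dll is None:
            findings.append((name, clsid, None, "CLSID has no InProcServer32 in the export"))
        elif dll.lower() not in allowed:
            findings.append((name, clsid, dll, "DLL not in allowlist"))
    return findings


def removal_reg(findings):
    """Build a REGEDIT4 fragment that deletes only the flagged SSODL values.

    Intended for review before use; Explorer keeps an already-loaded DLL until
    it restarts, which matches the thread's observation that the key is read
    only when Explorer starts.
    """
    lines = ["REGEDIT4", "", f"[{SSODL}]"]
    lines.extend(f'"{name}"=-' for name, _, _, _ in findings)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, [r"C:\WINDOWS\SYSTEM\netind.dll"]):
        print(finding)
    print(removal_reg(audit(SAMPLE_REG, [r"C:\WINDOWS\SYSTEM\netind.dll"])))
```

The allowlist is the reviewer's judgement, not the script's: on a machine where Tihiy's indicator is wanted, its DLL simply goes on the list, which avoids the all-or-nothing choice of emptying the key that CharlotteTheHarlot describes later in the thread.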

stobject.dll does show up in Process Explorer in the lower pane when it's set to display DLLs. The registry key used to load it, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, has been used by some malicious code.

From Bleeping computers:

ShellServiceObjectDelayLoad - This Registry contains values in a similar way as the Run key does. The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information about the particular DLL file that is being used.

The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your computer, it will always start, thus always loading the files under this key. These files are therefore loaded early in the startup process before any human intervention occurs.

Registry Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

The objects loaded by this key are DLLs loaded by explorer and will not show up on a process monitor as a separate process. The objects in this key are loaded only when explorer starts or restarts. Not all real time autostart monitors watch this key.

If you're concerned about the potential malicious use of this key, a DOS batch file called from autoexec.bat can be your best ally. The batch file can either cover the entire registry or just specific keys with command line entries for regedit.

Indeed. The ShellServiceObjectDelayLoad is an old hook, one of many exploitable startup access points that appeared in the Win95 shell. Thankfully we have Autoruns to illustrate them.

This particular entry point has always been used by Microsoft to load its controversial WebCheck.dll among other things (there was lots of discussion back in the day about whether it was necessary at all). You can see it is present in that screenshot above from Tihiy. This hook persists in WinXP as well.

I decided long ago that all these autoloading registry locations are way too much exposure and I flushed them all to empty on Win9x with a REG file. But your mileage may vary because if I remember correctly, there were some other related details that required some attention also, namely the keys ending with WebCheck], SyncMgr], Scheduled_Updates], and possibly some more (perhaps Protected Storage and the Event System).

Obviously the plugging of this autoloading hook is a double-edged sword however, since it would also preclude using this excellent network systray utility developed by Tihiy.


I removed the WebCheck entries on all my 9X and 2K systems with no resulting problems. On my 98FE box, Tihiy's network monitor is the only entry in that key. On this 98SE, that key was removed with Internet Explorer. When I first started building the startup batch file, I was covering the different autostart locations individually. After a while, I decided to replace the entire registry instead of individual keys. This way, the same batch file worked on all the single user 98 systems and addressed several other problems as well. On my FE box, the batch file takes a bit over 1 minute to complete at startup, partly due to the number of files and folders it overwrites and partly because of the 366mhz processor. Even so, I consider it a small price to pay for malware protection and for starting every session with a clean, optimized registry. The only time it causes a problem is when I install something and forget to make new backups before rebooting.


The ShellServiceObjectDelayLoad is an old hook, one of many exploitable startup access points that appeared in the Win95 shell. Thankfully we have Autoruns to illustrate them. This particular entry point has always been used by Microsoft to load its controversial WebCheck.dll
Webcheck.dll was also displayed by Autoruns on my laptop, which runs Internet Explorer v6.0.2600, downloaded on 20-Sep-2001 from MS and re-installed after a clean install of Win98SE on 10-Oct-2003. Webcheck.dll on my laptop has 258.048 bytes and is displayed as v6.00.2600.0000, but with a file modification date of 10-Oct-2003, 2 years after the original download. Iexplore.exe is v6.00.2600.0000 but has the modification date 17-Aug-2001, and ie6setup.exe is digitally signed 20-Aug-2001 [i.e. before Sep. 11, 2001]. IE probably called home during the installation on 10-Oct-2003, but why would webcheck.dll have a much later modification date than Iexplore.exe?

BTW, are the excellent postings about webcheck.dll (of 2005) http://www.msfn.org/board/index.php?showtopic=46066&st=0 still OK with today's new hardware?

Edited by Multibooter