
Win98 vulnerability?


Multibooter


If nothing happens then logic would dictate that when MSIE version 4/5 is installed some core patching must take place (perhaps IO.SYS) that enables these new and wonderful startup locations to be used by Windows. Hmmm. As Artie Johnson would say: Verrrry Interestink ... .
There is no need for direct core patching, because some core files are actually substituted on installation, shlwapi.dll and shfolder.dll being just two examples of it. To know (a lot) more about the IE files and integration, please visit the venerable Geoff Chappell's new site: link ;) Edited by dencorso


I've been using Starter v5.6.2.8 for quite a while... with no problems to report...

http://codestuff.tripod.com/Starter.zip

Thanks for the link.

Yes, 5.6.2.8 should be the last available version. Apparently, development stalled (or stopped).

Thanks for the big screen shot. In order to display in Codestuff Starter stobject.dll of Tihiy's IPTest, one has to select -> Options -> Miscellaneous -> Show Expert-only items.

I have been using up to now Startup Organizer by Metaproducts http://www.metaproducts.com/mp/Startup_Organizer.htm which handily displays/warns when a program has been added or deleted from startup, with a rollback option. But Startup Organizer doesn't display Tihiy's stobject.dll, nor a msg after its installation. Startup Organizer, however, does show correctly the path to one startup item, hpjsira.exe (HP Install Network Printer Wizard v3.04, for IP based printing), while Codestuff Starter just displays File not found (Autoruns v9.13 displays the startup info ok for hpjsira.exe).

I don't have nusb 3.3 currently installed, does Codestuff Starter also display nusb?

Edited by Multibooter

No NUSB in the list, but if you wanna see all the loaded modules, select EXPLORER.EXE (and others like MPR.EXE, MSGSRV.EXE, etc) in the top list and have a look at the modules list at the bottom (in the Processes window).

A detailed Dr.Watson report would also show the currently loaded modules and running processes.

Edited by Drugwash

Just wanted to mention that I am the MSFN member who passed those 9x rootkits to Herbalist as mentioned in the thread linked by him above and I point out that they are visible from at least two win32 applications which are System Internals OpenList and Process Explorer (In explorer.exe handles pane for the latter) if I recall correctly.

As already mentioned in an old thread there are at least two very easy to use applications for generating rootkits for 9x systems, AFX Rootkit 2003 (Ring3 rootkits that should be invisible only from win32 apps running in the main virtual machine) and 9xRx (Ring0 rootkits that I think should be invisible from any virtual machines, Win32, Win16 or DOS).

One thing that I consider a big vulnerability and which I have discovered is the little known Folder Shortcut (otherwise known as Shell Link I think) feature that permits completely hiding (executable) files from explorer and the find utility. It cannot be exploited by browsing websites but could infect, for example, a downloaded zipped archive containing html files and subfolders. A casual inspection with the find utility looking for all files would show nothing wrong but opening the html with Internet Explorer would silently execute the hidden executable thanks to a little bit of javascript with the onload tag and the fact that the browser views this html in the trusted zone (the local machine). I think I made several very simple proofs of concept of it. I'll dig them up and upload them if someone's interested.


I have read the discussion about webcheck.dll and wanted to say that this file can safely be removed entirely from the system as it is used only for fetching items online in order to update the "Active Desktop" which no one uses I think.

I don't have a webcheck.dll in my system for years now and amongst the thousands and thousands of applications I have downloaded not a single one ever complained it was missing this file.


I also wanted to say that my Opera browser has been infected twice that I am aware of. In both cases the opera.exe had been patched. I am clueless as to what the vulnerability leading to that patching is.


I also think the MBR is a place to watch as an "autostart" location. Instead of directly jumping to the boot partition it could well jump, if infected, to malware code written on the 62 sectors before the first partition starts on sector 63.

Perhaps unlikely as there could be boot manager code there.
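A defender-side check for the "MBR gap" idea raised in the post above, as an added example that is not code from the thread or from any of the tools it mentions: it parses the four MBR partition-table entries (16 bytes each starting at offset 446, start LBA as a little-endian 32-bit value at entry offset 8, 0x55AA signature at offset 510), finds the lowest partition start, and reports which sectors between the MBR and that partition contain anything other than zeros. The disk image it runs on is constructed inline (a first partition at LBA 63 and two gap sectors filled with placeholder bytes); to inspect a real drive you would pass a raw image file on the command line, which is an assumption about how it is used. As the post itself notes, boot managers legitimately live in that gap, so a non-zero sector is a lead to examine, not proof of infection.

```python
import struct
import sys

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"


def partition_starts(mbr: bytes) -> list:
    """Return the start LBA of every populated entry in the MBR partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR: 0x55AA signature missing")
    starts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        part_type = entry[4]                      # 0x00 means unused slot
        (start_lba,) = struct.unpack_from("<I", entry, 8)
        if part_type != 0 and start_lba != 0:
            starts.append(start_lba)
    return starts


def scan_mbr_gap(image: bytes) -> dict:
    """List the sectors between the MBR and the first partition that are not all zeros."""
    starts = partition_starts(image[:SECTOR])
    if not starts:
        raise ValueError("no partitions defined in MBR")
    first = min(starts)
    gap = range(1, first)                         # LBA 1 .. first-1 (62 sectors when first == 63)
    nonzero = []
    for lba in gap:
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if any(sector):                           # any byte != 0
            nonzero.append(lba)
    return {
        "first_partition_lba": first,
        "gap_sectors": len(gap),
        "nonzero_gap_sectors": nonzero,
    }


def build_sample_image(hidden_sectors=(10, 11)) -> bytes:
    """Constructed 64-sector image: MBR, 62-sector gap, first partition at LBA 63 (sample data)."""
    mbr = bytearray(SECTOR)
    # One active partition entry: type 0x0B (FAT32), CHS fields are irrelevant here, start LBA 63.
    mbr[446:462] = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x0B, 0xFE, 0xFF, 0xFF, 63, 1000)
    mbr[510:512] = MBR_SIGNATURE
    image = bytearray(mbr)
    image += bytes(SECTOR * 62)                   # the gap, all zeros
    image += bytes(SECTOR)                        # stand-in for the partition's first sector
    for lba in hidden_sectors:                    # placeholder bytes standing in for code in the gap
        image[lba * SECTOR:lba * SECTOR + 16] = b"HIDDEN-STAGE2..."
    return bytes(image)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:       # assumed usage: raw image file as argument
            data = fh.read()
    else:
        data = build_sample_image()
    report = scan_mbr_gap(data)
    print(f"first partition at LBA {report['first_partition_lba']}, "
          f"{report['gap_sectors']} gap sectors, "
          f"non-zero gap sectors: {report['nonzero_gap_sectors']}")
```

Run without arguments it reports sectors 10 and 11 of the constructed image; on a real image, compare any non-zero sectors against the boot manager you know is installed before drawing conclusions.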


What could be the last/best version which works under plain-vanilla Win98SE?

Autoruns 9.13

Under Win98SE when right-clicking on an Autorun entry in Autoruns v9.13, one can select Process Explorer. What is the last/best version of Process Explorer for Win98SE and its download location? Galah's page http://www.msfn.org/board/index.php?showtopic=105936 lists v11.03, but his link goes to MS v11.33, which doesn't list Win98.

Version 11.11 was the last version of ProcExp that worked, without modification, on Win9x. ExeVersion is capable of making all following versions work on Win9x. I don't have a download location for 11.11 since redistribution is against its EULA. Newer versions have at least some minor functionality additions that do work on Win9x, so a newer patched executable is my recommendation.

Queue


Version 11.11 was the last version of ProcExp that worked, without modification, on Win9x.
Thanks Queue. Autoruns v9.13 links fine to Process Explorer v11.11 http://www.filehippo.com/download_process_explorer/3854/ under Win98SE. http://www.filehippo.com/ looks like an authorized site with lots of freeware.

procexp.chm of Process Explorer v11.11 calls home to 64.4.52.169, port 80 - TCP

Edited by Multibooter