Delete files that don’t exist
Here’s a cute malware trick for today, utilising the seemingly infinitely flexible Windows registry to delete files that don’t yet exist.
The registry allows you to associate a debugger with any program you like. A genuine debugger is specialised software used to help develop new programs, so this is actually a useful feature in the right circumstances. But the debugger registry entries actually allow you to make any program you like run just before any other program you like - just pick the names.
We most often see this used by malware to get themselves run when Windows starts up, for example by registering their own file as a debugger for winlogon.exe or explorer.exe. They run just before, and then hand control over. Today I saw a new trick:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BabyRina.exe
    Debugger = cmd.exe /c del
What this means is that should a file called BabyRina.exe be run, Windows will execute “cmd.exe /c del BabyRina.exe”, which removes it before it has a chance to do anything. It doesn’t matter where it is, or whether it existed at the time the registry entry was made. Why BabyRina? I’m not sure, but it’s not hard to find out that she’s a notorious figure in the Islamic world, though you may not want to search for her at work. There was also a similar entry regarding AmyMastura.exe - apparently a more legitimate Malaysian actress (and singer). As a guess, I’d say these are the Malaysian-area equivalent of the recently all-too-common AngelinaJolie.exe spam emails.
The odd part is that the malware that puts in this registry change has nothing to do with this file. It’s stopping this file - and a list of others - from running in the future. None of the names existed as files on my test system, and all of them looked rather suspicious. Perhaps rivalry between malware authors? That’s certainly something we see.
It’s a short jump from this to listing all common anti-virus executable names, or all firewall names. And then, even if they’re installed at a later date, when they run, Windows will tidily delete them for you.
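One way to spot this on a suspect machine is to audit the Image File Execution Options key for Debugger values and flag any whose command line is a cmd.exe delete rather than a real debugger. The script below is an added example, not Sophos code; it parses the text of a `reg export` of that key, and the sample export embedded in it is constructed (the BabyRina entry mirrors the one above, the other two subkeys are made up for contrast).

```python
import re
import sys

# Constructed sample imitating 'reg export' output of the IFEO key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BabyRina.exe]
"Debugger"="cmd.exe /c del"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001
'''

IFEO_MARKER = "\\Image File Execution Options\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)

def unescape_reg_string(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def classify(command):
    # Windows appends the launched program's path to the Debugger string, so
    # "cmd.exe /c del" becomes "cmd.exe /c del C:\...\BabyRina.exe" at run time.
    tokens = command.lower().split()
    if not tokens:
        return "empty"
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1]
    if exe in ("cmd", "cmd.exe") and any(t in ("del", "erase") for t in tokens[1:]):
        return "deletes target"
    return "redirects launch"

def audit_ifeo(reg_text):
    """Return (target, debugger command, verdict) for each subkey with a Debugger value."""
    findings, target = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            path = m.group(1)
            target = path.split(IFEO_MARKER, 1)[1] if IFEO_MARKER in path else None
            continue
        m = DEBUGGER_RE.match(line)
        if m and target:
            cmd = unescape_reg_string(m.group(1))
            findings.append((target, cmd, classify(cmd)))
    return findings

if __name__ == "__main__":
    # A real export is UTF-16: reg export "HKLM\...\Image File Execution Options" ifeo.reg
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for target, cmd, verdict in audit_ifeo(text):
        print(f"{verdict:16} {target:20} -> {cmd}")
```

Any "redirects launch" hit still deserves a look, since a debugger pointing at an unexpected executable is the startup trick described earlier in the post.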
The file in question had a host of dubious properties and was easily detected by Sophos. A few short checks showed me we’ve been seeing this trick for at least a month, but not in anything sophisticated so far.
Posted on January 14th, 2009 by Stephen Edwards. Filed under: Malware