Image Hijack used in recent virus attack.

Recently there were a couple of cases where a virus-infected computer
refused to run Task Manager, Registry Editor and other common Windows
built-in applications. After a full scan for viruses, trojan horses and
spyware, every detected problem had been removed.

However, those built-in applications still refused to run. I dived into
the system folder: Taskmgr.exe was there under c:\windows\system32\. I
double-clicked it and got no response. So I tried copying it to the
desktop and running it from there; still no good. Renamed the program, and it ran happily.
So, what was the problem?

It's an Image Hijack. If you run Autoruns from Sysinternals, you
will see something like the following picture. I had replaced my Task
Manager with Sysinternals Process Explorer; just a couple of registry
tweaks accomplish the same thing. So what really happened is that
the virus added a registry entry for each of those applications, pointing it
to itself. In most cases the virus was then cleaned, but the registry
entry remained, so the redirection kept working with nothing to run.
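The redirection described above lives in the Image File Execution Options (IFEO) key, where a "Debugger" value makes Windows launch the named program instead of the original image. As an added example (not from the original post), this PowerShell audit lists every such value so leftover entries can be reviewed and, once confirmed, removed; the key path is the standard IFEO location and the script assumes it is run from an elevated prompt:

```powershell
# Added audit script, not part of the original post.
# Lists IFEO "Debugger" redirections (the mechanism behind the Image Hijack)
# so an admin can spot entries left behind after an infection was cleaned.
$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebugger {
    param([string]$Root = $Ifeo)
    # One subkey per hijacked image name (e.g. taskmgr.exe, regedit.exe).
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger `
                -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image    = $_.PSChildName   # program the user double-clicks
                Debugger = $dbg             # program Windows actually starts
                Key      = $_.Name          # full key, for the cleanup step
                Exists   = Test-Path -LiteralPath ($dbg.Trim('"') -split '\s+')[0]
            }
        }
    }
}

$hits = Get-IfeoDebugger
if (-not $hits) {
    'No IFEO Debugger entries found.'
} else {
    # Exists = False is the post's symptom: the virus is gone, the redirect is not.
    $hits | Format-Table Image, Debugger, Exists -AutoSize
    # After reviewing the list, drop -WhatIf to actually remove the stale values.
    $hits | Where-Object { -not $_.Exists } | ForEach-Object {
        Remove-ItemProperty -Path "Registry::$($_.Key)" -Name Debugger -WhatIf
    }
}
```

Legitimate entries exist too (a real debugger, or Process Explorer's "Replace Task Manager" option), so review the list before deleting anything.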

More info:
http://geekswithblogs.net/ssimakov/archive/2005/03/22/26930.aspx
