Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows Registry - Nasty Games of Hide & Seek


  • Please log in to reply
No replies to this topic

#1 harrywaldron

harrywaldron

    Security Reporter


  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:06:55 PM

Posted 26 August 2005 - 04:06 PM

For the past two days, the Internet Storm Center (ISC) has shared a warning on very long registry key values that can be made hidden from REGEDIT by malware making removal more complicated than in the past. This may be in a new trend in virus developments

The Internet Storm Center (ISC) is offering a free Registry Search Tool. This neat new tool will locate the registry key values greater than 255 characters in length.

Windows Registry - Nasty Games of Hide & Seek
http://isc.sans.org/diary.php?date=2005-08-24
http://isc.sans.org/diary.php?date=2005-08-25

ISC Registry Search tool -- locates long key values
http://isc.sans.org/LVNSearch.exe

We have started to see some possible reports of malware which utilizes this concealment technique in the wild.  Products that have been reported to be able to query/report/delete/etc these keys:

AppSense Environment Manager
HiJackThis v1.99.1 (SCAN function)
HiJackThis v1.99.2 (in development)
Stillsecure SafeAccess
Sysinternals Autoruns (mixed reports)
Regedt32 (Win2k)



BC AdBot (Login to Remove)

 


m



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users