“Image File Execution Options” is an Evil Registry Key
Written by Matthew on August 14, 2009 – 6:00 pm

Came across a variant of Antivirus XP today that uses a particularly nasty way to ensure reinfection. It adds new subkeys to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. The subkeys are the names of common programs such as notepad.exe or zonealarm.exe. It then adds a Debugger value for each file, like so:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe\Debugger = "svchost.exe"
This means that every time you try to launch zonealarm.exe, Windows runs the "debugger" (svchost.exe) instead, with the original program as its argument – and in this case that svchost.exe is a trojan executable, not the real one in System32.
Thinking of adding TrojanHunter detection for any Image File Execution Options sub-key that has a Debugger value… it’s not that common on user systems.
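The check described in the post, written here as an added PowerShell audit script (not TrojanHunter's code and not part of the original post): it walks every subkey under Image File Execution Options (including the WOW6432Node copy used for 32-bit processes on 64-bit Windows), reports any Debugger value, and flags values that are not on a small allow-list or that name a bare executable without a full path, as the post's svchost.exe entry does. The allow-list contents are an assumption to tune for your environment.

```powershell
# Added example: enumerate IFEO subkeys that carry a Debugger value.
# Reading HKLM does not require elevation; removing a value does.

$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Assumed allow-list: debuggers that legitimately register themselves here
# on developer machines. Anything else is reported as suspicious.
$knownDebuggers = @('vsjitdebugger.exe', 'windbg.exe')

function Get-IfeoDebuggerFindings {
    foreach ($base in $ifeoPaths) {
        if (-not (Test-Path -Path $base)) { continue }

        Get-ChildItem -Path $base | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue
            if (-not $props -or -not $props.Debugger) { return }

            $debugger = [string]$props.Debugger

            # First token of the value: a quoted path, or everything up to the first space.
            $first = if ($debugger -match '^"([^"]+)"') { $Matches[1] } else { ($debugger -split '\s+')[0] }
            $exe   = [System.IO.Path]::GetFileName($first).ToLowerInvariant()

            $reasons = @()
            if ($knownDebuggers -notcontains $exe) {
                $reasons += 'debugger not on allow-list'
            }
            if (-not [System.IO.Path]::IsPathRooted($first)) {
                # A bare name like "svchost.exe" is resolved via the search path at launch
                # time, so it can point at a copy dropped outside System32.
                $reasons += 'unqualified path'
            }

            [PSCustomObject]@{
                Hive     = $base
                Target   = $_.PSChildName      # the hijacked program, e.g. zonealarm.exe
                Debugger = $debugger
                Status   = if ($reasons.Count -eq 0) { 'known' } else { 'SUSPICIOUS' }
                Reason   = ($reasons -join '; ')
            }
        }
    }
}

# Usage: list findings, suspicious entries first.
Get-IfeoDebuggerFindings | Sort-Object Status -Descending | Format-Table -AutoSize
```

Once an entry has been confirmed as malicious, `Remove-ItemProperty -Path "<subkey path>" -Name Debugger` from an elevated prompt restores normal launching of the target program; the dropped executable the value pointed at still has to be dealt with separately.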
Posted in General Security