In the recent article, Delete files that don’t exist, Stephen described malware that uses the registry to delete a certain file upon launch. The same registry key can be abused in another way. By adding the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<command to hijack>
with a value named “Debugger” whose data is the path to a handler, malware can disable applications or launch itself whenever the user attempts to launch the hijacked application. Below is a demonstration.
I have added a new registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
and added the value Debugger to point to Notepad.exe.
Upon modification, each time I run cmd.exe, notepad.exe will open and load the binary cmd.exe.
Yet another way to exploit the poor registry.
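To audit a machine for this kind of hijack, here is an added Python example (not from the original post) that scans a `reg export` of the Image File Execution Options key and lists every subkey carrying a Debugger value; the sample export embedded below is constructed for the demonstration, including the hypothetical `update.exe` entry.

```python
import re
from typing import Dict

# Constructed sample of what `reg export` of the IFEO key produces
# (not captured from a real system).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
"Debugger"="C:\\Windows\\System32\\notepad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe]
"Debugger"="C:\\Users\\Public\\update.exe"
"""

# Subkeys under this prefix are named after the image being intercepted.
IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\")


def find_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """Return {image name: debugger path} for every IFEO subkey with a Debugger value.

    Any hit deserves review: a Debugger value means the named path is started
    instead of the program the user asked for, with that program as its argument.
    """
    hits: Dict[str, str] = {}
    current = None  # image name of the IFEO subkey currently being read
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            is_subkey = key.startswith(IFEO_PREFIX) and len(key) > len(IFEO_PREFIX)
            current = key[len(IFEO_PREFIX):] if is_subkey else None
            continue
        if current is None:
            continue
        m = re.match(r'"Debugger"="(.*)"$', line, re.IGNORECASE)
        if m:
            # .reg files escape backslashes and quotes; undo that for a readable path.
            hits[current] = m.group(1).replace("\\\\", "\\").replace('\\"', '"')
    return hits


if __name__ == "__main__":
    for image, debugger in find_ifeo_debuggers(SAMPLE_REG_EXPORT).items():
        print(f"{image} is intercepted by {debugger}")
```

Developer tooling can legitimately register a debugger here, so compare each hit against what you expect on that host rather than treating every entry as malicious.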