How a malicious help file can install a spyware keylogger

Filed Under: Featured, Malware, SophosLabs

Do you think that Windows help file is safe? Think again.

Malware authors can create boobytrapped .HLP files, designed to infect your computer.

Take, for instance, the strange .HLP file that some of our customers sent to SophosLabs at the end of August.

The file, Amministrazione.hlp ("Amministrazione" is Italian for "Administration") was an example of how cybercriminals can use social engineering to trick unsuspecting users into infecting their computers.

Details of malicious HLP file

If opened, the help file displays an error message:

Error message from .HLP file

Help could not read the current Help file.
Make sure there are no errors on the disk, or if the file is on a network drive, that the server is active. (163)

In the background, however, a file called Windows Security Center.exe is being dropped onto the computer, which in turn creates a file called RECYCLER.DLL.

Files dropped by malicious HLP file

Since SophosLabs first saw this malware attack, we have been writing more generic detections that should help pick up new variants of the attack proactively:

File name                    Initial Detection   Generic Detection
Amministrazione.hlp          Troj/HlpDrp-B       Mal/HlpDrop-A
Windows Security Center.exe  Troj/DarkDrp-A      Mal/DarkDrp-A
RECYCLER.DLL                 Troj/Agent-OVJ      Mal/DarkShell-A

The DLL part of the malware attack is the keylogger. It's part of the DarkShell Trojan, which has been tied to GhostNet.

The keylogger component is used to log keystrokes made by the user. These are stored in the following file:

\Documents and Settings\username\Local Settings\Application Data\UserData.dat

(where username is the account name of the logged-in user).

The malware attempts to send this data to a remote domain (one with a long association with malware).

Stay safe everyone - and remember not to click on .HLP files too readily. They could be harbouring a malware attack.
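The triage check below is an added example, not Sophos' tooling or anything from the post. It identifies WinHelp content by the documented header magic (0x00035F3F, the bytes 3F 5F 03 00) rather than by file extension, so a help file renamed to something more benign is still treated like an executable, and it flags the file names from the table above as host indicators of this particular sample. The sample files it writes are constructed for the demo; `triage_bytes`, `triage_path` and the finding labels are names of my own.

```python
"""Content-based triage for WinHelp (.HLP) files.

Added example (not from the post): classify files by their header and
by the dropped-file names reported above, so that an .HLP renamed to
.txt is still treated as executable content.
"""
import os
import struct
import tempfile

# WinHelp files begin with a 16-byte header: magic, directory offset,
# first free block, total file size (all little-endian 32-bit fields).
WINHELP_MAGIC = 0x00035F3F

# File names the post reports for this sample (dropper, payloads, log file).
DROPPED_NAMES = {
    "amministrazione.hlp",
    "windows security center.exe",
    "recycler.dll",
    "userdata.dat",
}


def is_winhelp(data):
    """True if the first bytes carry the WinHelp header magic."""
    if len(data) < 16:
        return False
    magic = struct.unpack("<I", data[:4])[0]
    return magic == WINHELP_MAGIC


def triage_bytes(name, data):
    """Classify one file from its name and leading bytes.

    Verdict policy (my own, for the demo): WinHelp content or a known
    dropped-file name is blocked outright; an .hlp extension without a
    WinHelp header is held for review; everything else is allowed.
    """
    lname = name.lower()
    ext = os.path.splitext(lname)[1]
    winhelp = is_winhelp(data)
    findings = []
    if winhelp:
        findings.append("winhelp-content: treat like an .EXE")
    if winhelp and ext != ".hlp":
        findings.append("winhelp-content-under-other-extension")
    if ext == ".hlp" and not winhelp:
        findings.append("hlp-extension-without-winhelp-header")
    if lname in DROPPED_NAMES:
        findings.append("name-matches-sample-dropped-file")
    if winhelp or lname in DROPPED_NAMES:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"name": name, "winhelp": winhelp, "findings": findings, "verdict": verdict}


def triage_path(path):
    """Read only the header and classify the file on disk."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return triage_bytes(os.path.basename(path), head)


def make_sample_header(total_size=1024):
    """Constructed WinHelp-shaped file: header fields followed by padding."""
    header = struct.pack("<IiiI", WINHELP_MAGIC, 0x2E, -1, total_size)
    return header + b"\x00" * (total_size - len(header))


def demo():
    """Write constructed samples to a temp dir and triage each one."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "Amministrazione.hlp": make_sample_header(),   # name from the post
            "Invoice.txt": make_sample_header(),           # renamed WinHelp content
            "notes.txt": b"plain text, nothing to see\n",   # benign
            "broken.hlp": b"not a help file at all",       # extension mismatch
        }
        results = {}
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            results[name] = triage_path(path)
        return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result['verdict']:7} {', '.join(result['findings']) or '-'}")
```

Reading only the first 16 bytes keeps the check cheap enough to run on every attachment at a mail gateway or on a download directory; the verdict policy is deliberately blunt because, as the post says, an .HLP should be treated with the same suspicion as an .EXE.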


8 Responses to How a malicious help file can install a spyware keylogger

  1. Dr Foo · 1123 days ago

    Thanks for the warning, but I've got a few unanswered questions:

    Where did this help file come from?

    Was it part of a purchased software package, and if so which one?

    Or was it downloaded with some free software, and if so which one?

    When the help file is 'run' (presumably by the windows help facility) why does the windows help facility load and install other files?

    Isn't this a M$ windows total mega-failure, and if so, why hasn't M$ fixed this long ago?

    Sure, it's nice to warn people about this, but without file origin knowledge, how are we supposed to protect ourselves?

    We can't just stop using help files, or is that what you're suggesting, because the file name is meaningless when it can be so easily renamed to something more benign?

    • Cassandra Morrison · 1123 days ago

      No, it isn't a Microsoft megafailure; it is user idiocy. Do not download a hlp file from anyone OTHER than Microsoft. Microsoft's hlp files, their "Fix IT" program... their antivirus and antispyware programs are all free of charge.

      Anyone who thinks downloading from a Third Party makes sense is too dense to own a computer.

    • Paul Baccas · 1122 days ago

      This HLP file arrived via email and I don't have access to the original.

      The bad guys used Social Engineering to open what was thought to be a clean file type. The file type is actually an executable and no vulnerability was triggered.

      Use HLP files from trusted sources and take note of errors.

    • @oshepherd · 1121 days ago

      Microsoft haven't fixed this because there is no bug here. Security hole, yes; bug, no.

      Winhelp as a technology dates back to Windows 3.1, and didn't receive any major changes when it became 32-bit with Windows 95. Its architecture allows help files to make arbitrary call outs to external DLLs.

      As you can imagine, this feature has massive security implications of the worst kind. Unfortunately, it's also critical to the functioning of pretty much every legitimate Winhelp file.

      Winhelp is not securable. For this reason, it was removed from Vista and later. From a security perspective, .HLP files should be considered equal to an .EXE; they can do the same things.

  2. Cassandra Morrison · 1123 days ago

    Actually, avoiding this attack is quite simple. Only download a Windows .hlp file FROM Windows. They don't charge anything for them, you know.

  3. Scott Herbert · 1123 days ago

    Aren't .HLP files HTML files packaged up? IIRC some Spanish group (a29?) once even wrote a POC virus that would infect and drop Windows exe's (a bit pointless; it's rare that a user uses help files, let alone shares them). Interesting then that it's now being re-invented.

  4. Branden Spikes · 1122 days ago

    Users can't be trusted to make good decisions about what files are harmful and which ones aren't 100% of the time. We should leave these decisions to the IT geeks, and put the control over downloads in their hands.

  5. @Cassandra: Are you seriously asserting that only MS software and nothing else uses HLP files, and that downloading files from third parties *without any qualifiers* is idiocy? What do you call AV software from non-MS vendors then?


About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos for pastures new and will be writing as an independent malware researcher. Paul has published several papers, presented at several Virus Bulletin conferences, and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.