Sophos Cloud Optix
Do you think that Windows help file is safe? Think again.
Malware authors can create boobytrapped .HLP files, designed to infect your computer.
Take for instance, the strange .HLP file which was sent to SophosLabs by some of our customers at the end of August.
The file, Amministrazione.hlp (“Amministrazione” is Italian for “Administration”) was an example of how cybercriminals can use social engineering to trick unsuspecting users into infecting their computers.
If opened, the help file displays an error message:
Help could not read the current Help file.
Make sure there are no errors on the disk, or if the file is on a network drive, that the server is active. (163)
In the background, however, a file called Windows Security Center.exe is being dropped onto the computer, which in turn creates a file called RECYCLER.DLL.
Since SophosLabs first saw this malware attack we have been writing more generic detections which should help pick up new variants of the attack proactively:
| File name | Initial Detection | Generic Detection |
| Amministrazione.hlp | Troj/HlpDrp-B | Mal/HlpDrop-A |
| Windows Security Center.exe | Troj/DarkDrp-A | Mal/DarkDrp-A |
| RECYCLER.DLL | Troj/Agent-OVJ | Mal/DarkShell-A |
The DLL part of the malware attack is the keylogger. It’s partof the DarkShell Trojan that has been tied to GhostNet.
The keylogger component is used to log keystrokes made by the user. These are stored in the following file:
\Documents and Settings\username\Local Settings\Application Data\UserData.dat
(where username is a specific username).
The malware attempts to send this data to images.zyns.com (a domain with a long association with malware).
Stay safe everyone – and remember not to click on .HLP files too readily. They could be harbouring a malware attack.
Thanks for the warning, but I’ve got a few unanswered questions:
Where did this help file come from?
Was it part of a purchased software package, and if so which one?
Or was it downloaded with some free software, and if so which one?
When the help file is ‘run’ (presumably by the windows help facility) why does the windows help facility load and install other files?
Isn’t this a M$ windows total mega-failure, and if so, why hasn’t M$ fixed this long ago?
Sure, it’s nice to warn people about this, but without file origin knowledge, how are we supposed to protect ourselves?
We can’t just stop using help files, or is that what you’re suggesting, because the file name is meaningless when it can be so easily renamed to something more benign?
No it isn't a Microsoft Megafailure it is user idiocy. Do not download a hlp file from anyone OTHER than Microsott. Microsoft's hlp files, their "Fix IT" program…their antivirus and antispyware programs are all free of charge.
Anyone who thinks downloading from a Third Party makes sense is too dense to own a computer.
This HLP file arrived via email and I don't have access to the original.
The bad guys used Social Engineering to open what was thought to be a clean file type. The file type is actually an executable and no vulnerability was triggered.
Use HLP files from trusted sources and take note of errors.
Microsoft haven't fixed this because there is no bug here. Security hole, yes; bug, no.
Winhelp as a technology dates back to Windows 3.1, and didn't receive any major changes when it became 32-bit with Windows 95. Its architecture allows help files to make arbitrary call outs to external DLLs.
As you can imagine, this feature has massive security implications of the worst kind. Unfortunately, it's also critical to the functioning of pretty much every legitimate Winhelp file.
Winhelp is not securable. For this reason, it was removed from Vista and later. From a security perspective, .HLP files should be considered equal to an .EXE; they can do the same things
Actually, avoiding this attack is quite simple. Only download a Windows .hlp file FROM Windows. They don't charge anything for them, you know.
http://support.microsoft.com/
Arn't .HLP files are html files packaged up? IIRC some Spanish group (a29?) once even wrote a POC virus that would infect and drop windows exe's (a bit pointless it's rare a user users help files let alone shares then). Interesting then that it's now being re-invented.
Users can't be trusted to make good decisions about what files are harmful and which ones aren't 100% of the time. We should leave these decisions to the IT geeks, and put the control over downloads in their hands.
@Cassandra: Are you seriously asserting that only MS software and nothing else uses HLP files, and that downloading files from third parties *without any qualifiers* is idiocy? What do you call AV software from non-MS vendors then?