If your Google or Yahoo search result links open strange web sites, check for wmfhotfix.dll – it’s malware.

Yesterday I was working on a friend’s computer when clicking a link in Yahoo’s search results produced popup warnings, strange alert boxes and opened obviously rogue web sites in Internet Explorer 7.

I blamed Yahoo, but the same problem affected Google.

I thought the web site for the link was having a cross-site scripting issue or had been hacked, but adding it to "Restricted Sites" and checking with Fiddler2 cleared it from my allegations.

I checked the extensions running in Internet Explorer and verified the manufacturers’ signatures (Google Toolbar is not signed – what are they thinking?).

Again, nothing suspicious there.

OK, we need to call in the troops.

Rootkit Revealer, Autoruns, Process Explorer, all from SysInternals, ahem, Microsoft Technet.

Rootkit Revealer check: Negative.

Autoruns: Some binaries not signed/verifiable, including "wmfhotfix.dll" in AppInit.

Process Explorer: Verifying the signatures of the modules loaded into the Internet Explorer process showed it: wmfhotfix.dll is the culprit. It is a virus disguised as an unofficial patch for the WMF vulnerability from back in the day.

Now, wmfhotfix.dll is loaded into almost every process and can’t easily be removed.

Autoruns to the rescue:

Close all applications, stop as many services as possible, start Autoruns and disable and delete the AppInit entry for wmfhotfix.dll. Close Autoruns. Count to ten (i.e. wait for the registry cache to flush to disk), then power-cycle the machine.

Delete the wmfhotfix.dll from the system32 directory. Scan your system for other occurrences of this file and delete those, too.
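The two checks that exposed the DLL (the AppInit entry in Autoruns and the unsigned module in Process Explorer) can be scripted so they are quick to repeat, for example after the cleanup above to confirm the entry is really gone. This is an added example, not code from the original post; it assumes an elevated PowerShell session on Windows, the standard AppInit_DLLs registry locations, and that the browser process to inspect is `iexplore` (change `$procName` for another process).

```powershell
# Added example (not from the original post): list AppInit_DLLs entries and verify the
# Authenticode signature of each DLL, then flag unsigned modules in the browser process.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view on x64
)

function Test-SignedFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'Missing' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return "Valid ($($sig.SignerCertificate.Subject))" }
    return $sig.Status.ToString()   # NotSigned, HashMismatch, UnknownError, ...
}

# 1. AppInit_DLLs: a single string value; entries are separated by spaces or commas.
foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $props   = Get-ItemProperty -Path $key
    $raw     = $props.AppInit_DLLs
    $enabled = $props.LoadAppInit_DLLs   # Vista and later; absent on XP
    Write-Host "$key`n  AppInit_DLLs='$raw'  LoadAppInit_DLLs=$enabled"
    if ([string]::IsNullOrWhiteSpace($raw)) { continue }
    foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
        # Bare file names are resolved relative to System32, as the loader does.
        $path = if ([IO.Path]::IsPathRooted($entry)) { $entry }
                else { Join-Path $env:SystemRoot "System32\$entry" }
        "  {0,-55} {1}" -f $path, (Test-SignedFile $path)
    }
}

# 2. Modules loaded into the browser: print everything that is not validly signed.
$procName = 'iexplore'   # assumption: the process being inspected
Get-Process -Name $procName -ErrorAction SilentlyContinue | ForEach-Object {
    try { $modules = $_.Modules } catch { Write-Warning "PID $($_.Id): cannot read modules ($_)"; return }
    foreach ($m in $modules) {
        $status = Test-SignedFile $m.FileName
        if ($status -notlike 'Valid*') {
            "{0,-6} {1,-55} {2}" -f $_.Id, $m.FileName, $status
        }
    }
}
```

An unsigned DLL that appears both under AppInit_DLLs and in the module list of every process is exactly the pattern described above; after removal, the first section should print an empty AppInit_DLLs value.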

Lessons learned:

  1. Unofficial patches are just viruses waiting to be installed. You can’t trust any binary unless it’s signed or comes with some other means of verification.
  2. Rootkit detection and automatic binary verification should be at the core of any virus scanning software. At least one (free) product I checked failed to detect the badware and didn’t even warn about wmfhotfix.dll being loaded into its own processes, too.
  3. It can happen to you. Maybe it already has.