Yesterday I was working on a friend’s computer when clicking a link in Yahoo’s search results produced popup warnings, strange alert boxes and opened obviously rogue web sites in Internet Explorer 7.
I blamed Yahoo, but the same problem affected Google.
I thought the web site behind the link had a cross-site scripting issue or had been hacked, but adding it to "Restricted Sites" and checking with Fiddler2 cleared it of my allegations.
I checked the extensions running in Internet Explorer and verified the manufacturers’ signatures (Google Toolbar is not signed – what are they thinking?)
Again, nothing suspicious there.
OK, we need to call in the troops.
Rootkit Revealer, Autoruns, Process Explorer, all from SysInternals, ahem, Microsoft Technet.
Rootkit Revealer check: Negative.
Autoruns: Some binaries not signed/verifiable, including "wmfhotfix.dll" in AppInit.
Process Explorer: Verifying the signatures of the modules loaded into the Internet Explorer process showed it: wmfhotfix.dll is the culprit. It is a virus disguised as an unofficial patch for the WMF vulnerability from back in the day.
Now, because it is registered under AppInit_DLLs, wmfhotfix.dll gets loaded into almost every process (anything that loads user32.dll), so the file is always in use and can’t simply be deleted.
Autoruns to the rescue:
Close all applications, stop as many services as possible, start Autoruns and disable and delete the AppInit entry (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs) for wmfhotfix.dll. Close Autoruns. Count to ten (i.e. wait for the registry change to flush to disk), then power-cycle the machine.
Delete wmfhotfix.dll from the system32 directory. Scan your system for other copies of this file and delete those, too.
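The same four steps (inspect AppInit_DLLs, verify the signatures of the modules loaded into IE, strip the entry, then hunt down the file copies after the reboot) scripted in PowerShell. This is an added example, not something from the original post or from Autoruns/Process Explorer; it assumes the DLL name wmfhotfix.dll from the post, an elevated prompt, and the Microsoft-documented space- or comma-separated format of the AppInit_DLLs value. The Wow6432Node key and LoadAppInit_DLLs only exist on 64-bit and Vista-or-later systems respectively, so the script simply skips what is not there.

```powershell
# Added example (not from the original post): audit and remove an AppInit_DLLs injector.
# Assumes: DLL name from the post, elevated PowerShell, 32-bit XP-era box (the 64-bit
# Wow6432Node key is checked only if present). Uses PS 1.0/2.0-compatible syntax.
$dllName = 'wmfhotfix.dll'
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
) | Where-Object { Test-Path $_ }

# 1. Show what is registered for injection into every user32-loading process.
foreach ($key in $appInitKeys) {
    $props = Get-ItemProperty -Path $key
    "{0}`n  AppInit_DLLs     = '{1}'`n  LoadAppInit_DLLs = {2}" -f $key, $props.AppInit_DLLs, $props.LoadAppInit_DLLs
}

# 2. Verify the Authenticode signature of every module loaded into Internet Explorer,
#    i.e. what Process Explorer's "Verify Image Signatures" does. Anything not 'Valid'
#    (unsigned, or signed by an unknown/untrusted chain) is listed for review.
Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object {
    $_.Modules | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FileName
        $signer = '(unsigned)'
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{
            Module = $_.ModuleName
            Path   = $_.FileName
            Status = $sig.Status
            Signer = $signer
        }
    }
} | Where-Object { $_.Status -ne 'Valid' } | Format-Table Module, Status, Signer, Path -AutoSize

# 3. Remove the DLL from AppInit_DLLs while keeping any other entries in the value intact
#    (deleting the whole value would also drop legitimate entries on some setups).
foreach ($key in $appInitKeys) {
    $current = (Get-ItemProperty -Path $key).AppInit_DLLs
    if ($current -and ($current -match [regex]::Escape($dllName))) {
        $cleaned = ($current -split '[ ,]+' |
            Where-Object { $_ -and ($_ -notmatch [regex]::Escape($dllName)) }) -join ' '
        Set-ItemProperty -Path $key -Name AppInit_DLLs -Value $cleaned
        "Removed $dllName from $key (was: '$current', now: '$cleaned')"
    }
}

# 4. Reboot first: the DLL stays mapped into running processes until then. After the reboot,
#    find every copy under %SystemRoot%, show its signature state and delete it.
#    -WhatIf is a safety catch; drop it once the list looks right.
Get-ChildItem -Path $env:SystemRoot -Filter $dllName -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        "{0}  {1} bytes  signature: {2}" -f $_.FullName, $_.Length, $sig.Status
        Remove-Item -Path $_.FullName -Force -WhatIf
    }
```

Step 2 is the check worth keeping around even after the cleanup: a module with a 'NotSigned' or 'UnknownError' status sitting inside a browser process is exactly the kind of thing a signature-blind scanner will not flag on its own.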
- Unofficial patches are just viruses waiting to be installed. You can’t trust any binary unless it’s signed or comes with some other means of verification.
- Rootkit detection and automatic binary verification should be at the core of any virus scanning software. At least one (free) product I checked failed to detect the badware and didn’t even warn about wmfhotfix.dll being loaded into its own processes, too.
- It can happen to you. Maybe it already has.