MSFN Forum

Win98 vulnerability?

50 replies to this topic
#1
Multibooter

Tihiy has written a very interesting Network activity indicator, described in http://www.msfn.org/...mp;#entry854139 and downloadable from http://tihiy.ahanix.org/IpTest.zip

I like it, its system tray icon looks really great, it can shut off the connection to the internet. But what is really interesting is that it doesn't show up in Task Manager (alt-ctl-del), or in the process viewer PrcView v3.7.3.1, or in Startup Organizer by Metaproducts. If there weren't an icon in the system tray, I wouldn't know it was running.

Is there some software which readily indicates under Win98 that programs like Tihiy's were added/installed/are running? (Well, STOBJECT.DLL is indicated in MS System Information -> Software Environment -> 32-bit Modules Loaded, but who's looking there regularly?)

Edited by Multibooter, 05 May 2009 - 11:18 AM.



#2
Tihiy

[screenshot]
Autoruns does.

Edited by Tihiy, 01 May 2009 - 12:59 PM.


#3
Multibooter

Autoruns does.

Thanks Tihiy. I downloaded v9.41 from http://technet.micro...s/bb963902.aspx but under plain-vanilla Win98SE its program window doesn't appear on the screen, even if the Task manager shows Autoruns. Instead, it tries to call home to Microsoft and in the process it attempts to hang my old Tiny firewall.

What could be the last/best version which works under plain-vanilla Win98SE?

Edited by Multibooter, 01 May 2009 - 03:02 PM.


#4
whatever420

What could be the last/best version which works under plain-vanilla Win98SE?

Autoruns 9.13

Edited by whatever420, 01 May 2009 - 03:59 PM.

#5
Multibooter

Autoruns 9.13

Thanks. v9.13 with the digital signature of 25-Feb-2008 runs fine under Win98SE. I also tried v9.35, but this version didn't run anymore. Are there any versions in between which still run under Win98SE, or is v9.13 really the last one?

Addendum: just tried v9.21, it doesn't run either under Win98SE

Edited by Multibooter, 01 May 2009 - 05:15 PM.


#6
CharlotteTheHarlot

Autoruns does.

Thanks Tihiy. I downloaded v9.41 from http://technet.micro...s/bb963902.aspx but under plain-vanilla Win98SE its program window doesn't appear on the screen, even if the Task manager shows Autoruns. Instead, it tries to call home to Microsoft and in the process it attempts to hang my old Tiny firewall.

What could be the last/best version which works under plain-vanilla Win98SE?

Archiving this type of information in the following thread:

System Internals Utilities on Win9x

As whatever420 stated: v9.13 works. Beware of testing more recent versions on Win9x. Besides not actually closing when you exit, they can cause some ugly side effects to USB peripherals like keyboards. I would not attempt this with flashdrives or USB harddrives attached!


#7
Multibooter

As whatever420 stated: v9.13 works. Beware of testing more recent versions on Win9x. Besides not actually closing when you exit, they can cause some ugly side effects to USB peripherals like keyboards. I would not attempt this with flashdrives or USB harddrives attached!

Thanks CharlotteTheHarlot. I had noticed that the higher versions stayed in Task Manager, but wasn't aware of possible dangers to my USB HDDs, which I luckily hadn't attached.

Very often the last version of a software for Win98 is full of new and unresolved/hard-to-resolve issues (e.g. NVidia GeForce driver). I have also come across Autoruns v9.00, digitally signed 14-Dec-2007 (v9.13 is digitally signed 25-Feb-2008). Is there a v9.12 or something between v9.00 and v9.13? Maybe the second-to-the-last version would be safer, especially given this USB warning.

Edited by Multibooter, 01 May 2009 - 08:10 PM.


#8
dencorso

Is there a v9.12 or something between v9.00 and v9.13? Maybe the second-to-the-last version would be safer, especially given this USB warning.

The link provided by Whatever420 is to the FileHippo software archive. There you'll also find v. 9.12, together with various other previous (and later, but those are irrelevant) versions of Autoruns.

#9
Queue

I've had great luck using http://www.steelbytes.com/?mid=47 to force newer versions of Sysinternals stuff to work on Win9x. Newer versions of ProcExp even have more doodads that are functional on Win9x (namely a third graphed display).

Queue

#10
Multibooter

The link provided by Whatever420 is to FileHippo software archive. There you'll also find v. 9.12, together with various other previous (and latter, but those are irrelevant) versions of Autoruns.

Thanks dencorso, somehow I hadn't seen the link

#11
CharlotteTheHarlot

Very often the last version of a software for Win98 is full of new and unresolved/hard-to-resolve issues (e.g. NVidia GeForce driver). I have also come across Autoruns v9.00, digitally signed 14-Dec-2007 (v9.13 is digitally signed 25-Feb-2008). Is there a v9.12 or something between v9.00 and v9.13? Maybe the second-to-the-last version would be safer, especially given this USB warning.

Just inventoried all the versions I had and dropped them into this post.


#12
herbalist

stobject.dll does show up in Process Explorer in the lower pane when it's set to display DLLs. The registry key used to load it, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, has been used by some malicious code.
From Bleeping Computer:

ShellServiceObjectDelayLoad - This Registry contains values in a similar way as the Run key does. The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information about the particular DLL file that is being used.

The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your computer, it will always start, thus always loading the files under this key. These files are therefore loaded early in the startup process before any human intervention occurs.
Registry Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

The objects loaded by this key are DLLs loaded by explorer and will not show up on a process monitor as a separate process. The objects in this key are loaded only when explorer starts or restarts. Not all real time autostart monitors watch this key.

If you're concerned about the potential malicious use of this key, a DOS batch file called from autoexec.bat can be your best ally. The batch file can either cover the entire registry or just specific keys with command line entries for regedit.
Rick
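As an added illustration of the CLSID indirection herbalist describes (this is not code from the thread or from any of the tools named in it): a Python script that takes a Win9x REGEDIT4 export of the kind `regedit /e` writes, follows each ShellServiceObjectDelayLoad value to the DLL named by its CLSID's InProcServer32 default value, and reports entries whose DLL is not on a baseline recorded after a clean install. The sample export, the CLSIDs and the "NetIndicator" entry are constructed for the example.

```python
import re

# Constructed sample of a Win9x "REGEDIT4" export (the format "regedit /e" writes),
# covering the ShellServiceObjectDelayLoad key and the CLSID keys it refers to.
# The CLSIDs and the "NetIndicator" entry are made up for this example.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{11111111-2222-3333-4444-555555555555}"
"Network.ConnectionTray"="{66666666-7777-8888-9999-AAAAAAAAAAAA}"
"NetIndicator"="{BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF}"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM\\webcheck.dll"

[HKEY_CLASSES_ROOT\CLSID\{66666666-7777-8888-9999-AAAAAAAAAAAA}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM\\stobject.dll"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF}\InProcServer32]
@="C:\\WINDOWS\\TEMP\\netind.dll"
'''

# DLLs recorded as legitimate right after a clean install (constructed baseline).
BASELINE = [r"C:\WINDOWS\SYSTEM\webcheck.dll", r"C:\WINDOWS\SYSTEM\stobject.dll"]

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"
# "Name"="string" or @="string" (the key's default value); other value types are ignored.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=("((?:[^"\\]|\\.)*)")$')


def unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path_lowercase: {value_name: string}}.
    Registry key names are case-insensitive, so paths are lowercased."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else unescape(m.group(2))
            keys[current][name] = unescape(m.group(4))
    return keys


def resolve_ssodl(keys):
    """Follow each SSODL value -> CLSID -> InProcServer32 default -> DLL path.
    Returns (value_name, clsid, dll_or_None); None means no InProcServer32 key."""
    out = []
    for name, clsid in keys.get(SSODL_KEY.lower(), {}).items():
        server = keys.get(f"{CLSID_KEY}\\{clsid}\\InProcServer32".lower(), {})
        out.append((name, clsid, server.get("")))
    return out


def audit_ssodl(text, baseline):
    """Return SSODL entries whose DLL is not on the baseline allowlist
    (paths compared case-insensitively, as on Win9x FAT volumes)."""
    allowed = {p.lower() for p in baseline}
    return [e for e in resolve_ssodl(parse_reg(text))
            if e[2] is None or e[2].lower() not in allowed]


if __name__ == "__main__":
    for name, clsid, dll in audit_ssodl(SAMPLE_REG, BASELINE):
        print(f"NOT IN BASELINE: {name} {clsid} -> {dll}")
```

Run against a fresh export and a baseline export taken right after setup, this catches an entry added to the key even when no new process appears in Task Manager, which is exactly the blind spot the thread is about.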

#13
CharlotteTheHarlot

stobject.dll does show up in Process Explorer in the lower pane when it's set to display DLLs. The registry key used to load it, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, has been used by some malicious code.
From Bleeping Computer:

ShellServiceObjectDelayLoad - This Registry contains values in a similar way as the Run key does. The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information about the particular DLL file that is being used.

The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your computer, it will always start, thus always loading the files under this key. These files are therefore loaded early in the startup process before any human intervention occurs.
Registry Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

The objects loaded by this key are DLLs loaded by explorer and will not show up on a process monitor as a separate process. The objects in this key are loaded only when explorer starts or restarts. Not all real time autostart monitors watch this key.

If you're concerned about the potential malicious use of this key, a DOS batch file called from autoexec.bat can be your best ally. The batch file can either cover the entire registry or just specific keys with command line entries for regedit.

Indeed. The ShellServiceObjectDelayLoad is an old hook, one of many exploitable startup access points that appeared in the Win95 shell. Thankfully we have Autoruns to illustrate them.

This particular entry point has always been used by Microsoft to load its controversial WebCheck.dll among other things (there was lots of discussion back in the day about whether it was necessary at all). You can see it is present in that screenshot above from Tihiy. This hook persists in WinXP as well.

I decided long ago that all these autoloading registry locations are way too much exposure and I flushed them all to empty on Win9x with a REG file. But your mileage may vary because if I remember correctly, there were some other related details that required some attention also, namely the keys ending with WebCheck], SyncMgr], Scheduled_Updates], and possibly some more (perhaps Protected Storage and the Event System).

Obviously the plugging of this autoloading hook is a double-edged sword however, since it would also preclude using this excellent network systray utility developed by Tihiy.


#14
herbalist

I removed the WebCheck entries on all my 9X and 2K systems with no resulting problems. On my 98FE box, Tihiy's network monitor is the only entry in that key. On this 98SE, that key was removed with Internet Explorer. When I first started building the startup batch file, I was covering the different autostart locations individually. After a while, I decided to replace the entire registry instead of individual keys. This way, the same batch file worked on all the single user 98 systems and addressed several other problems as well. On my FE box, the batch file takes a bit over 1 minute to complete at startup, partly due to the number of files and folders it overwrites and partly because of the 366mhz processor. Even so, I consider it a small price to pay for malware protection and for starting every session with a clean, optimized registry. The only time it causes a problem is when I install something and forget to make new backups before rebooting.

#15
Multibooter

The ShellServiceObjectDelayLoad is an old hook, one of many exploitable startup access points that appeared in the Win95 shell. Thankfully we have Autoruns to illustrate them. This particular entry point has always been used by Microsoft to load its controversial WebCheck.dll

Webcheck.dll was also displayed by Autoruns on my laptop, which runs Internet Explorer v6.0.2600, downloaded on 20-Sep-2001 from MS and re-installed after a clean install of Win98SE on 10-Oct-2003. Webcheck.dll on my laptop has 258.048 bytes and is displayed as v6.00.2600.0000 - but with a file modification date of 10-Oct-2003, 2 years after the original download. Iexplore.exe is v6.00.2600.0000 but has the modification date 17-Aug-2001, and ie6setup.exe is digitally signed 20-Aug-2001 [i.e. before Sep. 11, 2001]. IE probably called home during the installation on 10-Oct-2003, but why would webcheck.dll have a much later modification date than Iexplore.exe?

BTW, are the excellent postings about webcheck.dll (of 2005) http://www.msfn.org/...opic=46066&st=0 still OK with today's new hardware?

Edited by Multibooter, 03 May 2009 - 12:39 AM.


#16
Multibooter

Under Win98 there are 4 tabs of autoruns/vulnerabilities displayed by Autoruns, but when double-clicking under WinXP on the same Autoruns v9.13 16 (sixteen!) tabs of autoruns/vulnerabilities are displayed. 2 screenshots could explain the key advantage of Win98 better than a 1000 words.

Edited by Multibooter, 03 May 2009 - 02:23 AM.


#17
Queue

Simply having a location that will automatically run an executable (or executable code of some sort) does not count as a vulnerability. By that definition, the fact that Windows can run arbitrary executables whatsoever would constitute a vulnerability.

Yes, it is convenient that fewer such locations exist in Win9x, but that doesn't automatically count as an advantage or disadvantage, it's simply a difference. It's only convenient from the human perspective of knowing all those locations off the top of your head. On the computer's end, enumerating four or a dozen different locations is a negligible difference.

A vulnerability would be a remotely triggerable execution of code, or execution of privileged code in a non-privileged environment. The latter isn't really an issue in Win9x since everything is privileged (some consider this a vulnerability, but it's simply by design); the former has occurred in many iterations of all significant OSes.

Queue

#18
CharlotteTheHarlot

The ShellServiceObjectDelayLoad is an old hook, one of many exploitable startup access points that appeared in the Win95 shell. Thankfully we have Autoruns to illustrate them. This particular entry point has always been used by Microsoft to load its controversial WebCheck.dll

Webcheck.dll was also displayed by Autoruns on my laptop, which runs Internet Explorer v6.0.2600, downloaded on 20-Sep-2001 from MS and re-installed after a clean install of Win98SE on 10-Oct-2003. Webcheck.dll on my laptop has 258.048 bytes, is displayed as v6.00.2600.0000 - but with a file modification date of 10-Oct-2003, 2 years after the original download. Iexplore.exe is v6.00.2600.0000 but has the modification date 17-Aug-2001 and ie6setup.exe is digitally signed 20-Aug-2001 [i.e. before Sep.11, 2001] IE probably called home during the installation on 10-Oct-2003., but why would webcheck.dll have a much later modification date than Iexplore.exe?

BTW, are the excellent postings about webcheck.dll (of 2005) http://www.msfn.org/...opic=46066&st=0 still Ok with todays new hardware?

Honestly, I never saw that thread before! (was before my time here). Amazingly, in Post #8, I see the great MDGx has a REG file that is almost identical to one I handmade many years ago. He even mentions the SENS components which I also yanked out by the roots! Consider this operation independently verified. :thumbup Nice thread you found there. Bookmarking for later reading.

What I ended up doing was very extreme and very complicated. I essentially removed many of the core components like the previously mentioned WebCheck/Sens to other things like Power Management and parts of SysTray and WBEM/WinMgmt and EventLog/Event System and much more. The only downside I see is that a FlashDrive left in a USB port will prevent shutdown (no big deal). The speed gain and overall stability is substantial, and that was the whole point anyway.

About those file stamps, without looking at other archives (WinME/2K/XP etc) I find these versions of WebCheck.dll in my Win98se stash (MSIE never was used above version 6 of course) ...

WEBCHECK DLL ... 342,800 ... 09-18-97 ... 11:28a ... Webcheck.dll_47117123
WEBCHECK DLL ... 356,352 ... 05-11-98 .... 7:01p ... Webcheck.dll_47231100 (Win98)
WEBCHECK DLL ... 274,704 ... 02-24-99 .... 3:10p ... Webcheck.dll_5002014200 (Corel 10)
WEBCHECK DLL ... 274,704 ... 03-25-00 ... 12:11p ... Webcheck.dll_50023141000
WEBCHECK DLL ... 274,704 ... 04-23-99 ... 10:22p ... Webcheck.dll_50026143500 (Win98se)
WEBCHECK DLL ... 258,048 ... 08-17-01 ... 10:34p ... Webcheck.dll_60026000000 (MSIE6)
WEBCHECK DLL ... 258,048 ... 08-29-02 .... 7:07a ... Webcheck.dll_60028001106 (MSIE6sp1)

Maybe the file date/time/size will be of some comparative use to you. I see the default Win98se, then MSIE6 and SP1. I am pretty sure that it was between 2001 and 2002 that I physically stopped these features from running. If you are in need of more info, it is easy enough to extract the unaltered files from the original distros (e.g., MSIE offline setup cabs). I definitely have them somewhere.

IMPORTANT REMINDER for others that may be reading: cutting out these and other core components is not for the faint-hearted. Having spare good copies of System.dat and User.dat handy for quick replacement from DOS is vital and will rescue you from the inevitable system stop at bootup!


#19
BenoitRen

Indeed. The ShellServiceObjectDelayLoad is an old hook, one of many exploitable startup access points that appeared in the Win95 shell.

I searched my registry and this key doesn't exist on my system.
Using Windows 95 OSR 2.5

#20
herbalist


IMPORTANT REMINDER for others that may be reading: cutting out these and other core components is not for the faint-hearted. Having spare good copies of System.dat and User.dat handy for quick replacement from DOS is vital and will rescue you from the inevitable system stop at bootup!

I'd strongly suggest a full system backup before attempting any major modifications. As for protecting the registry, I highly recommend TestRun for those who aren't proficient in DOS. TestRun is a collection of batch files that makes copies of the registry and core configuration files and allows you to experiment on the copies while your originals stay safe. Anyone who is still learning DOS should study those batch files. They're good examples of just how powerful a few lines of text can be.
Rick

#21
Multibooter

Maybe the file date/time/size will be of some comparative use to you.

On my dual-core desktop, which I started to set up very carefully about a year ago, webcheck.dll under Win98SE is 259.344 bytes, v5.50.4522.1800, modification date 20-Oct-2000. The modification date looks Ok, it's from Internet Explorer v5.5 SP1.

Since in general I try to stay away, under Win98SE, from US software created after Sept.11, 2001, a file with a modification date of 10-Oct-2003 raised a red flag with me.

BTW, under Win98SE, when you run Autoruns v9.13 [digitally signed 25-Feb-2008] then click on -> Help -> Help, then on the first item "Autoruns" in the list of contents, autoruns.exe tries to call home to origin-codecs.microsoft.com [65.55.13.243], port 80-TCP. What is the last version of Autoruns/autoruns.chm [file modification date 14-Dec-2007] which doesn't call home?

Edited by Multibooter, 03 May 2009 - 11:34 AM.


#22
dencorso

Since in general I try to stay away, under Win98SE, from US software created after Sept.11, 2001, a file with a modification date of 10-Oct-2003 raised a red flag with me.

Well 9/11 is a dark date, and I think we'll mourn those dead in that day forever. :( That said, I fail to see the cause-effect relation between 9/11 and software. Maybe I'm being too naive. Could you please elaborate?

#23
Drugwash

As I've already mentioned a few times in these forums, Codestuff Starter - albeit old - is pretty good at managing startup/running items (under 2000+ it can also display/manage services):

[screenshot attachment: 62750596.png]

#24
herbalist

Since in general I try to stay away, under Win98SE, from US software created after Sept.11, 2001, a file with a modification date of 10-Oct-2003 raised a red flag with me.

Well 9/11 is a dark date, and I think we'll mourn those dead in that day forever. :( That said, I fail to see the cause-effect relation between 9/11 and software. Maybe I'm being too naive. Could you please elaborate?

Call it a distrust of the powers that be and their policy of domestic surveillance implemented after that date and its potential effects on software and operating systems. This was discussed in this thread starting at post 149.
Rick

#25
dencorso

Thanks, herbalist, for the swift reply and precise pointer. It is a quite interesting exchange of ideas you and Multibooter had there, and lends itself to much reflection. BTW, the SSM page is no more, but here is a working link for people to get ssm-2.0.8.583-free. It does rock! :thumbup ...and so do you! :yes:

Edited by dencorso, 03 May 2009 - 10:12 PM.




