VERSIONS AFFECTED
Microsoft Windows NT 4.0 Workstation
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Server, Enterprise Edition
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
DESCRIPTION
According to the discoverer,
Windows uses a specific search order for executables that are defined in the Registry. If
those definition use relative path names instead of absolute path names then it is
possible to cause a Trojan to run instead of the legimate execuatable. The search order
used is as follows:
- The directory where the calling application loaded from
The current directory of the parent process
The 32-bit Windows system directory: System32
The 16-bit Windows system directory: System
The Windows directory: %SYSTEMROOT%
The directories listed in the PATH environment variable
DEMONSTRATION
During the system boot
sequence, any file named EXPLORER.EXE located in the boot drives root directory will load instead of the legitimate
version, normally located in the %SYSTEMROOT% directory.
VENDOR RESPONSE
Microsoft released a FAQ,
Support Online article Q269049, as well as patches for Windows
2000 and NT 4.0.
CREDIT
Discovered by Alberto Argones
End of Article
