ZHPDiag – Module O34 – BootExecute (BEX)
Microsoft Windows NT relies on a session manager (Session Manager) that runs at startup.
Some legitimate software uses this mechanism to perform specific operations at boot time, such as disk defragmentation (for example O&O Software's O&O Defrag or Raxco Software's PerfectDisk Boot Time Defragmentation) or cleaning (for example Lavasoft AB's Ad-Aware Boot Cleaner or SurfRight B.V.'s Hitman BootDelete).
However, malware can misuse this mechanism to run during system startup: it inserts its own entry into the BootExecute value of the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager].
ZHPDiag Overview
---\\ BootExecute (O34)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (OODBS) (.O&O Software GmbH - O&O BootTimeDefrag.) -- C:\Windows\system32\OODBS.exe
ZHPFix action
O34 - HKLM BootExecute: ({DataName}) (…) -- {FileName}
{Key}: registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
{DataName}: data of the 'BootExecute' value under that key
1) The tool deletes the file {FileName}.
Example of detection
O34 - HKLM BootExecute: (1028560) (…) -- C:\Windows\system32\1028560.exe
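To show how an O34-style check works in practice, here is an added Python example (not ZHPDiag's own code) that reads the BootExecute value on Windows (or falls back to a constructed sample elsewhere), maps each entry to the program Session Manager would start, and renders findings in the report style above. The first-token-plus-.exe resolution and the digits-only "suspect" heuristic are assumptions of this example, not ZHPDiag's rules.

```python
import ntpath  # Windows path handling so results are identical on any platform
import os

# Constructed sample of the REG_MULTI_SZ BootExecute value (not read from a real
# machine): the stock Windows entry plus the two entries shown on this page.
SAMPLE_BOOTEXECUTE = ["autocheck autochk *", "OODBS", "1028560"]
SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
STOCK_ENTRIES = {"autocheck autochk *"}  # installed by Windows itself

def read_boot_execute():
    """Read the live value on Windows; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, "BootExecute")
    return list(value)

def resolve_entry(entry, system32=r"C:\Windows\system32"):
    """Path of the program Session Manager would start for one entry: the first
    token, looked up in system32 with .exe appended when it has no extension
    (assumption mirroring the page's OODBS -> OODBS.exe report line)."""
    program = entry.split()[0]
    if not ntpath.splitext(program)[1]:
        program += ".exe"
    return ntpath.join(system32, program)

def classify_boot_execute(entries, file_exists=os.path.exists):
    """Return (entry, verdict, path) per entry: 'stock' = Windows default,
    'missing' = absent from system32, 'suspect' = digits-only name, 'review' = other."""
    findings = []
    for entry in entries:
        path = resolve_entry(entry)
        name = ntpath.splitext(ntpath.basename(path))[0]
        if entry in STOCK_ENTRIES:
            verdict = "stock"
        elif not file_exists(path):
            verdict = "missing"
        elif name.isdigit():
            verdict = "suspect"
        else:
            verdict = "review"
        findings.append((entry, verdict, path))
    return findings

def format_o34(entry, verdict, path):
    """Render a finding as an O34 report line in the style shown on this page."""
    if verdict == "missing":
        return f"O34 - HKLM BootExecute: ({entry}) - File not found"
    return f"O34 - HKLM BootExecute: ({entry}) [{verdict}] -- {path}"
```

Run `classify_boot_execute(read_boot_execute() or SAMPLE_BOOTEXECUTE)` and print each finding with `format_o34` to get a report; a 'review' entry still needs its publisher checked by hand.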
Links
* Local Security Authority Subsystem Service
* LSA Authentication (Microsoft)
* LSA Secrets