
ZHPDiag – Module O34 – BootExecute (BEX)

At startup, Microsoft Windows NT runs the Session Manager, which is the component that executes the programs listed in the BootExecute value described below.

LSA Authentication describes the parts of the Local Security Authority (LSA) that applications can use to authenticate and log on users on the local system. It also describes how to create and call authentication packages and security packages. The LSA authentication functions allow you to write an authentication package or a combined authentication/security support provider (SSP/AP) package.

Some legitimate software uses this functionality to perform operations before the system is fully up, such as disk defragmentation, for example O&O Software (O&O Defrag) or Raxco Software (PerfectDisk Boot Time Defragmentation). Other software uses it for cleaning, such as Lavasoft AB (Ad-Aware Boot Cleaner) or SurfRight B.V. (Hitman BootDelete).

However, the same mechanism can be abused to execute a malware program during system startup.

The persistence point is the registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager], with the program inserted as data in the BootExecute value.

ZHPDiag Overview

—\\ BootExecute (O34)
O34 – HKLM BootExecute: (autocheck autochk *) – File not found
O34 – HKLM BootExecute: (OODBS) (.O&O Software GmbH – O&O BootTimeDefrag.) — C:\Windows\system32\OODBS.exe

ZHPFix action

O34 – HKLM BootExecute: ( {DataName} )- (…) — {FileName}

{Key}: Registry Key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
{DataName}: Data of the value of the key ‘BootExecute’
{FileName}: Path of the file referenced by that data

1) The tool deletes the file {FileName}

Example of detection

O34 – HKLM BootExecute: (1028560) (…) — C:\Windows\system32\1028560.exe
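As an added example (not ZHPDiag's own code), the following Python decodes a BootExecute value as it is stored in the SYSTEM hive, flags every entry that is not the stock `autocheck autochk *` entry, and renders each one in the O34 line style used above. The sample value and the set of files present on disk are constructed; the system32 lookup rule and the `.exe` suffix are assumptions drawn from the report lines on this page.

```python
"""Triage of the Session Manager BootExecute value (added example, not ZHPDiag code)."""
from typing import Callable, List

# Registry location the page describes.
BOOTEXECUTE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
# Assumption: the only entry a stock installation carries is chkdsk's boot-time check.
BASELINE_ENTRIES = {"autocheck autochk *"}
# Assumption: BootExecute programs are looked up in system32 (as in the report lines).
SYSTEM32 = r"C:\Windows\system32"


def parse_multi_sz(raw: bytes) -> List[str]:
    """Decode a REG_MULTI_SZ blob as stored in the hive: UTF-16LE strings,
    each NUL-terminated, with an extra NUL closing the list."""
    text = raw.decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def triage_bootexecute(raw: bytes, file_exists: Callable[[str], bool]) -> List[dict]:
    """Return one record per BootExecute entry. Each entry is a command line whose
    first token names a program (no extension); anything outside the baseline
    is flagged for review, and the resolved path is checked on disk."""
    findings = []
    for entry in parse_multi_sz(raw):
        tokens = entry.split()
        if not tokens:          # whitespace-only entry: nothing to resolve
            continue
        path = f"{SYSTEM32}\\{tokens[0]}.exe"
        findings.append({
            "entry": entry,
            "path": path,
            "present": file_exists(path),
            "suspicious": entry not in BASELINE_ENTRIES,
        })
    return findings


def format_o34(finding: dict) -> str:
    """Render a finding in the O34 line style shown in the ZHPDiag report."""
    state = finding["path"] if finding["present"] else "File not found"
    return f"O34 - HKLM BootExecute: ({finding['entry']}) - {state}"


# Constructed sample: the stock entry plus the two non-default entries from the page.
SAMPLE_RAW = "autocheck autochk *\x00OODBS\x001028560\x00\x00".encode("utf-16-le")
# Constructed view of the disk: only the defragmenter binary is present.
SAMPLE_DISK = {f"{SYSTEM32}\\OODBS.exe"}

if __name__ == "__main__":
    for f in triage_bootexecute(SAMPLE_RAW, SAMPLE_DISK.__contains__):
        print(("REVIEW " if f["suspicious"] else "ok     ") + format_o34(f))
```

On a live system the same list can be obtained with `winreg.QueryValueEx`, which already returns the REG_MULTI_SZ value as a list, so only the triage step is needed; the raw decoder is for values pulled from an offline hive.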

Links

* Local Security Authority Subsystem Service
* LSA Authentication (Microsoft)
* LSA Secrets
