
ZHPDIAG – MODULE O18 (PAPP)

Installing a protocol handler involves copying the dll(s) to an appropriate location in the %ProgramFiles% directory and then registering the protocol handler through the registry.

The installer application can also add search root and scope rules to set a default scan scope for the shell data source.

The IProtocolHandlerSite interface is used to instantiate a filter handler, which is hosted in an isolated process. The appropriate filter handler is obtained for a specified persistent class identifier (CLSID), document storage class, or file name extension. The advantage of asking the host process to bind to IFilter is that the host process can manage the process of locating an appropriate filter handler and control the security involved in calling the handler.

This module lists modifications to the default protocols, in order to detect additional (non-standard) protocol handlers and protocol hijackers.

The “Filter” and “Handler” subkeys of the “PROTOCOLS” key are often used by malware to get its own modules loaded automatically, a technique widely used by Potentially Unwanted Programs (LPI/PUP).

The search is carried out on certain Registry keys, such as:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\deflate]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\gzip] (from Vista onwards)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim]

ZHPDiag Overview

—\\ Additional protocol and protocol hacking (O18)
O18 – Filter: text/html – {950238FB-C706-4791-8674-4D429F85897E} – (no file)
O18 – Protocol: msnim – {008030A1-22C1-4009-854F-8E305202313F} – “C:\PROGRA~1\MSNMES~1\msgrapp.dll”

—\\ Additional protocol and protocol hacking (O18)
O18 – Filter: deflate – {8f6b0360-b80d-11d0-a9b3-006097942311} – C:\Windows\system32\urlmon.dll
O18 – Filter: gzip – {8f6b0360-b80d-11d0-a9b3-006097942311} – C:\Windows\system32\urlmon.dll

—\\ Additional protocol and protocol hacking (O18)
O18 – Handler: cdl – {3dd53d40-7b8b-11D0-b013-00aa0059ce02} . (.Microsoft Corporation – OLE32 Extensions for Win32.) — C:\Windows\system32\urlmon.dll

ZHPFix action

O18 – {SubKey}: {ValueKey} – {KeyCLSID} . (…) — {FileName}

{Key}: Registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS]
{SubKey}: Subkey of the key {Key}, either “Handler” or “Filter”
{ValueKey}: Name of the entry under {SubKey}, i.e. the protocol or filter name (such as “msnim” or “text/html”)
{KeyCLSID}: Value data “CLSID” of the entry {ValueKey}
{FileName}: Default value of the key [HKLM\SOFTWARE\Classes\CLSID\{KeyCLSID}\InprocServer32]

1) The tool removes the {KeyCLSID} entry
2) The tool deletes the key [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{KeyCLSID}]
3) The tool deletes the key [HKEY_CLASSES_ROOT\CLSID\{KeyCLSID}]
4) The tool deletes the file {FileName}

Example of detection

O18 – Handler: base64 – {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} . (.Blabbers Communications Ltd – Blabbers data protocol for IE w/c.) — C:\Program Files\BrowserCompanion\tdataprotocol.dll
O18 – Handler: chrome – {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} . (.Blabbers Communications Ltd – Blabbers data protocol for IE w/c.) — C:\Program Files\BrowserCompanion\tdataprotocol.dll
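The lookup chain the module performs (PROTOCOLS subkey, its CLSID value, then that CLSID's InprocServer32 default value), as an added Python example that is not ZHPDiag's own code. It runs over a constructed registry snapshot built from the entries shown on this page; the BASELINE set, the status labels and the dict-based snapshot format are assumptions, and on a live Windows host the same walk would be fed from winreg instead.

```python
# Added example (not ZHPDiag code): walk PROTOCOLS\{Filter,Handler}\<name>
# -> CLSID -> CLSID\{clsid}\InprocServer32 over a constructed registry snapshot.
PROTOCOLS = r"HKLM\SOFTWARE\Classes\PROTOCOLS"
CLSID_ROOT = r"HKLM\SOFTWARE\Classes\CLSID"
URLMON = r"C:\Windows\system32\urlmon.dll"
# Microsoft entries shown on the page (assumed baseline); anything else deserves a look.
BASELINE = {
    ("Filter", "deflate"): "{8f6b0360-b80d-11d0-a9b3-006097942311}",
    ("Filter", "gzip"): "{8f6b0360-b80d-11d0-a9b3-006097942311}",
    ("Handler", "cdl"): "{3dd53d40-7b8b-11d0-b013-00aa0059ce02}",
}
# Constructed snapshot: key path -> {value name: data}; "" is the default value.
SNAPSHOT = {
    PROTOCOLS + r"\Filter\deflate": {"CLSID": "{8f6b0360-b80d-11d0-a9b3-006097942311}"},
    PROTOCOLS + r"\Filter\gzip": {"CLSID": "{8f6b0360-b80d-11d0-a9b3-006097942311}"},
    PROTOCOLS + r"\Filter\text/html": {"CLSID": "{950238FB-C706-4791-8674-4D429F85897E}"},
    PROTOCOLS + r"\Handler\cdl": {"CLSID": "{3dd53d40-7b8b-11D0-b013-00aa0059ce02}"},
    PROTOCOLS + r"\Handler\base64": {"CLSID": "{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}"},
    CLSID_ROOT + r"\{8f6b0360-b80d-11d0-a9b3-006097942311}\InprocServer32": {"": URLMON},
    CLSID_ROOT + r"\{3dd53d40-7b8b-11d0-b013-00aa0059ce02}\InprocServer32": {"": URLMON},
    CLSID_ROOT + r"\{5ACE96C0-C70A-4A4D-AF14-2E7B869345E1}\InprocServer32":
        {"": r"C:\Program Files\BrowserCompanion\tdataprotocol.dll"},
}

def o18_entries(snapshot):
    """Return (subkey, name, clsid, filename, status) per Filter/Handler entry.
    status: 'baseline' (known Microsoft CLSID), 'no file' (no InprocServer32
    default, the page's "(no file)" case) or 'review' (third-party module)."""
    reg = {k.lower(): v for k, v in snapshot.items()}  # registry paths are case-insensitive
    rows = []
    for subkey in ("Filter", "Handler"):
        prefix = f"{PROTOCOLS}\\{subkey}\\".lower()
        for path in sorted(reg):
            name = path[len(prefix):]
            if not path.startswith(prefix) or "\\" in name:  # direct children only
                continue
            clsid = reg[path].get("CLSID", "")
            filename = reg.get(f"{CLSID_ROOT}\\{clsid}\\InprocServer32".lower(), {}).get("")
            if BASELINE.get((subkey, name), "").lower() == clsid.lower():
                status = "baseline"
            elif not filename:
                status = "no file"  # orphaned CLSID: the kind of entry ZHPFix removes
            else:
                status = "review"   # check the module's publisher and signature
            rows.append((subkey, name, clsid, filename or "(no file)", status))
    return rows

def o18_report(snapshot):
    """Render rows in the O18 line format used in the ZHPDiag report."""
    return [f"O18 - {s}: {n} - {c} - {f}  [{st}]" for s, n, c, f, st in o18_entries(snapshot)]
```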

Links

Installing and Registering Protocol Handlers
