A while ago, I got the opportunity to work on an interesting case where the customer’s Explorer process was showing a continuous increase in handle count. Using Process Explorer we could see that these handles were open to various Iexplore.exe processes, which were showing as terminated. Interestingly however, these Iexplore.exe processes were not being started by any user. They seemed to get created randomly, about one every half hour and almost immediately showing up as a terminated process handle under Explorer.exe.
So what was causing these processes to be launched? Putting these processes under a debugger with a breakpoint set on CreateProcess was an option, however we did not have access to the server and getting internet access on the server would be difficult. So I thought of giving Process Monitor a try. The idea was to get log captured for the processes Iexplore.exe and Explorer.exe for the operations process create, process start, and thread create . Also, we wanted to ensure that when we leave this running, Process Monitor did not fill up the pagefile, which is used as the default backing file.
So we did the following:
1. Launched Process Monitor with the following syntax “procmon /backingfile:E:\processlaunch.pml”
2. In the Filters menu, checked the option “Drop Filtered Events”.
3. Set filters for processes Explorer.exe and Iexplore.exe and also for operations process create, process start and thread create .
With this done, we let the server run for a couple of hours and got the logs. Here’s what we saw.
Now, looking at the thread stack for Explorer, process create , we see unknown module, with addresses 0x10003d2f,0x10002298,0x10002629.
First off 0x10000000 converts to 268435456. This is essentially greater than the 2 GB user mode, virtual address space limit. The box was running with the /3GB switch , so this is a valid user mode address; however Explorer.exe and Iexplore.exe are not /LargeAddressAware , which definitely looks suspicious.
Now looking at the stack information of the thread creation of Iexplore.exe we see the following:
Seems we have a binary, Linkinfo.dll, and its loading from %windir% directory. Now the file name seems genuine, however a legitimate version of a system file like Linkinfo.dll is supposed to be loaded from the System32 directory and not the %windir% directory. Also the box we were working with was running Windows Server 2003, and Windows Server 2003 file versions start as 5.2.3790.xxxx. This in combination with the load address of 0x10000000 makes this look out of the ordinary.
Doing a Bing search on Linkinfo.dll in the %windir% directory led me to this link:
Running a free Onecare online scan from the following link confirmed this, and was successful cleaning this up.
|Share this post :||
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.