
Watch Out!

14 Jan 2001, CPOL
How an application can stop you from running any application on your system

Introduction

You may already have received an application from a friend (or will receive one in the next few days). If you run it, you will no longer be able to run any application on your system. Logging off and on, restarting or shutting down will not help. Note, however, that it does not stop you from opening documents through their own file type association: double-clicking a .txt file still opens Notepad, because the shell launches Notepad through the txtfile class, not through the exefile class that the application has tampered with.

When you click any shortcut, or type an .exe name in Start/Run, you get a message box with greetings instead of the program. The application also adds an icon to the system tray.

Some sharp users will want to open the Registry to cure the system, but oops, you can't run Regedit.exe: it is an application too.

Now let us look at what that application actually does to the system. It does two things:

  1. It forces .exe files to be opened with its own executable (possibly WinTask.exe). When you try to run any .exe file, the system launches that executable instead, and it just displays a message box.
  2. Every time a user logs in or restarts, it runs its own executable first, by adding a string value named "Win32BaseServiceMOD" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run whose data is the path of that executable.

The second step is straightforward. The first one deserves more detail.

File Class

The terms file association and file class essentially mean the same thing. A file class consists of all files that share a filename extension. File classes are defined in the registry. Once a file class exists, you can customize the behaviour of its files: you can specify the application used to open a file when it is double-clicked, replace the standard file icon with a custom one, or add items to the context menu. For details, look up the topic "Creating a File Association" in MSDN.

This virus-like application changes the program associated with EXE files by replacing the default value of the key HKEY_CLASSES_ROOT\exefile\shell\open\command (normally "%1" %*, meaning "run the file itself and pass it the remaining arguments") with a command line that points at its own executable.

The simple cure is to set that value back to "%1" %* (note the space before %*; without it the program's arguments would be glued onto its path). But how, when you cannot run Regedit.exe? Don't worry, there is another way. Create a new .reg file (Notepad still opens when you double-click a .txt file) with this text:

REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

Then double-click this file to import it into the Windows Registry (Regedit asks for confirmation first). This works because a .reg file is opened through the regfile class, whose command runs Regedit.exe directly rather than through the hijacked exefile association. In REGEDIT4 syntax the default value of a key is written as @=, the header must be followed by a blank line, and quotes and backslashes inside a string are escaped with a backslash.

Now Regedit.exe runs again. Open the key from the second step, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and delete the value named "Win32BaseServiceMOD". If you do not find that exact name, look for any value under Run whose data points at the same executable the hijacked exefile command did.

Now you are in the same position as before running that virus-like application, except that its executable is still on disk; delete it once the association has been restored, so that nothing launches it again.
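The two checks above (is the exefile command still the stock "%1" %*, and which Run value launches the same executable) can be automated over a REGEDIT4 export, the same text format the .reg fix uses. The following is an added example, not code from the article: it parses the export, reports the hijack, correlates it with the Run key and generates the repair .reg text. SAMPLE_EXPORT is constructed by hand for the demonstration; the C:\WINDOWS\SYSTEM\WINTASK.EXE path and the benign ScanRegistry entry are assumptions, and obtaining a real export (from Regedit, once it runs again, or from an offline copy of the registry) is outside the example.

```python
"""Check a REGEDIT4 export for an exefile hijack and emit a repair .reg.

Added example (not the article's code). Parses the .reg text format, flags an
HKCR\exefile\shell\open\command default that is not "%1" %*, and lists Run-key
values that launch the same executable. The sample export below is constructed.
"""

EXE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
STOCK_EXE_COMMAND = '"%1" %*'   # run the file itself, passing its arguments

# Constructed sample export: assumed WINTASK.EXE path and a benign Run entry.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\WINTASK.EXE \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Win32BaseServiceMOD"="C:\\WINDOWS\\SYSTEM\\WINTASK.EXE"
'''


def _read_quoted(s: str, i: int):
    """Decode a REGEDIT4 quoted string starting at s[i] == '"'; return (text, next index)."""
    out, i = [], i + 1
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):      # \\ and \" escapes
            out.append(s[i + 1]); i += 2
        elif c == '"':
            return "".join(out), i + 1
        else:
            out.append(c); i += 1
    raise ValueError("unterminated quoted string: " + s)


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: data}}; '@' is the default value, None marks '=-' deletion."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT4"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("value line before any key: " + line)
        if line.startswith("@"):
            name, i = "@", 1
        elif line.startswith('"'):
            name, i = _read_quoted(line, 0)
        else:
            raise ValueError("unrecognised line: " + line)
        if line[i:i + 1] != "=":
            raise ValueError("expected '=' in: " + line)
        rest = line[i + 1:]
        if rest == "-":
            keys[current][name] = None
        elif rest.startswith('"'):
            keys[current][name], _ = _read_quoted(rest, 0)
        else:
            keys[current][name] = rest          # dword:/hex: data kept raw
    return keys


def first_token(command: str) -> str:
    """Executable part of a command line: the quoted path, or the text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(None, 1)[0] if command else ""


def analyse(export_text: str) -> dict:
    """Report whether exefile is hijacked and which Run values launch the hijacker."""
    keys = {k.lower(): v for k, v in parse_reg(export_text).items()}
    command = keys.get(EXE_COMMAND_KEY.lower(), {}).get("@")
    hijacked = command is not None and command.strip() != STOCK_EXE_COMMAND
    suspects = []
    if hijacked:
        hijacker = first_token(command).lower()
        for name, data in keys.get(RUN_KEY.lower(), {}).items():
            if isinstance(data, str) and first_token(data).lower() == hijacker:
                suspects.append(name)
    return {"exefile_command": command, "hijacked": hijacked, "suspect_run_values": suspects}


def repair_reg(findings: dict) -> str:
    """Produce the .reg text that restores exefile and removes the correlated Run values."""
    lines = ["REGEDIT4", "", f"[{EXE_COMMAND_KEY}]", '@="\\"%1\\" %*"']
    if findings["suspect_run_values"]:
        lines += ["", f"[{RUN_KEY}]"]
        lines += [f'"{name}"=-' for name in findings["suspect_run_values"]]  # "name"=- deletes a value
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = analyse(SAMPLE_EXPORT)
    print(result)
    print(repair_reg(result))
```

The repair text round-trips through the same parser, which is a cheap way to confirm the escaping of @="\"%1\" %*" is right before importing it on a live machine. The "name"=- form is the documented .reg syntax for deleting a value; the Run value is only deleted when its executable matches the hijacker, so unrelated startup entries are left alone.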

History

  • 14th January, 2001: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Mumtaz Zaheer
Web Developer
Pakistan Pakistan
Mumtaz Zaheer is working as Senior System Analyst with Information Architects, Pakistan (http://www.info-architects.com/).

Comments and Discussions

 
Question: How .exe can run under Windows as .com (Jonathan Russell, 16-Oct-04 1:43)
General: Navidad virus (Michael Dunn, 14-Jan-01 23:15)
General: Re: Navidad virus (Mumtaz Zaheer, 15-Jan-01 20:28)
General: Re: Navidad virus (Gennady Oster, 22-Jan-01 5:28)
General: Re: Navidad virus (Mumtaz Zaheer, 22-Jan-01 19:22)
General: Re: Navidad virus (Gennady Oster, 22-Jan-01 21:18)
General: Re: Navidad virus (Anonymous, 22-Jan-01 23:55)
General: Re: Navidad virus (Mumtaz Zaheer, 23-Jan-01 6:26)
General: drat trojan, possible solution ... (Anonymous, 26-Jun-02 0:44)
General: More renamings (cygnus, 13-Aug-02 21:29)
General: Re: More renamings (SuperKoko, 23-Jan-05 11:03)
Another method (more complicated), but really fun.

Because launching a DOS or console application from a command line needs to redirect standard output to the console, in this case Windows does not use the default association to open the .exe or .com.
Moreover, .pif links permit changing various options like the font size of the window, and don't use the default association.
You can launch command.com from command.pif.
You can use a DOS hex editor to modify the regedit.exe PE optional header and change the application to a console application.
For regedit.exe version 4.10.1998, changing byte 9E24 from 02 to 03 transforms the application into a console application.
Now you can execute the new version of regedit.exe without any problem and change associations as you want!
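The header edit in the comment above is a change of the Subsystem field of the PE optional header from IMAGE_SUBSYSTEM_WINDOWS_GUI (2) to IMAGE_SUBSYSTEM_WINDOWS_CUI (3). The fixed offset 9E24 only holds for that one regedit build, so the following added example (not the commenter's code, and not from the article) locates the field through the headers instead: e_lfanew at offset 0x3C, the "PE\0\0" signature, the 20-byte COFF header, then the optional header, in which Subsystem sits at offset 68 for both PE32 and PE32+. The sample image is a constructed byte string with just enough header to exercise the code; it is not a real executable, and whether a console-subsystem regedit bypasses the association is the commenter's claim, not something the example tests.

```python
"""Locate and flip the Subsystem field of a PE optional header.

Added example (not code from the article or the comment). Finds the field via
e_lfanew -> "PE\0\0" -> COFF header -> optional header rather than a fixed
file offset. build_sample_image() is a constructed, non-runnable PE shape.
"""
import struct
import sys

IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SUBSYSTEM_OFFSET = 68   # offset of the 2-byte Subsystem field inside the optional header


def subsystem_offset(image: bytes) -> int:
    """Return the file offset of the Subsystem field, validating the headers on the way."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if size_of_optional < SUBSYSTEM_OFFSET + 2 or len(image) < opt + SUBSYSTEM_OFFSET + 2:
        raise ValueError("optional header too short to hold Subsystem")
    return opt + SUBSYSTEM_OFFSET


def get_subsystem(image: bytes) -> int:
    return struct.unpack_from("<H", image, subsystem_offset(image))[0]


def set_subsystem(image: bytes, value: int) -> bytes:
    """Return a copy of the image with the Subsystem field set to value."""
    buf = bytearray(image)
    struct.pack_into("<H", buf, subsystem_offset(image), value)
    return bytes(buf)


def build_sample_image(magic: int = PE32_MAGIC) -> bytes:
    """Constructed minimal PE-shaped bytes for the demo: DOS stub, signature, COFF, optional header."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224 if magic == PE32_MAGIC else 240
    machine = 0x14C if magic == PE32_MAGIC else 0x8664
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, SUBSYSTEM_OFFSET, IMAGE_SUBSYSTEM_WINDOWS_GUI)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_subsystem.py <input.exe> <output.exe>  (writes a console-subsystem copy)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        print(f"Subsystem field at {subsystem_offset(data):#x}, value {get_subsystem(data)}")
        with open(sys.argv[2], "wb") as f:
            f.write(set_subsystem(data, IMAGE_SUBSYSTEM_WINDOWS_CUI))
    else:
        sample = build_sample_image()
        print("sample subsystem:", get_subsystem(sample),
              "->", get_subsystem(set_subsystem(sample, IMAGE_SUBSYSTEM_WINDOWS_CUI)))
```

Only the two Subsystem bytes change; the PE checksum is not recomputed, which matches the commenter's raw hex edit. Driver-style or signed binaries would need more than this, but a plain user-mode executable of that era loads fine with a stale checksum.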
General: Re: drat trojan, possible solution ... (saqib chuadhry, 14-Jul-06 1:16)



Last Updated 15 Jan 2001
Article Copyright 2001 by Mumtaz Zaheer
Everything else Copyright © CodeProject, 1999-2014