VERSIONS AFFECTED

  • Microsoft Windows NT 4.0 Workstation
  • Microsoft Windows NT 4.0 Server
  • Microsoft Windows NT 4.0 Server, Enterprise Edition
  • Microsoft Windows NT 4.0 Server, Terminal Server Edition
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

DESCRIPTION

According to the discoverer, Windows uses a specific search order to locate executables that are defined in the Registry. If those definitions use relative path names instead of absolute path names, it is possible to cause a Trojan to run instead of the legitimate executable. The search order used is as follows:

  • The directory where the calling application loaded from
  • The current directory of the parent process
  • The 32-bit Windows system directory: System32
  • The 16-bit Windows system directory: System
  • The Windows directory: %SYSTEMROOT%
  • The directories listed in the PATH environment variable

DEMONSTRATION

During the system boot sequence, any file named EXPLORER.EXE located in the boot drive's root directory will load instead of the legitimate version, normally located in the %SYSTEMROOT% directory.
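The following Python script is an added example, not part of the original advisory or of Microsoft's fix. It audits a set of registry-style command strings for relative executable names, simulates the search order listed above to show where a relative name would resolve (the boot case from the demonstration: the caller runs from System32 and the parent's current directory is the boot drive root), and rewrites relative entries to the absolute form that removes the exposure. The registry entries, directory listing, %SYSTEMROOT% value and PATH are all constructed sample data; the caller directory and current directory used as defaults are assumptions for the sample.

```python
"""Audit registry command entries for relative executable names and
simulate the Windows executable search order (added example)."""
import ntpath

# Constructed sample environment; not read from a real machine.
SYSTEMROOT = r"C:\WINNT"
PATH_ENV = r"C:\WINNT\System32;C:\WINNT"

# Constructed directory listing: the legitimate shell in %SYSTEMROOT%, a
# same-named file in the boot drive root (the advisory's demonstration),
# and two helper programs in System32.
SAMPLE_FILES = {
    r"C:\explorer.exe",
    r"C:\WINNT\explorer.exe",
    r"C:\WINNT\System32\userinit.exe",
    r"C:\WINNT\System32\agent.exe",
}

# Constructed registry-style entries: value name -> command string.
SAMPLE_ENTRIES = {
    "Winlogon\\Shell": "Explorer.exe",                   # relative name
    "Winlogon\\Userinit": r"C:\WINNT\System32\userinit.exe",
    "Run\\Agent": "agent.exe /start",                     # relative name
    "Run\\Hardened": r'"C:\WINNT\explorer.exe" /n',
}


def executable_of(command: str) -> str:
    """Pull the program token out of a registry command string."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_absolute(exe: str) -> bool:
    """True only for a drive-qualified, rooted path such as C:\\WINNT\\x.exe."""
    drive, rest = ntpath.splitdrive(exe)
    return bool(drive) and rest.startswith(("\\", "/"))


def search_order(app_dir: str, current_dir: str) -> list:
    """Directories in the order the advisory says Windows consults them."""
    order = [
        app_dir,                               # where the caller loaded from
        current_dir,                           # parent's current directory
        ntpath.join(SYSTEMROOT, "System32"),   # 32-bit system directory
        ntpath.join(SYSTEMROOT, "System"),     # 16-bit system directory
        SYSTEMROOT,                            # Windows directory
    ]
    return order + [p for p in PATH_ENV.split(";") if p]


def resolve(exe: str, app_dir: str, current_dir: str, files=SAMPLE_FILES):
    """Return the path the program name resolves to, or None if not found."""
    lookup = {f.lower() for f in files}
    if is_absolute(exe):
        return exe if exe.lower() in lookup else None
    for directory in search_order(app_dir, current_dir):
        candidate = ntpath.join(directory, exe)
        if candidate.lower() in lookup:
            return candidate          # first match wins; later dirs ignored
    return None


def audit(entries=SAMPLE_ENTRIES,
          app_dir=ntpath.join(SYSTEMROOT, "System32"),   # assumed caller dir
          current_dir="C:\\"):                            # assumed boot case
    """Report, per entry, whether the program is named relatively and where
    it would resolve under the given caller/current directories."""
    findings = []
    for name, command in entries.items():
        exe = executable_of(command)
        resolved = resolve(exe, app_dir, current_dir)
        inside = bool(resolved) and resolved.lower().startswith(
            SYSTEMROOT.lower() + "\\")
        findings.append({"entry": name, "relative": not is_absolute(exe),
                         "resolved": resolved, "inside_systemroot": inside})
    return findings


def harden(command: str, legitimate_dir: str) -> str:
    """Rewrite a relative command so the program is named by absolute path,
    quoting it and preserving any arguments. Absolute commands pass through."""
    stripped = command.strip()
    exe = executable_of(stripped)
    if is_absolute(exe):
        return stripped
    prefix_len = len(exe) + (2 if stripped.startswith('"') else 0)
    args = stripped[prefix_len:].strip()
    return f'"{ntpath.join(legitimate_dir, exe)}" {args}'.rstrip()


if __name__ == "__main__":
    for f in audit():
        flag = "RELATIVE" if f["relative"] else "absolute"
        print(f"{f['entry']:20} {flag:9} -> {f['resolved']}")
    print(harden(SAMPLE_ENTRIES["Winlogon\\Shell"], SYSTEMROOT))
```

Run as-is, the audit shows the relative Shell entry resolving to the root-directory copy rather than the one in %SYSTEMROOT%, while the relative Run entry happens to land in System32 only because nothing earlier in the order shadows it; both are still flagged as relative, since the safe state is an absolute, quoted path, which `harden` produces.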

VENDOR RESPONSE

Microsoft released a FAQ, Support Online article Q269049, as well as patches for Windows 2000 and NT 4.0.

CREDIT

Discovered by Alberto Argones