McAfee Security Scanner Plus Rogue Binary Execution

2014.04.18
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Hi @ll,

the $*&#ware by the name of "McAfee Security Scanner Plus" that Adobe dares to push to unsuspecting users of Microsoft Windows trying to get flash player from their main distribution page <hxxp://get.adobe.com/flashplayer/> was developed, packaged and tested by people who obviously never heard of "long" filenames which may contain spaces.

From <http://msdn.microsoft.com/library/cc144175.aspx> or <http://msdn.microsoft.com/library/cc144101.aspx>:

| Note: If any element of the command string contains or might contain
| spaces, it must be enclosed in quotation marks. Otherwise, if the
| element contains a space, it will not parse correctly. For instance,
| "My Program.exe" starts the application properly. If you use
| My Program.exe without quotation marks, then the system attempts to
| launch My with Program.exe as its first command line argument. You
| should always use quotation marks with arguments such as "%1" that are
| expanded to strings by the Shell, because you cannot be certain that
| the string will not contain a space.

When the unsuspecting Joe Average clicks the "Install now" button on the above mentioned download page, but forgets to deselect the "optional offer" McAfee Security Scanner Plus before, a file named "install_flashplayer13x32_mssa_aaa_aih.exe" is downloaded to directory "C:\Users\Joe Average\Downloads".

Following the instructions displayed after the download, Joe Average opens the download directory and double clicks "install_flashplayer13x32_mssa_aaa_aih.exe". On recent versions of Microsoft Windows this triggers the user account control, asking Joe Average for consent to continue with administrative privileges.

"install_flashplayer13x32_mssa_aaa_aih.exe" now copies itself to the TEMP directory and executes its copy with the argument (note the missing quotes.-)

    {RemoveFile:C:\Users\Joe Average\Downloads\install_flashplayer13x32_mssa_aaa_aih.exe}

The copy then downloads its payload "gtbcheck.exe", "install_flash_player.exe" and "SecurityScan_Release.exe" into the directory "C:\Users\Joe Average\AppData\Local\Adobe\AIH.<40_hex_digits>\" and executes these three programs in succession.

The last, "SecurityScan_Release.exe", an NSIS installer, unpacks its payload into directory "C:\Program Files\McAfee Security Scan\<version>\" and calls Windows' CreateProcess() function (see above) with the UNQUOTED command line

    C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /Service

This command line now runs the rogue program C:\Program.exe which was placed there waiting for some dimwit of a developer to call CreateProcess() with an unquoted command line.

Fortunately Joe Average (really: his Administrator) had a hunch and placed <http://home.arcor.de/skanthak/download/SENTINEL.EXE> as C:\Program.exe on his system, which displayed a message box to Joe Average informing him that some crappy software may have just run malware on his PC.

This caught the silly beginner's mistake of a company that brags with

| For award-winning customer service, please visit our Web
| site that will have answers to almost all questions concerning
| our company:
| ==> http://service.mcafee.com

in automated replies to mail sent to <support@mcafee.com> but does not provide a mailbox to report bugs or vulnerabilities.

JFTR: English versions of Windows have had a "Program Files" directory for nearly 20 years now. That should REALLY be enough time for EVERY programmer to learn how to properly handle pathnames with spaces.

To complete the story: when Joe Average noticed what was done to him he opened the Windows control panel and went to uninstall programs, then selected "McAfee ..." and clicked "uninstall".

This started "C:\Program Files\McAfee Security Scan\uninstall.exe" which unpacked its payload "Au_.exe" (see above: it's an NSIS installer) to TEMP and called it with the argument (again note the missing quotes)

    _?=C:\Program Files\McAfee Security Scan\

"Au_.exe" in turn called Windows' CreateProcess() function with the (you guessed it) UNQUOTED command line

    C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /unregserver

which again led to execution of C:\Program.exe

regards
Stefan Kanthak
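The following is an added example, not part of Stefan Kanthak's post and not code from McAfee, Adobe or NSIS. It models the executable-name probing that Microsoft documents for CreateProcess() when lpApplicationName is NULL: the module name is cut at each space in turn, ".exe" is appended when the cut-off prefix has no extension, and the first file that exists is run. Applied to the two command lines in the post, it lists every location that is probed before McCHSvc.exe (the places an administrator should verify are empty, or, as the post does, occupy with a benign canary), and shows that quoting the module name reduces the probe list to a single path. The "file system" is a constructed set of paths so the script runs offline; the function names are my own.

```python
"""Model of CreateProcess() executable resolution for unquoted command lines.

Added example (not from the post).  The probing order follows Microsoft's
CreateProcess() documentation for a NULL lpApplicationName.  The "file
system" is a constructed set of paths so that this runs offline.
"""
from __future__ import annotations

import ntpath


def createprocess_candidates(command_line: str) -> list[str]:
    """Return the paths CreateProcess() probes for the executable, in order.

    A command line whose first token is double-quoted yields exactly one
    candidate; an unquoted one yields a candidate for every space in it.
    """
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return [command_line[1:end if end != -1 else len(command_line)]]

    candidates: list[str] = []
    cut = command_line.find(" ")
    while True:
        prefix = command_line if cut == -1 else command_line[:cut]
        # Skip empty prefixes produced by leading or repeated spaces.
        if prefix and not prefix.endswith(" "):
            # ".exe" is appended only when the last component has no extension.
            if not ntpath.splitext(ntpath.basename(prefix))[1]:
                prefix += ".exe"
            candidates.append(prefix)
        if cut == -1:
            break
        cut = command_line.find(" ", cut + 1)
    return candidates


def resolve(command_line: str, existing_files: set[str]) -> str | None:
    """Return the file CreateProcess() would run given the files that exist
    (compared case-insensitively, as NTFS does), or None if none matches."""
    present = {p.lower() for p in existing_files}
    for candidate in createprocess_candidates(command_line):
        if candidate.lower() in present:
            return candidate
    return None


def shadowing_paths(command_line: str, intended_exe: str) -> list[str]:
    """Audit helper: the locations probed *before* the intended executable.

    A file at any of them runs instead of intended_exe, so a defender checks
    that none exist (or plants a benign canary there, as the post's
    SENTINEL.EXE does) and fixes the quoting in the caller.
    """
    probed: list[str] = []
    for candidate in createprocess_candidates(command_line):
        if candidate.lower() == intended_exe.lower():
            return probed
        probed.append(candidate)
    raise ValueError("intended executable is never probed; is the path mistyped?")


def quoted_command_line(exe_path: str, arguments: str) -> str:
    """The command line the installer should have built: quoted module name,
    then its arguments."""
    return f'"{exe_path}" {arguments}'


# The command line from the post and the binary it was meant to start.
INTENDED = r"C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe"
UNQUOTED = INTENDED + " /Service"

# Constructed stand-ins for the file system: a clean machine, and one where
# the administrator placed a canary at C:\Program.exe as in the post.
FS_CLEAN = {INTENDED}
FS_WITH_CANARY = {INTENDED, r"C:\Program.exe"}

if __name__ == "__main__":
    for path in createprocess_candidates(UNQUOTED):
        print("probes:", path)
    print("unquoted, clean machine  ->", resolve(UNQUOTED, FS_CLEAN))
    print("unquoted, canary present ->", resolve(UNQUOTED, FS_WITH_CANARY))
    print("quoted,   canary present ->",
          resolve(quoted_command_line(INTENDED, "/Service"), FS_WITH_CANARY))
    print("must not exist:", shadowing_paths(UNQUOTED, INTENDED))
```

The same model applies unchanged to the uninstaller's "McCHSvc.exe /unregserver" call, since the module-name prefix is identical; only the quoted form makes the probe list independent of what happens to sit at C:\Program.exe, C:\Program Files\McAfee.exe or C:\Program Files\McAfee Security.exe.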


Copyright 2024, cxsecurity.com