5 Replies Latest reply on Jan 7, 2010 4:49 AM by Attila Polinger

    Buffer Overflow - explorer.exe KERNEL32.CreateFileA


      Does anyone know about the following buffer overflows:


      Process                 Module.Function             Type
      C:\WINNT\explorer.exe   ADVAPI32.RegCreateKeyExA    BO:Writable BO:Heap
      C:\WINNT\explorer.exe   ADVAPI32.RegOpenKeyExA      BO:Writable BO:Heap
      C:\WINNT\explorer.exe   KERNEL32.CreateFileA        BO:Writable BO:Heap


      They occur - with these 3 positions - every day on different systems - the first was a PC with a mail containing a link to an internal local server share;

      if you click on this link the buffer overflow occurs.


      Could anyone help me?

        • 1. Re: Buffer Overflow - explorer.exe KERNEL32.CreateFileA

          Generally you will find that Buffer Overflows occur because of either poor programming in an application, or a security vulnerability that exists on your machine that a rogue computer (or application) is attempting to exploit.


          In your case, I believe the cause of your errors is another computer attempting to exploit vulnerabilities in the Microsoft Windows Operating system.


          First off, use WindowsUpdate to security patch your system. After applying all recommended updates and rebooting, do the errors still occur?

          • 2. Re: Buffer Overflow - explorer.exe KERNEL32.CreateFileA

            Hello ,


            Thank you for the fast reply - we use WSUS to patch the systems - but we don't know if it is a new vulnerability or something else ???

            In India and Brazil we have seen many W32\rimecud and W32\rimecud!mem on an explorer.exe - it could also be a new

            variant of it ??? Patches should be OK - this works fine (we roll them out rapidly).

            We need to catch it - but how ?





            Additional Details: ePO 3.61 Virusscan 8.7 Patch 1 Windows XP SP3 on 07.01.10 11:44:42 MEZ
            • 3. Re: Buffer Overflow - explorer.exe KERNEL32.CreateFileA

              If the Windows patches are up to date, then I would be hesitant to think that it is a cause - although those two DLLs are vulnerable to quite a few Microsoft Security Vulnerabilities.


              Perhaps involve McAfee support to analyse a crashdump and get their opinion on what is causing it?


              Mo Aziz has some good advice here: http://community.mcafee.com/message/101424#101424



              Message was edited by: Mal09 on 07/01/10 10:47:45 GMT
              • 4. Re: Buffer Overflow - explorer.exe KERNEL32.CreateFileA
                Attila Polinger



                I would say, most likely, some malware has tried to plant itself on the system and VirusScan might have blocked this attempt. Explorer.exe, as a process, has a launch key in the registry, where everything that is registered there will be loaded under this process. You can check what other programs have been registered to load with Explorer: look at HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks. Here are registrations referring to another registry branch, where the actual file (.DLL for example) path/name can be found.


                On a system where these buffer overflows are detected by VirusScan, the offending code might be activated as described above. It is advised to enable some Access Protection rules also, which would prevent code from planting itself under Explorer.exe on all computers, like "Prevent programs registering to autorun."


                To kill the code which is activated, kill Explorer.exe, then restart it using Task Manager (Ctrl-Alt-Del); it won't load the code again (until the next reboot, if the above regkeys are still present).





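The registry walk described in the reply above, as an added example that is not part of the thread: it lists every CLSID registered under Explorer's ShellExecuteHooks key, resolves each one to the DLL Explorer.exe will load via HKCR\CLSID\{...}\InprocServer32, and reports whether that file exists and carries a valid Authenticode signature. The key path and the InprocServer32 lookup are standard Windows; the function name is my own.

```powershell
# Added example (not from the thread): enumerate Explorer's ShellExecuteHooks and
# resolve each registration to the DLL it loads. Run in an elevated PowerShell
# session on an affected machine; written for PowerShell 2.0-era cmdlets.
$hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

function Get-ShellExecuteHooks {
    if (-not (Test-Path $hookKey)) {
        Write-Warning "ShellExecuteHooks key not present: $hookKey"
        return
    }
    $key = Get-Item $hookKey
    foreach ($clsid in $key.GetValueNames()) {
        # Each value name is a CLSID; the DLL path is the default value of
        # HKCR\CLSID\{clsid}\InprocServer32, the description the default of HKCR\CLSID\{clsid}.
        $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $serverKey = "$clsidKey\InprocServer32"
        $dll = $null; $desc = $null
        if (Test-Path $serverKey) {
            $dll  = (Get-ItemProperty $serverKey).'(default)'
            $desc = (Get-ItemProperty $clsidKey).'(default)'
        }
        # Paths are often stored with %SystemRoot%; expand before checking the file.
        $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
        $sig = 'NoInprocServer32'
        if ($path) {
            $sig = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'FileMissing' }
        }
        New-Object -TypeName PSObject -Property @{
            CLSID       = $clsid
            Description = $desc
            Dll         = $path
            Signature   = $sig   # 'Valid' from a Microsoft binary is expected; anything else deserves a look
        }
    }
}

Get-ShellExecuteHooks | Format-Table CLSID, Description, Dll, Signature -AutoSize
```

On 64-bit Windows the same check should be repeated under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks for 32-bit hooks.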
                • 5. Re: Buffer Overflow - explorer.exe KERNEL32.CreateFileA

                  Hello Mal09,


                  McAfee is already analysing this case and dump file - I would only look at the community additionally, to get more input.