Windows Shell Vulnerability, Fix Inside

Martin Brinkmann
Jul 17, 2010
Updated • Dec 12, 2014

A recently discovered vulnerability in Windows Shell allows remote code execution on affected computer systems if exploited correctly. A security advisory that was posted yesterday on Microsoft's Technet website confirms limited, targeted attacks that are exploiting a vulnerability in Windows Shell and the parsing of .lnk files.

Attackers can exploit the vulnerability to infect Windows operating systems during the connection of removable drives, if autoplay is enabled on the system. The attack uses a specifically prepared lnk-file, containing code that is executed because Windows Shell does not parse that parameter sufficiently.

Affected are all Microsoft operating systems since (and including) Windows XP. Microsoft mentions other attack scenarios besides removable devices. The vulnerability can also be exploited via WebDAV or network shares.

Microsoft mentions three mitigating factors in the security advisory. A successful attack will give the attacker the same rights as the active user. Limited usage rights would mean that the attack could have less impact than an attack on a system where the user has administrative rights.

Systems with autoplay disabled cannot be attacked during connection. A user would have to launch "Windows Explorer or a similar application and browse to the root folder of the removable disk" for the attack to be started.

Finally, "Blocking outbound SMB connections on the perimeter firewall will reduce the risk of remote exploitation using file shares".

A patch is currently not offered, a workaround exists however. The following steps need to be completed to protect a computer system:

Disable the displaying of icons for shortcuts

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  1. Click Start, click Run, type Regedit in the Open box, and then click OK
  2. Locate and then click the following registry key:
  3. Click the File menu and select Export
  4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click SaveNote This will create a backup of this registry key in the My Documents folder by default
  5. Select the value (Default) on the right hand window in the Registy Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.
  6. Restart explorer.exe or restart the computer.

Impact: Will disable all shortcut icons, which means for instance that all Windows 7 taskbar items or start menu items are showing as white icons, which makes identification hard to impossible.

Microsoft suggests to disable the WebClient service to block the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service.

To disable the WebClient Service, follow these steps:

  • Click Start, click Run, type Services.msc and then click OK.
  • Right-click WebClient service and select Properties.
  • Change the Startup type to Disabled. If the service is running, click Stop.
  • Click OK and exit the management application.

Additional information are available at the Microsoft Security Advisory page and the Wilders Security forum.

Modules of current malware were first time detected by "VirusBlokAda" ( company specialists on the 17th of June, 2010 and were added to the anti-virus bases as Trojan-Spy.0485 and Malware-Cryptor.Win32.Inject.gen.2. During the analysis of malware there was revealed that it uses USB storage device for propagation.

You should take into consideration that virus infects Operation System in unusual way through vulnerability in processing lnk-files (without usage of autorun.inf file).

So you just have to open infected USB storage device using Microsoft Explorer or any other file manager which can display icons (for i.e. Total Commander) to infect your Operating System and allow execution of the malware.

Malware installs two drivers: mrxnet.sys and mrxcls.sys. They are used to inject code into systems processes and hide malware itself. That's the reason why you can't see malware files on the infected USB storage device. We have added those drivers to anti-virus bases as Rootkit.TmpHider and SScope.Rookit.TmpHider.2. Note that both drivers are signed with digital signature of Realtek Semiconductor Corp. (

Thus, current malware should be added to very dangerous category causes the risk of the virus epidemic at the current moment.

After we have added a new recordes to the anti-virus bases we are admitting a lot of detections of Rootkit.TmpHider and SScope.Rookit.TmpHider.2 all over the world.

Expect a patch soon that is addressing the issue.


Previous Post: «
Next Post: «


  1. Anonymous said on July 19, 2010 at 3:18 pm

    lol, just try to use any windows without displayed links…

    boot to the head and welcome to the command line.

  2. Registry Cleanup said on July 18, 2010 at 8:14 pm

    I was not aware of this problem so thanks for letting us all know.. time to fix it.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.