
Hidden Registry Entries

Having trouble getting rid of that dang malware on a Windows system? Does it keep starting up even though there are no obvious means by which it is doing so? Maybe it’s using a hidden registry entry.

Secunia has an advisory (http://secunia.com/advisories/16560/) about the Windows registry editors, REGEDIT and REGEDT32. If one creates a string in a registry key that is "overly long", that string and any subsequent entries in the key will be hidden from view in the two GUI registry editors. It's not clear whether this is inappropriate defensive programming or a buffer overflow.

Secunia may have just stumbled across this by accident, but it's more likely that malware is actively exploiting this weakness. SANS ISC has some workarounds (http://isc.sans.org/diary.php?date=2005-08-24).
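As an added example (not code from the original post or from Secunia/SANS), here is a Python script that walks the usual autostart Run keys through the winreg API, which lists every value regardless of how the GUI editors render them, and flags values whose names are long enough to trigger the hiding. The length threshold, the key list and the sample entries are assumptions; the post gives no exact figure.

```python
import sys
# Assumed cut-off for an "overly long" value name; the post gives no
# figure, so tune this to the length the advisory describes.
DEFAULT_THRESHOLD = 254
# Common autostart keys, relative to HKLM and HKCU (assumed list).
RUN_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
]

def suspicious_values(values, threshold=DEFAULT_THRESHOLD):
    """Return the (name, data) pairs whose name is at least `threshold`
    characters long. Takes plain pairs so it can run on offline data."""
    return [(name, data) for name, data in values if len(name) >= threshold]

def enumerate_values(root, subkey):
    """Yield every (name, data) pair under a key using the winreg API,
    which lists entries regardless of how REGEDIT/REGEDT32 display them."""
    import winreg  # imported here so the module loads on non-Windows hosts
    try:
        with winreg.OpenKey(root, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:  # no more values under this key
                    break
                yield name, data
                index += 1
    except OSError:  # key absent or not readable
        return

def scan_autostart(threshold=DEFAULT_THRESHOLD):
    """Scan the Run keys in both hives; returns (hive, key, name, data) hits."""
    import winreg
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    return [(hive, sub, name, data)
            for hive, root in hives for sub in RUN_KEYS
            for name, data in suspicious_values(enumerate_values(root, sub), threshold)]

# Constructed sample data (hypothetical): one ordinary value and one whose
# 300-character name would push it, and anything after it, out of view.
SAMPLE_VALUES = [
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),
    ("A" * 300, r"C:\Windows\Temp\hidden.exe"),
]

if __name__ == "__main__":
    hits = scan_autostart() if sys.platform == "win32" else suspicious_values(SAMPLE_VALUES)
    for hit in hits:  # name is second-to-last, data is last, in both shapes
        print("suspicious value name (%d chars): %s" % (len(hit[-2]), hit[-1]))
```

On a non-Windows host the script runs against the constructed sample only; on Windows it reads the live Run keys, and a hit is worth comparing against what the GUI editor shows for the same key.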