Back in November 2007, I’ve seen this technique used by one of the variant of Worm called W32/Drom. The technique was not to execute the malicious file or component of the worm but to prevent Antivirus Program from running.  The Worm queries the following Antivirus registries to get the Installation Path, once acquired, it creates a folder named “ws2_32.dll” with Hidden and System attributes on that location.

regkeys

As I test this technique, it prevented the program from running as it first loads the “ws2_32.dll” folder in the current directory.

The author of this worm may have tested that the aforementioned Antivirus programs call the DLL “_ws2_32.dll”_not using the full path name, but instead it uses only the file name. The search path used by windows to locate a DLL has been exploited by the author of this worm to evade certain program from running.

And now 2010, another DLL Hijacking technique was introduced which may have been used by the attacker to infect the system. The technique is to drop file with a vulnerable file type together with the malicious DLL from within a directory controlled by the attacker.

We expect malwares using this technique and detect this malware.