From: Barry Dorrans (barrydBANN.CO.UK)
Date: Mon Apr 29 2002 - 04:34:47 CDT


    Folks,

    About a month ago we noticed Tiscali icons (Windows URL shortcuts)
    appearing on work desktops. This was tracked back to Real One
    (eventually).

    We hunted around in the registry, discovering a real program,
    interestingly named evntsvc (which looks like an attempt to blend the
    process in with other Windows processes). We removed the registry entry
    and thought no more about it.

    Last week, the dropped icon reappeared on our senior developer's
    machine. Lo and behold, the startup registry entry is back.

    Note that the icon dropping is done when your machine is idle. We've had
    an icon dropped at 6:00am in the morning on a Sunday (not a normal time
    for developers to be awake!), so Real is communicating back somewhere.

    I wouldn't have brought this up, but the fact that it adds itself back
    in is worrying. As for dropping icons, who knows what else it could
    drop?

    Details:

    RealPlayer version: 6.0.10.505 RealOne 'Free' package

    Registry Key Location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Key Name: TkBellExe
    Value: C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

    Put there unconditionally when RealOne is installed, stays there, and is
    recreated/updated when RealOne is started if you try to delete or change
    it. There is no option to disable this behaviour, although there IS an
    option within RealOne which supposedly makes it actively do stuff only
    when RealOne is being executed.

    This is under "Internet Settings" as "Only perform automatic services
    while RealOne Player is in use". When you try to enable this option,
    it begs you not to. When you enable it, it still DOES NOT remove the
    above registry key; however, the evntsvc.exe process is terminated when
    RealOne is exited, and from that point on is started and closed in
    tandem with RealOne.

    Note that the 'Run' registry key is still there, so I assume it doesn't
    *allow* itself to start when RealOne isn't running.

    Regardless of the above setting, the TkBellExe registry key is still
    recreated/updated every time RealOne is run.

    So far the only apparent action of the evntsvc process was to create a
    desktop shortcut link to Tiscali's website, early in the morning. The
    initial memory footprint is 143kb - same as the exe size - in RAM and
    about 450kb paged.

    There is a resolution: it seems that if you delete evntsvc.exe, then
    RealOne does not complain about not being able to run it, and it no
    longer creates the registry key. It's not exactly a documented technique
    though.

    ~

    Barry Dorrans - barrydidunno.org / barrydbann.co.uk
    Alex Fedida - alexsqueaple.net
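
An added example, not part of the post above and not RealNetworks' code: a PowerShell script that snapshots the HKLM Run key the post names, reports entries that appear, change or vanish relative to that snapshot (which is how you would confirm the post's claim that TkBellExe is recreated every time RealOne starts), and removes a named entry. The key path and the TkBellExe value name come from the post; the baseline file location and the function names are assumptions of this example.

```powershell
# Added example (not from the original post). Audit the HKLM Run key,
# diff it against a saved baseline, and optionally remove one entry.
# Must be run from an elevated PowerShell, since the key lives under HKLM.

$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # from the post
$Baseline = Join-Path $env:ProgramData 'run-baseline.json'          # assumed location

# Property names the registry provider attaches to every item; not real values.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunEntries {
    # Returns one object per Run value: Name (value name) and Command (its data).
    $item = Get-ItemProperty -Path $RunKey
    foreach ($p in $item.PSObject.Properties) {
        if ($ProviderProps -contains $p.Name) { continue }
        [pscustomobject]@{ Name = $p.Name; Command = [string]$p.Value }
    }
}

function Save-RunBaseline {
    # Take the snapshot on a machine you consider clean.
    @(Get-RunEntries) | ConvertTo-Json | Set-Content -Path $Baseline -Encoding UTF8
    Write-Host "Baseline written to $Baseline"
}

function Compare-RunBaseline {
    # Prints [NEW], [CHANGED] and [REMOVED] lines relative to the saved snapshot.
    if (-not (Test-Path $Baseline)) {
        throw "No baseline at $Baseline; run Save-RunBaseline first."
    }
    $old = @(Get-Content -Path $Baseline -Raw | ConvertFrom-Json)
    $new = @(Get-RunEntries)

    foreach ($e in $new) {
        $prev = $old | Where-Object { $_.Name -eq $e.Name }
        if (-not $prev) {
            "[NEW]     $($e.Name) = $($e.Command)"
        } elseif ($prev.Command -ne $e.Command) {
            "[CHANGED] $($e.Name): '$($prev.Command)' -> '$($e.Command)'"
        }
    }
    foreach ($e in $old) {
        if (-not ($new | Where-Object { $_.Name -eq $e.Name })) {
            "[REMOVED] $($e.Name) (was $($e.Command))"
        }
    }
}

function Remove-RunEntry {
    # Deletes a single Run value by name and reports what it pointed at.
    param([Parameter(Mandatory = $true)][string]$Name)
    $entry = Get-RunEntries | Where-Object { $_.Name -eq $Name }
    if (-not $entry) {
        Write-Host "No Run value named '$Name' present."
        return
    }
    Write-Host "Removing '$Name' -> $($entry.Command)"
    Remove-ItemProperty -Path $RunKey -Name $Name
}

# Typical use, following the sequence described in the post:
#   Save-RunBaseline                 # once, after removing the entry by hand
#   Compare-RunBaseline              # after starting RealOne: does TkBellExe reappear?
#   Remove-RunEntry -Name 'TkBellExe'
```

Run Compare-RunBaseline again after the player has been started and closed; a [NEW] or [CHANGED] line for TkBellExe is the observable behaviour the post describes. The same three functions work for any other Run value, so the script doubles as a general autostart-drift check.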