http://bugs.winehq.org/show_bug.cgi?id=14285
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht@gmx.net
--- Comment #4 from Anastasius Focht focht@gmx.net 2008-07-13 17:58:51 ---
Hello,
amazing how many different versions/builds/mods of this malware^H^H^H^H^H^H^Hnuisance exist. A bit of googling and I found this list of various Messenger versions out in the wild: http://www.msgshit.com/downloads/cat/MSN%20Versions
The v8.5 download there links to http://get.live.com/ which provides some "Windows Live" installer "WLInstaller.exe". That one isn't useful at all because it depends on Windows Update Agent/Client.
I found one "Windows Live Messenger 2008 v8.5" msi installer package here: http://dl11.chip.de/download/5aa1434a3fb22b6a544241770d32fd7a/487a43f0/56831...
Bug reporter: please provide a download link next time, where you got the stuff from.
In short: There is no installer gui to be shown and the app installs despite errors/fixme's!
Initially I did:
WINEDEBUG=+tid,+seh,+msi,+relay
Which showed some custom actions failing.
--- snip ---
002c:Ret PE DLL (proc=0x5b599b,module=0x5a0000 L"msi2b7d.tmp",reason=PROCESS_ATTACH,res=(nil)) retval=1
..
002c:trace:msi:ACTION_CallDllFunction calling L"_RefreshIEElevationPolicies@4"
..
002c:Call msi.MsiRecordSetStringW(00000003,00000000,0020ff00 L"e:\bt\248768\client\setup\customaction\coresetupca.cpp(162) +++++RefreshIEElevationPolicies starts+++++") ret=005b3b06
..
002c:Call KERNEL32.LoadLibraryW(7ed544fc L"C:\windows\system32\ieframe.dll") ret=005adf14
002c:Ret KERNEL32.LoadLibraryW() retval=00000000 ret=005adf14
..
002c:Call msi.MsiRecordSetStringW(00000003,00000000,0020ff00 L"e:\bt\248768\client\setup\customaction\coresetupca.cpp(162) +++++RefreshIEElevationPolicies failed with error code 0x8007007e+++++") ret=005b3b06
..
002c:trace:msi:DllThread custom action (2c) returned 4317
--- snip ---
Looks like it needs some Internet Exploder libraries (ieframe.dll). After copying ieframe.dll and iertutil.dll (dependency) from XP one encounters this:
--- snip ---
0026:Ret PE DLL (proc=0x7e1e772c,module=0x7e1e0000 L"ieframe.dll",reason=PROCESS_ATTACH,res=(nil)) retval=1
0026:Ret KERNEL32.LoadLibraryW() retval=7e1e0000 ret=0164df14
0026:Call KERNEL32.GetProcAddress(7e1e0000,01643000 "IERefreshElevationPolicy") ret=0164df26
0026:Ret KERNEL32.GetProcAddress() retval=00000000 ret=0164df26
..
0026:Call msi.MsiRecordSetStringW(00000003,00000000,006b0a90 L"e:\bt\248768\client\setup\customaction\inc\commonca.h(458) Failed to GetProcAddress for IERefreshElevationPolicy. hr = 0x8007007f") ret=01653b06
0026:Call msi.MsiRecordSetStringW(00000003,00000000,006aad60 L"e:\bt\248768\client\setup\customaction\coresetupca.cpp(162) +++++RefreshIEElevationPolicies failed with error code 0x8007007f+++++") ret=01653b06
--- snip ---
Seems this export is only present on IE7+. After copying both dlls from IE7 installation one encounters the following:
--- snip ---
003f:Ret KERNEL32.LoadLibraryW() retval=444c0000 ret=0164df14
003f:Call KERNEL32.GetProcAddress(444c0000,01643000 "IERefreshElevationPolicy") ret=0164df26
003f:Ret KERNEL32.GetProcAddress() retval=4460974e ret=0164df26
003f:Call KERNEL32.CreateMutexW(00000000,00000000,446abdb0 L"Local\LRIEElevationPolicyMutex") ret=446abd05
003f:Ret KERNEL32.CreateMutexW() retval=00000200 ret=446abd05
003f:Call KERNEL32.GetLastError() ret=446abd15
003f:Ret KERNEL32.GetLastError() retval=00000000 ret=446abd15
003f:Call advapi32.ConvertStringSidToSidW(43f62120,7ec2c4cc) ret=43f6248f
003f:fixme:advapi:ParseStringSidToSid String constant not supported: L"LW"
003f:Ret advapi32.ConvertStringSidToSidW() retval=00000000 ret=43f6248f
003f:Call KERNEL32.GetLastError() ret=43f68ea2
003f:Ret KERNEL32.GetLastError() retval=00000539 ret=43f68ea2
..
003f:Call msi.MsiRecordSetStringW(00000003,00000000,006b0468 L"e:\bt\248768\client\setup\customaction\inc\commonca.h(453) Failed to call IERefreshElevationPolicy. hr = 0x80070539") ret=01653b06
..
003c:trace:msi:DllThread custom action (3c) returned 4317
--- snip ---
I called IERefreshElevationPolicy() (http://msdn.microsoft.com/en-us/library/bb544929(VS.85).aspx) from a small test app in Windows XP SP3 with patched IE7 and it fails the same way (that SID string is invalid). After a bit of googling I found this:
http://blogs.msdn.com/ie/archive/2007/06/13/new-api-smoothes-extension-devel...
http://www.profundis.co.uk/peteblog/PermaLink,guid,01eec8dc-9833-445f-99fd-e...
The comments are nice ;-)
--- quote from blog ---
The code sample is so ugly my eyes started bleeding upon reading the first line
..
Not sure if it's correct code, but it sure ain't pretty.
--- quote from blog ---
Indeed the usual M$ brain damage (tm) ...
After searching again very carefully through the MSI log file on Windows (msi /l*v param) I came to the conclusion that some CA's are *expected* to fail causing no harm.
So actually there are no IE7 dll's needed and the installation is fine that way (without any GUI). Look into "C:\Program Files\Windows Live\Messenger" if you don't believe it, the files are there.
Regards
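
Added example (not part of the original comment and not Wine code): a small Python script that pairs the Call/Ret lines of a +relay trace by thread id and return address, lists the API calls that returned zero, and decodes the FACILITY_WIN32 HRESULTs the custom action logged. The names analyze, decode_hresult and ZERO_IS_FAILURE are illustrative; the sample input is a subset of the trace lines quoted above.

```python
import re

# Sample input: a subset of the relay-trace lines quoted in the comment above.
SAMPLE = r'''
002c:Call KERNEL32.LoadLibraryW(7ed544fc L"C:\windows\system32\ieframe.dll") ret=005adf14
002c:Ret KERNEL32.LoadLibraryW() retval=00000000 ret=005adf14
002c:Call msi.MsiRecordSetStringW(00000003,00000000,0020ff00 L"e:\bt\248768\client\setup\customaction\coresetupca.cpp(162) +++++RefreshIEElevationPolicies failed with error code 0x8007007e+++++") ret=005b3b06
0026:Call KERNEL32.GetProcAddress(7e1e0000,01643000 "IERefreshElevationPolicy") ret=0164df26
0026:Ret KERNEL32.GetProcAddress() retval=00000000 ret=0164df26
003f:Call KERNEL32.CreateMutexW(00000000,00000000,446abdb0 L"Local\LRIEElevationPolicyMutex") ret=446abd05
003f:Ret KERNEL32.CreateMutexW() retval=00000200 ret=446abd05
003f:Call advapi32.ConvertStringSidToSidW(43f62120,7ec2c4cc) ret=43f6248f
003f:fixme:advapi:ParseStringSidToSid String constant not supported: L"LW"
003f:Ret advapi32.ConvertStringSidToSidW() retval=00000000 ret=43f6248f
003f:Call msi.MsiRecordSetStringW(00000003,00000000,006b0468 L"e:\bt\248768\client\setup\customaction\inc\commonca.h(453) Failed to call IERefreshElevationPolicy. hr = 0x80070539") ret=01653b06
'''

CALL = re.compile(r'^(\w{4}):Call (\w+)\.(\w+)\((.*)\) ret=(\w+)$')
RET = re.compile(r'^(\w{4}):Ret\s+(\w+)\.(\w+)\(\) retval=(\w+) ret=(\w+)$')
HRESULT = re.compile(r'0x([0-9a-fA-F]{8})')
# APIs for which a zero return value means failure (GetLastError is deliberately absent).
ZERO_IS_FAILURE = {"LoadLibraryW", "GetProcAddress", "ConvertStringSidToSidW"}
# Win32 error codes seen in the quoted traces (values from winerror.h).
WIN32_ERRORS = {0x7E: "ERROR_MOD_NOT_FOUND", 0x7F: "ERROR_PROC_NOT_FOUND", 0x539: "ERROR_INVALID_SID"}

def decode_hresult(hr):
    """Return the Win32 error name for a FACILITY_WIN32 failure HRESULT, else None."""
    if hr >> 16 != 0x8007:  # severity bit set and facility 7 (FACILITY_WIN32)
        return None
    return WIN32_ERRORS.get(hr & 0xFFFF, "win32 error %d" % (hr & 0xFFFF))

def analyze(trace):
    """Pair Call/Ret per (thread id, return address); return (failed calls, logged HRESULTs)."""
    pending, failed, hresults = {}, [], []
    for line in trace.splitlines():
        m = CALL.match(line)
        if m:
            tid, _, func, args, ret = m.groups()
            pending[(tid, ret)] = (func, args)
            hresults += [(tid, n) for h in HRESULT.findall(args) if (n := decode_hresult(int(h, 16)))]
            continue
        m = RET.match(line)
        if m:
            tid, _, func, retval, ret = m.groups()
            call = pending.pop((tid, ret), None)
            if call and func in ZERO_IS_FAILURE and int(retval, 16) == 0:
                failed.append((tid, func, call[1]))
    return failed, hresults
```

Calling analyze() on a full WINEDEBUG=+tid,+relay log gives the failing call together with its arguments, so the missing DLL or export name appears next to the decoded error.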