0wning an Acer notebook

January 8th, 2007 | by Futt | 325 views

Tan Chew Keong over at vuln.sg has some interesting news for owners of Acer notebooks. Apparently they all come with a rootkit preinstalled, in the form of an ActiveX control called “LunchApp.ocx” that is registered and marked “safe for scripting” (that is, any web page embedding the code to launch this app may do so without even presenting a warning to the user).

The ActiveX control, last modified sometime in 1998, is distributed as a part of the operating system install on all Acer notebooks. It is designed to accept a drive letter, executable file, and command line parameters and execute those automatically. Read on for a quick guide to getting rid of it, and a test to see if you have the control active.

On this page, I have embedded an “object” tag that will launch the LunchApp.ocx control if you have it installed on your system. Don’t worry, that is all it will do, but the potential for malice is of course unlimited with this level of access to your local computer. This object will only work on affected Acer notebooks, and only if you use MS Internet Explorer. If you are infected, the Windows Calculator should start when this page loads.

If this trick works on your Acer laptop, you should immediately seek to mitigate the problem. The quickest way to do this is to manually unregister the LunchApp.ocx ActiveX control. You can do this by clicking Start -> Run and entering the following into the dialog box that appears:

regsvr32 -u lunchapp.ocx

This command will unregister the ActiveX control, effectively shutting it down. If you wish, you can now safely delete the file from your system, but unregistering it is enough to ensure that it can no longer be executed. Next, you should make one angry phone call to Acer for screwing you over like that…
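To check for the registration without relying on the calculator test, and to confirm it is gone after running regsvr32, here is an added PowerShell example (not part of the original post or the vuln.sg advisory). It assumes only the file name given above; the CLSID is discovered from the registry rather than hard-coded, and the two category GUIDs are the standard Windows "safe for scripting" and "safe for initializing" component categories.

```powershell
# Added example: list COM classes whose in-process server is lunchapp.ocx and
# report whether the registry marks them safe for scripting/initializing.
$target = 'lunchapp.ocx'   # file name as given in the article
$catids = @{
    Scripting    = '{7DD95801-9882-11CF-9FA9-00AA006C300B}'  # CATID_SafeForScripting
    Initializing = '{7DD95802-9882-11CF-9FA9-00AA006C300B}'  # CATID_SafeForInitializing
}
# Check both the native and the 32-bit (Wow6432Node) registry views.
$roots = 'Registry::HKEY_CLASSES_ROOT\CLSID',
         'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'

$found = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        # InprocServer32's default value holds the path of the DLL/OCX.
        $srv = $key.OpenSubKey('InprocServer32')
        if ($null -eq $srv) { continue }
        $server = [string]$srv.GetValue('')
        if ($server -notlike "*$target*") { continue }

        # "Implemented Categories" subkeys are how a control is registered as safe.
        $cats  = $key.OpenSubKey('Implemented Categories')
        $names = if ($cats) { $cats.GetSubKeyNames() } else { @() }

        [pscustomobject]@{
            CLSID               = $key.PSChildName
            Server              = $server
            FileExists          = Test-Path -LiteralPath $server
            SafeForScripting    = $names -contains $catids.Scripting
            SafeForInitializing = $names -contains $catids.Initializing
        }
    }
}

if ($found) {
    $found | Format-List
    Write-Warning "$target is still registered; run 'regsvr32 -u $target' as above."
} else {
    Write-Output "No COM registration pointing at $target was found."
}
```

A control can also declare itself safe at runtime through the IObjectSafety interface, so an empty category result does not by itself mean a registered control is harmless; the registration itself is what needs to go.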

