From: Russ (Russ.CooperRC.ON.CA)
Date: Sun Aug 05 2001 - 15:19:33 CDT


    -----BEGIN PGP SIGNED MESSAGE-----

    Here are a couple of mitigators to take into consideration based on
    further analysis conducted here at the NTBugtraq Retreat today.

    Trojan's actions, modifying registry entries, will only work when
    their explorer.exe is invoked by a member of the Administrators group
    or SYSTEM.

    This does not appear to be done by the worm itself (which is running
    in SYSTEM context), but relies upon an interactive logon by a member
    of the Administrators group. With the worm making copies of CMD.EXE
    into web accessible and executable directories, it would be possible
    to invoke the Trojan explorer.exe but that would happen in the
    context of IUSR, which has insufficient permissions to make the
    registry changes.

    Further, if we assume the Trojan's intended infection vector was a
    logon by an Administrator, only Windows 2000 machines which have not
    applied SP2 or MS00-052 will run the Trojan program.

    MS00-052 addressed the issue wherein a program called explorer.exe
    could be placed in the root of the boot drive and be called by the OS
    upon logon (instead of calling the one in system32).

    http://www.microsoft.com/technet/security/bulletin/MS00-052.asp

    So, if you avoid doing a logon to the machine as a member of the
    Administrators group, then you can login as a normal user, or connect
    to the admin share, and rename the dropped explorer.exe to anything
    else. This will prevent it from being run upon logon. You can then
    try to delete it. If that works, then it means the Trojan hasn't been
    run, otherwise you won't be able to delete it.

    If the Trojan has been run, then you should consider the box totally
    compromised and reformat after removing data (not executables).
    There's no real way to be sure of anything on a box upon which the
    Trojan has run and succeeded in its effect (added the two virtual web
    directories and disabled System File Checking).

    If it hasn't been run, the system should be in good shape. Check the
    registry key for SFCDisable and remove the ROOT.EXE's from the two
    directories (mentioned in the previous message).

    Credits:

    Tony Weasler, President of The Attron Corporation, Marc Weasler of
    Homeboyz Interactive, Bill Sobel of Symantec, AnnMarie Clattenburg of
    Hines Pool and Spa, and David Ross U.S. Naval Fleet Information
    Warfare Center

    Cheers,
    Russ - Surgeon General of TruSecure Corporation - NTBugtraq Editor

    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.2

    iQCVAwUBO22qVRBh2Kw/l7p5AQGw/QP9GbwI925li9nlcuSeXIWIfUkUBvflA7ju
    Hi5x5VNdbA02izbhWJGm30Jnwarf3sCcYrO6PgJVJYbbg4ZoOsowSW8i5lJ6bwwg
    MgE7i07Rm7PbkvrzcMVG1u9eE7vppHx79MA8/vs1MuN0xSOIlyAIx2CMo7UUJXVx
    afdGvhoq2vE=
    =e/BS
    -----END PGP SIGNATURE-----
