RE: Method to Clean up IIS servers hit by CRv2

From: Doug.Barbinat_private
Date: Mon Aug 06 2001 - 11:57:29 PDT

Next message: Homer Wilson Smith: "Re: disinfection tool"

Previous message: Ken Pfeil: "RE: disinfection tool"
Maybe in reply to: dmuz: "Method to Clean up IIS servers hit by CRv2"
Next in thread: Walling, Ken: "RE: Method to Clean up IIS servers hit by CRv2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

As far as we can tell, there are some significant registry changes made by
the program. 

1.  SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable is set
to 0FFFFFF9Dh.  It should be set back to zero.  This is an undocumented
registry setting allows for Windows File Protection to be fully disabled.  A
value of 0 enables file protection.

2.  SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\VirtualRoots\Scripts
is set at 217.  We believe the original settings to be 204.

3.  SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\VirtualRoots\msadc is
set at 217.  We believe the original settings to be 205.

SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\VirtualRoots\c and
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\VirtualRoots\d do not
appear at all and should most likely be deleted.  We believe that these
facilitate the virtual web root that is created by the rootkit.  

The natural problem with Trojans is . . . how do you know if this Trojan was
used to deposit another?    

Regards,
DB

Douglas  W. Barbin, CISSP, CFE
  Senior Consultant
  W: 703.535.8203 Ext 6547 E-Fax: 240.331.6030 M: 703.338.4003
  625 N Washington Street, Suite 209
  Alexandria, VA 22314  www.guardent.com
  Text Messaging: <mailto:7033384003at_private> 
  PGP:  64CB ACA8 0474 B9AF 1B24  6756 FA80 A274 55A3 4122
______________________________________________________
G U A R D E N T  
  Enterprise Security and Privacy Programs



-----Original Message-----
From: dmuz [mailto:dmuzat_private]
Sent: Monday, August 06, 2001 2:24 PM
To: INCIDENTSat_private
Subject: Method to Clean up IIS servers hit by CRv2


Hey folks,  Isn't this fun? (har..)

So what are people doing to clean out IIS servers hit by CRv2?

So far I've been doing the following:

1. Patch the server.

2. Remove root.exe from the web directories.

3. Remove explorer.exe from c: and/or d:

4. reboot.

My main question is do you need to mess with the registry keys that it
alters? Are these reset on reboot or do you need to set them to some
value? If so what values? Or delete them all together?

Thanks,
dmuz



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Homer Wilson Smith: "Re: disinfection tool"
Previous message: Ken Pfeil: "RE: disinfection tool"
Maybe in reply to: dmuz: "Method to Clean up IIS servers hit by CRv2"
Next in thread: Walling, Ken: "RE: Method to Clean up IIS servers hit by CRv2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 13:14:41 PDT