As far as we can tell, there are some significant registry changes made by the program.

1. SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable is set to 0FFFFFF9Dh. It should be set back to zero. This is an undocumented registry setting that allows Windows File Protection to be fully disabled. A value of 0 enables file protection.

2. SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\VirtualRoots\Scripts is set at 217. We believe the original setting to be 204.

3. SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\VirtualRoots\msadc is set at 217. We believe the original setting to be 205.

SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\VirtualRoots\c and SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\VirtualRoots\d do not appear at all and should most likely be deleted. We believe that these facilitate the virtual web root that is created by the rootkit.

The natural problem with Trojans is . . . how do you know if this Trojan was used to deposit another?

Regards,
DB

Douglas W. Barbin, CISSP, CFE
Senior Consultant
W: 703.535.8203 Ext 6547
E-Fax: 240.331.6030
M: 703.338.4003
625 N Washington Street, Suite 209
Alexandria, VA 22314
www.guardent.com
Text Messaging: <mailto:7033384003at_private>
PGP: 64CB ACA8 0474 B9AF 1B24 6756 FA80 A274 55A3 4122
______________________________________________________
G U A R D E N T
Enterprise Security and Privacy Programs

-----Original Message-----
From: dmuz [mailto:dmuzat_private]
Sent: Monday, August 06, 2001 2:24 PM
To: INCIDENTSat_private
Subject: Method to Clean up IIS servers hit by CRv2

Hey folks,

Isn't this fun? (har..)

So what are people doing to clean out IIS servers hit by CRv2? So far I've been doing the following:

1. Patch the server.
2. Remove root.exe from the web directories.
3. Remove explorer.exe from c: and/or d:
4. Reboot.

My main question is: do you need to mess with the registry keys that it alters? Are these reset on reboot, or do you need to set them to some value? If so, what values? Or delete them altogether?

Thanks,
dmuz

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
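As an added example (not from either message in the thread), a Python check that reads a `reg export` of the keys named above and reports every deviation from the baseline Douglas describes. The sample export is constructed, and its layout of the VirtualRoots entries as dword values under the names used in the mail is an assumption, so adapt the parser if your export stores them differently.

```python
import re
# Baseline the thread states: SFCDisable 0, Scripts 204, msadc 205, no c or d root.
SFCDISABLE = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable"
VROOTS = r"SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\VirtualRoots"
EXPECTED = {SFCDISABLE: 0, VROOTS + r"\Scripts": 204, VROOTS + r"\msadc": 205}
MUST_NOT_EXIST = (VROOTS + r"\c", VROOTS + r"\d")
TAMPERED_SFC = 0xFFFFFF9D  # 0FFFFFF9Dh, the value the mail reports after infection

def parse_reg_export(text):
    """Parse 'reg export' text into {key\\name: value}; dword data becomes an int,
    anything else stays a raw string. (reg export writes UTF-16; decode it first.)"""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.upper().startswith("HKEY_LOCAL_MACHINE\\"):
                key = key[len("HKEY_LOCAL_MACHINE\\"):]  # match the mail's notation
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if key is None or not m:
            continue  # blank line, header, comment or default (@=) value
        name, data = m.groups()
        values[key + "\\" + name] = int(data[6:], 16) if data.lower().startswith("dword:") else data
    return values

def audit(values):
    """Return (path, finding) pairs for every deviation from the baseline."""
    findings = []
    for path, want in EXPECTED.items():
        got = values.get(path)
        if got is None:
            findings.append((path, "missing; expected %d" % want))
        elif path == SFCDISABLE and got == TAMPERED_SFC:
            findings.append((path, "is 0FFFFFF9Dh; set back to 0 to re-enable WFP"))
        elif got != want:
            findings.append((path, "is %s, expected %d" % (got, want)))
    for path in MUST_NOT_EXIST:
        if path in values:
            findings.append((path, "present; should not exist"))
    return findings

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\VirtualRoots]
"Scripts"=dword:000000d9
"msadc"=dword:000000d9
"c"=dword:000000d9
"""  # constructed sample (not from the thread) showing the post-infection state
```

Running `audit(parse_reg_export(open(path, encoding="utf-16").read()))` on a real export yields an empty list for a host that matches the baseline.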
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 13:14:41 PDT