Hi,

This is mainly aimed at closure for the list archives. Needless to say, we learnt a lot during this incident.

The incident was caused by an admin user following a link to an xbox emulator, http://www.angelfire.com/empire/oftheants/xbox1.html, which just refreshes to the SFX executable http://www.angelfire.com/empire/oftheants/EMU_xbox.exe.

Investigation discovered:

Following this link downloads the file "EMU_xbox.exe" in the normal way via the "open or save" dialog. If the user chooses "open", another dialog opens with the text "Setup.exe is not a valid Win32 application", but by this time the following has occurred:

- The files "NetBUIE.exe" and "NBconfig.exe" are copied to "c:\windows\system".
- The registry key "HKLM/SOFTWARE/Microsoft/Windows/Run/NetBUIE" is created with the value "C:\windows\system\NetBUIE.exe".
- If the user has admin rights, the key "HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run" is also created with the same value.

This last key is where the main problem lies in the Win2k terminal server environment, as each user runs a new instance of netbuie.exe at logon.

Thanks to Matt Scarborough, Axel Pettinger and all the others with helpful comments. This list is a very useful resource!

Many people have asked for a copy of the malware. The link above will get them a copy if they need it.

Lessons learnt? The obvious one is of course that admin accounts should only be used for admin tasks, but we also found our incident response procedures were less than adequate.

Finally, this malware has been around for about a month. My initial searches failed to find any trace of it: a) because the search engines "helpfully" suggested a misspelling of netbuie, and b) because I didn't check newsgroups. Bit of a shock really, Usenet is still useful :-)

ciao
dave

---
Dave Edwards
Justice Technology Services
Ph: +61 8 82265426 || 0408 808355
mailto: edwards.daveat_private
Snail: Justice Technology Division, GPO Box 2048, Adelaide 5001
---

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
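The indicators in the post (two Run-key locations, the value name NetBUIE, the two dropped files under c:\windows\system, and one running instance per logged-on terminal server user) can be turned into a host check. The script below is an added example and is not code from Dave's post or from the incident itself. The registry locations, value name and file names are taken literally from the post; the extra HKCU Run key, the SHA-256 hashing, the process check and the "launches from \windows\system" heuristic are this example's own assumptions and go a little beyond the specific case described.

```powershell
# Added example, not part of the original post: check a Windows host for the
# NetBUIE persistence indicators described on the list. Registry locations,
# value name and dropped file names are taken literally from the post; HKCU,
# the SHA-256 hash, the process check and the \windows\system heuristic are
# this script's assumptions. Read-only: it reports and removes nothing.

$IndicatorName = 'NetBUIE'
$DroppedFiles  = @('NetBUIE.exe', 'NBconfig.exe')

# Run keys named in the post. The first has no "CurrentVersion" component,
# exactly as reported; the second is the per-machine key that every terminal
# server user executes at logon. HKCU is added to cover a per-user variant.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Directories to check for the dropped files: the literal path from the post
# plus the "System" directory under whatever %SystemRoot% this host uses.
$SystemDirs = @('C:\Windows\System', (Join-Path $env:SystemRoot 'System')) |
    Select-Object -Unique

# Provider-added properties on Get-ItemProperty output that are not Run values.
$PSMetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-NetBuieIndicators {
    $findings = @()

    # 1. Autorun values: the exact indicator, or anything launched from \windows\system.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($PSMetaProps -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            if ($p.Name -eq $IndicatorName) {
                $findings += [pscustomobject]@{
                    Type = 'RunValue'; Where = "$key\$($p.Name)"; Detail = $cmd
                    Reason = 'Exact value name from the incident report' }
            } elseif ($cmd -match '(?i)\\windows\\system\\') {
                $findings += [pscustomobject]@{
                    Type = 'RunValue'; Where = "$key\$($p.Name)"; Detail = $cmd
                    Reason = 'Autorun launching from the legacy \windows\system directory' }
            }
        }
    }

    # 2. Dropped files, hashed so samples can be compared across hosts.
    foreach ($dir in $SystemDirs) {
        foreach ($name in $DroppedFiles) {
            $path = Join-Path -Path $dir -ChildPath $name
            if (Test-Path -Path $path -PathType Leaf) {
                $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
                $findings += [pscustomobject]@{
                    Type = 'File'; Where = $path; Detail = "SHA256=$hash"
                    Reason = 'Dropped file named in the incident report' }
            }
        }
    }

    # 3. Live instances: on a terminal server expect one per logged-on user.
    Get-Process -Name $IndicatorName -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{
            Type = 'Process'; Where = "PID $($_.Id)"; Detail = $_.Path
            Reason = 'Running instance of the dropped executable' }
    }

    return $findings
}

$results = @(Get-NetBuieIndicators)
if ($results.Count -eq 0) {
    Write-Output "No $IndicatorName indicators found on $env:COMPUTERNAME."
} else {
    $results | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell so that HKLM and the system directory are readable; Get-FileHash needs PowerShell 4 or later. The HKCU branch only sees the Run key of the account running the script, so on a terminal server it is worth running once per session or loading the other users' hives separately.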
This archive was generated by hypermail 2b30 : Thu May 09 2002 - 09:22:20 PDT