Re: netbuie.exe, and - Wrap up

From: Edwards, David (JTS) (Edwards.Daveat_private)
Date: Wed May 08 2002 - 20:15:25 PDT

  • Next message: Jensenne Roculan: "Dead Thread - Publishing Nimda Logs"

    This is mainly aimed at closure for the list archives.  Needless to say, 
    we learnt a lot during this incident.  
    The incident was caused by an admin user following a link to an 
    xbox emulator
    which just refreshes to the SFX executable
    Investigation discovered:
    Following this link downloads the file "EMU_xbox.exe" in the normal 
    way via the "open or save" dialog. If the user choses "open", another 
    dialog opens with the text: "Setup.exe is not a valid Win32 application", 
    but by this time the following has occurred:
    The files "NetBUIE.exe" and "NBconfig.exe" are copied to 
    The registry key "HKLM/SOFTWARE/Microsoft/Windows/Run/NetBUIE" 
    is created with the value "C:\windows\system\NetBUIE.exe"
    If the user has admin rights, the key 
    "HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run" is 
    also created with the same value.
    This last key is where the main problem lies in the Win2k terminal
    server environment, as each user runs a new instance of netbuie.exe
    at logon.
    Thanks to Matt Scarborough, Axel Pettinger and all the others with
    helpful comments.  This list is a very useful resource!
    Many people have asked for a copy of the malware.  The link above
    will get them a copy if they need it.
    Lessons learnt? The obvious one is of course that admin accounts 
    should only be used for admin tasks, but we also found our incident
    response procedures were less than adequate.
    Finally, this malware has been around for about a month.  My 
    initial searches failed to find any trace of it:
    a) because the search engines "helpfully" suggested a misspelling of 
    netbuie, and 
    b) because I didn't check newsgroups..  Bit of a shock really, usenet
    is still useful :-)
    Dave Edwards 
    Justice Technology Services
    Ph: +61 8 82265426 || 0408 808355 
    mailto: edwards.daveat_private
    Snail : Justice Technology Division 
            GPO Box 2048, Adelaide 5001
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Thu May 09 2002 - 09:22:20 PDT