worm/Trojans are taking advantage of default path of Windows

From: kyleat_private
Date: Mon Mar 10 2003 - 19:35:10 PST


    This is an interesting discovery.  It might not be new to some of you, but I
    think it's worth mentioning.
    
    Based on my analysis of the recent worm/Trojan (IRC_SCREWZ), I have noticed
    that this worm/Trojan puts a filename "EXPLORER.EXE" with no path information
    in a registry value under the registry key
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".  As we
    all know, when we try to run a program without any path information, the
    system will try to use the %path% environment variable to locate the file
    specified.  Therefore, when the system starts, it will look for the file in
    the "%windir%\system32" folder first, and "%windir%" second, based on the
    default Windows path.  Since the legitimate Windows Explorer is located at
    "%windir%", the worm/Trojan file at "%windir%\system32" will get executed
    at system startup instead of the legitimate EXPLORER.EXE.
    
    The default Windows path on Windows 2000 and XP is:
    PATH=E:\WINNT\system32;E:\WINNT;E:\WINNT\System32\Wbem
    
    Actual registry value of IRC_SCREWZ worm/Trojan:
    "COM+Services" = "explorer.exe"
    
    References:
    mIRC worm/Trojan analysis: www.klcconsulting.net/mirc_virus_analysis.htm
    IRC_SCREWZ:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_FLOOD.BI.DR&VSect=T
    
    BTW, on March 8, 2003, I did an experiment to see how fast a Windows 2000
    Professional system (honeypot), having the "administrator" userID with no
    password, can get infected with IRC type of worms/Trojans on the Internet. I
    put the honeypot on a cable modem for 5 hours, and I was infected with 2 IRC
    worms/Trojans within this time.  They are identified as "IRC_SCREWZ" and
    "W32/Deloder.worm" by the virus vendors.  If you are interested in the
    result of this experiment, the report will be available on the KLC
    Consulting Website on March 11, 2003 at
    http://www.klcconsulting.net/irc_experiment1.htm
    
    Cheers,
    /Kyle
    
    Kyle Lai, CISSP, CISA
    KLC Consulting, Inc.
    617-921-5410
    klaiat_private
    www.klcconsulting.net
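An added audit example (not part of the post above, and not KLC Consulting's code) that models the behaviour Kyle describes: each Run value whose data carries no path information is resolved through the search directories in order, and a hit that is not the expected location of that binary is flagged. The PATH string is the one quoted in the post; the Run values, expected locations and file layout are constructed samples.

```python
import ntpath
from collections import namedtuple

Finding = namedtuple("Finding", "value_name image resolved expected")
# Default Windows 2000/XP search path as quoted in the post (drive letter as given).
DEFAULT_PATH = r"E:\WINNT\system32;E:\WINNT;E:\WINNT\System32\Wbem"
# Where the legitimate copy of each well-known startup binary lives (assumption).
EXPECTED_LOCATION = {"explorer.exe": r"E:\WINNT\explorer.exe"}

def image_name(data):
    """First token of a Run value's data: a quoted path, or the first word."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split()[0]

def resolve_pathless(image, path_env, file_exists):
    """First directory in path_env holding image, or None. This search order is
    what lets a copy in system32 shadow the real EXPLORER.EXE in %windir%."""
    for directory in filter(None, path_env.split(";")):
        candidate = ntpath.join(directory, image)
        if file_exists(candidate):
            return candidate
    return None

def audit_run_values(run_values, path_env, file_exists, expected=EXPECTED_LOCATION):
    """Flag Run values whose path-less image resolves somewhere unexpected."""
    findings = []
    for name, data in run_values.items():
        image = image_name(data)
        if ntpath.dirname(image):  # carries path information: not this trick
            continue
        resolved = resolve_pathless(image, path_env, file_exists)
        want = expected.get(image.lower())
        if resolved is None or (want and resolved.lower() != want.lower()):
            findings.append(Finding(name, image, resolved, want))
    return findings

# Constructed file layout: the dropped copy in system32 beside the legitimate one.
SAMPLE_FILES = {
    r"e:\winnt\system32\explorer.exe",  # dropped by the worm/Trojan
    r"e:\winnt\explorer.exe",           # legitimate Windows Explorer
}
# Constructed Run values: the one the post quotes, plus a harmless full-path entry.
SAMPLE_RUN = {
    "COM+Services": "explorer.exe",
    "Agent": r'"C:\Program Files\Vendor\agent.exe" /quiet',
}
def sample_findings():
    return audit_run_values(SAMPLE_RUN, DEFAULT_PATH, lambda p: p.lower() in SAMPLE_FILES)
```

On a live system the same logic applies to the values read from the Run key with `winreg` and `file_exists` replaced by `os.path.isfile`.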
    
    This archive was generated by hypermail 2b30 : Tue Mar 11 2003 - 09:02:58 PST