One additional registry location you might want to check is this =>
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
Used by Subseven remote access Trojan

Regards,
Patrick Nolan
Virus Researcher - Fortinet
pnolanat_private

----- Original Message -----
From: "aladin168" <aladin168at_private>
To: <incidentsat_private>
Sent: Thursday, April 24, 2003 7:22 AM
Subject: Re: Trojan found...

| In-Reply-To: <20030417230836.23848.qmailat_private>
|
| By Kyle Lai, CISSP, CISA, KLC Consulting, Inc., www.klcconsulting.net
|
| Where are Trojans hiding in your systems?
|
| In any case of virus/worm/Trojan infection, we should not automatically
| assume that the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry
| key is the only place Trojans try to tamper with, otherwise we would be in a
| false sense of security TRAP.
|
| There are many other places on a Windows system where Trojans can add
| scripts and shortcuts to start up Trojan processes:
|
| · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
| · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
| · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
| · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
| · [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
| · [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
|
| Note: For the following registry keys, the key value should be exactly
| "%1 %*". Any program that is added to the key value will get executed
| every time a binary file (.exe, .com) is executed, i.e. "Trojan.exe %1 %*".
|
| · [HKEY_CLASSES_ROOT\exefile\shell\open\command]
| · [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
|
| Also, check:
| · Startup folder: to go to this folder, click on Start->Programs->Startup,
|   right click on Startup and select "Open" from the menu. Check every
|   file in this folder and make sure you know what they are. These files
|   will start up automatically every time you log in to your systems.
|
| · Windows Scheduler - check if any programs are scheduled to start up at
|   any specific time. Some Trojans use the scheduler as a means of program
|   execution.
|
|   o For Windows NT, 2000 and XP systems, use the AT command to verify. Go to
|     a command prompt and type "at"; if there are any scheduled tasks, it will
|     display "Status, ID, Day of execution, Time of execution, and Command line
|     to be executed".
|
|   o For Windows 9x/ME systems, use Windows Explorer and go to Task
|     Scheduler, which is under My Computer.
|
| · Win.ini (load=Trojan.exe or run=Trojan.exe)
| · system.ini (Shell=Explorer.exe trojan.exe)
| · autoexec.bat - look for added Trojan files, which may have the following
|   file extensions: .exe, .scr, .pif, .com, .bat
| · config.sys - look for added Trojan files
| · Any suspicious or new batch files (.BAT), which might call the actual
|   Trojan.
|
| Also, watch out for social engineering... Social engineering? Yes.
| Don't be fooled by processes or programs with similar and/or exactly the
| same filename as the legitimate Windows system programs. Many known
| Trojans have included programs with the exact same name as Windows system
| programs, but put them into different folders. Many people lower their
| guard when they see familiar Windows system programs, and some Trojans did
| successfully create deceptions and exploit this human vulnerability. If
| you just use the Windows Task Manager to check processes, you might be
| fooled if you don't examine them carefully. You might want to use some
| other tools for detailed examination, i.e. pstools from
| www.systeminternals.com.
|
| Here are some sample filenames of files included in recent Trojans:
|
| · Explorer.exe - the legitimate program exists in the \Windows or \Winnt folder,
|   NOT in \Windows\system32 or \Winnt\system32, or anywhere else
|
| · Rundll32.exe - the legitimate program exists in the \Windows\system32 or
|   \Winnt\system32 folder, not anywhere else
|
| · taskmngr.exe - the legitimate program is called "taskmgr.exe", not
|   "taskmngr.exe"
|
| Let's be vigilant about the files, registry keys and other places that
| Trojans can touch.
|
| Reference:
| · Ocxdll.exe/mIRC Virus Analysis by KLC Consulting:
|   http://www.klcconsulting.net/mirc_virus_analysis.htm
|
| · Deloder worm / IRC worm/Trojan Analysis by KLC Consulting:
|   http://www.klcconsulting.net/deloder_virus_analysis.htm
|
| · The Complete Windows Trojans Paper by Dancho Danchev:
|   http://www.frame4.com/
|
| · "Where are Trojans hiding?" by KLC Consulting:
|   http://www.klcconsulting.net/trojan/trojan_identification.htm
|
| Kyle Lai, CISSP, CISA
| KLC Consulting, Inc.
| klaiat_private
| www.klcconsulting.net
|
| >Les,
| >
| >> I say it has never executed because contained
| >> in the rar file is a .reg file that adds the trojan
| >> to the
| >> HKLM\Software\Microsoft\Windows\CurrentVersion\Run
| >> key and that key is empty.
| >
| >What about the running processes on the system? If
| >the key is empty, it may simply have not been able to
| >write to the key. Keep in mind that the IIS web
| >server runs as a guest on the system.
| >
| >> The folder that that registry entry points to does
| >> not exist either. Also contained in the rar file is
| >> a txt file that lists users and which groups to add
| >> them to; none of these users exist on the system.
| >
| >Again...permissions.
| >
| >> If anyone has had experience with this trojan or
| >> knows where I can find info on it I would be
| >> grateful.
| >
| >Sounds like you have everything available to write an
| >analysis. Since it looks as if no one has written one
| >yet... ;-)
| >
| >Harlan
| >
| >__________________________________________________
| >Do you Yahoo!?
| >The New Yahoo! Search - Faster. Easier. Bingo
| >http://search.yahoo.com
| >
| >----------------------------------------------------------------------------
| >Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
| >world's premier event for IT and network security experts. The two-day
| >Training features 6 hands-on courses on May 12-13 taught by professionals.
| >The two-day Briefings on May 14-15 features 24 top speakers with no vendor
| >sales pitches. Deadline for the best rates is April 25. Register today to
| >ensure your place. http://www.securityfocus.com/BlackHat-incidents
| >----------------------------------------------------------------------------
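The checklist above can be run mechanically. The script below is an added example, not part of either post: it walks the Run/RunOnce/RunServices keys and the Active Setup components Patrick mentions, verifies the exefile handler, and lists the Startup folders and scheduled tasks. It assumes an elevated PowerShell on a current Windows host (schtasks stands in for the thread's AT command), and that the stock exefile handler value is `"%1" %*`.

```powershell
# Added example, not from the thread: audit the autostart locations the posts
# list. Run elevated; RunServices* keys only exist on Windows 9x/ME.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Output '== Run / RunOnce / RunServices entries =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Every value under these keys is a command line executed at boot or logon.
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notin $metaProps } |
        ForEach-Object { Write-Output ("{0}\{1} = {2}" -f $key, $_.Name, $_.Value) }
}

# Active Setup: each component subkey's StubPath runs once per user at logon.
Write-Output '== Active Setup StubPath entries =='
Get-ChildItem 'HKLM:\Software\Microsoft\Active Setup\Installed Components' |
    ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath).StubPath
        if ($stub) { Write-Output ("{0} = {1}" -f $_.PSChildName, $stub) }
    }

# exefile handler: the stock value is "%1" %* ; anything else routes every
# .exe launch through another program first (the "Trojan.exe %1 %*" pattern).
$expected = '"%1" %*'
foreach ($key in 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
                 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command') {
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -ne $expected) {
        Write-Warning ("exefile handler altered: {0} = [{1}]" -f $key, $cmd)
    }
}

# Per-user and all-users Startup folders, then scheduled tasks (schtasks
# replaces the AT command named in the post).
Write-Output '== Startup folder contents =='
foreach ($dir in [Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup')) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Output $_.FullName }
}
Write-Output '== Scheduled tasks =='
schtasks.exe /query /fo LIST /v | Select-String -Pattern '^(TaskName|Task To Run):'
```

Review each reported command line against a known-good build of the same OS; as the post says, a familiar filename in an unfamiliar folder is the thing to look for.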
This archive was generated by hypermail 2b30 : Fri Apr 25 2003 - 11:40:27 PDT