Incidents
worm/Trojans are taking advantage of default path of Windows Mar 11 2003 03:35AM
kyle kylelai com
This is an interesting discovery. It might not be new to some of you, but I
think it's worth mentioning.

Based on my analysis of the recent worm/Trojan (IRC_SCREWZ), I have noticed
that this worm/Trojan puts a filename "EXPLORER.EXE" with no path information
in a registry value under the registry key
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run." As we
all know, when we try to run a program without any path information, the
system will try to use the %path% environment variable to locate the file
specified. Therefore, when the system starts, it will look for the file in
the "%windir%\system32" folder first, and "%windir%" second, based on the default
Windows path. Since the legitimate Windows Explorer is located at
"%windir%," the worm/Trojan file at "%windir%\system32" will get executed
at system startup instead of the legitimate EXPLORER.EXE.

The default Windows path on Windows 2000 and XP is:
PATH=E:\WINNT\system32;E:\WINNT;E:\WINNT\System32\Wbem

Actual registry value of IRC_SCREWZ worm/Trojan:
"COM+Services" = "explorer.exe"

Reference:
mIRC worm/Trojan analysis: www.klcconsulting.net/mirc_virus_analysis.htm
IRC_SCREWZ -
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_FLOOD.BI.DR&VSect=T

BTW, on March 8, 2003, I did an experiment to see how fast a Windows 2000
Professional system (honeypot), having the "administrator" userID with no
password, can get infected with IRC type of worms/Trojans on the Internet. I
put the honeypot on a cable modem for 5 hours, and I was infected with 2 IRC
worm/Trojans within this time. They are identified as "IRC_SCREWZ" and
"W32/Deloder.worm" by the virus vendors. If you are interested in the
result of this experiment, the report will be available on the KLC
Consulting Website on March 11, 2003 at
http://www.klcconsulting.net/irc_experiment1.htm

Cheers,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
617-921-5410
klai (at) klcconsulting (dot) net [email concealed]
www.klcconsulting.net

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.459 / Virus Database: 258 - Release Date: 2/25/2003
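The search-order problem described in the post above is easy to audit for. The following is an added example, not part of the original message or of KLC Consulting's analysis: it walks the values of a Run key, flags any entry whose program has no directory component, and then simulates the PATH-order lookup the post describes to show which file would actually start. The Run-key entries, PATH string, file list and "expected home" table below are constructed sample data; on a real Windows host you would pass the real values (e.g. `os.environ["PATH"]` and `os.path.isfile`) instead.

```python
import ntpath  # Windows path semantics, so the simulation runs on any host OS

# --- Constructed sample data (not taken from a real host) ---
SAMPLE_PATH = r"E:\WINNT\system32;E:\WINNT;E:\WINNT\System32\Wbem"  # default PATH quoted in the post
SAMPLE_RUN_KEY = {
    "COM+Services": "explorer.exe",                                # unqualified, as in the post
    "Synchronization Manager": r"E:\WINNT\system32\mobsync.exe /logon",  # constructed, fully qualified
}
# Files that exist on the simulated disk (lower-cased for case-insensitive matching).
SAMPLE_FILES = {
    r"e:\winnt\explorer.exe",            # the legitimate Explorer
    r"e:\winnt\system32\explorer.exe",   # constructed: a planted copy under system32
    r"e:\winnt\system32\mobsync.exe",
}
# Where each well-known program is expected to live (assumption for the audit).
EXPECTED_HOME = {"explorer.exe": r"E:\WINNT"}

PATHEXT = (".exe", ".com", ".bat", ".cmd")  # extensions tried when the name has none


def split_command(value):
    """Return the program token of a Run-key value, honouring a quoted program path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def resolve_unqualified(program, path_env, exists):
    """Walk PATH left to right and return the first existing candidate, or None."""
    has_ext = bool(ntpath.splitext(program)[1])
    names = [program] if has_ext else [program + ext for ext in PATHEXT]
    for directory in path_env.split(";"):
        if not directory:
            continue
        for name in names:
            candidate = ntpath.join(directory, name)
            if exists(candidate):
                return candidate
    return None


def audit_run_key(run_entries, path_env, exists, expected_home):
    """Report every unqualified Run entry and whether PATH order redirects it."""
    findings = []
    for value_name, command in run_entries.items():
        program = split_command(command)
        if ntpath.dirname(program):
            continue  # a qualified path is not subject to the PATH search
        resolved = resolve_unqualified(program, path_env, exists)
        expected = expected_home.get(program.lower())
        redirected = (
            resolved is not None
            and expected is not None
            and ntpath.dirname(resolved).lower() != expected.lower()
        )
        findings.append({
            "value": value_name,
            "program": program,
            "resolved": resolved,
            "expected_dir": expected,
            "redirected": redirected,
        })
    return findings


def sample_exists(path):
    """File-existence check against the constructed disk image."""
    return path.lower() in SAMPLE_FILES


if __name__ == "__main__":
    for f in audit_run_key(SAMPLE_RUN_KEY, SAMPLE_PATH, sample_exists, EXPECTED_HOME):
        status = "REDIRECTED" if f["redirected"] else "ok"
        print(f'{f["value"]!r}: {f["program"]} -> {f["resolved"]} [{status}]')
```

Run as-is, the script reports that the unqualified `explorer.exe` entry resolves to the system32 copy rather than the expected `E:\WINNT\explorer.exe`, which is exactly the behaviour the post describes; removing the planted file from `SAMPLE_FILES` makes the same entry resolve to the legitimate binary. The only host-specific inputs are the Run-key dictionary, the PATH string and the `exists` callback, so the same audit function can be pointed at a live system.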
