Virus? - Disable .EXE, .COM, .LNK and group policy.



Brian Hoyt
07-09-2005, 11:48 PM
First I want to say I am not interested in removing the problem as I can
reimage machines, I am more interested in figuring out the cause and
prevention methods.

We have recently started seeing behavior on laptops that appears to be a
virus, I am however having great problem tracking it down. The symptoms
include but are not limited to:
Disable in registry .EXE, .LNK and .COM
Disable most (if not all) Group Policy settings
Add a security warning on pressing CTRL-ALT-DEL on login screen that is
random characters.
Disable Shutdown from startup screen
Disable display of proper icons, I believe this is related to the .LNK but it
doesn't always happen.

Once this happens a user can login to a machine. Applications cannot be
directly started but they can be started via opening an existing document for
example. I have attempted to fix the registry to allow programs to run but I
haven't had any luck.

Some background on the machines. The machines are of varied platforms of
laptops and tablets. All are running custom images and the problem has
occurred across multiple images. The machines have Symantec Corporate
Anti-Virus and Lavasoft Ad-Aware Plus running in realtime. They are all XP
SP2 with patches within a month or two of recent.

These are all student machines so I don't get a lot of detail of cause. In
almost all cases the machines either have AOL or AIM and sometimes it is the
last thing the students ran. Most describe a burst of network traffic and
then the problem occurs. In most cases they continue to work fine until they
reboot and that is when all the links and applications stop working. In a
few rare cases Ad-Aware catches the registry changes and I have been able to
see some of them happen, I have not been able to find the cause though.

Any help or pointers on this much appreciated. If there are any further
details I can offer let me know.

Malke
07-09-2005, 11:48 PM
Brian Hoyt wrote:

> First I want to say I am not interested in removing the problem as I
> can reimage machines, I am more interested in figuring out the cause
> and prevention methods.
>
> We have recently started seeing behavior on laptops that appears to be
> a
> virus, I am however having great problem tracking it down. The
> symptoms include but are not limited to:
> Disable in registry .EXE, .LNK and .COM
> Disable most (if not all) Group Policy settings
> Add a security warning on pressing CTRL-ALT-DEL on login screen that
> is random characters.
> Disable Shutdown from startup screen
> Disable display of proper icons, I believe this is related to the .LNK
> but it doesn't always happen.
>
> Once this happens a user can login to a machine. Applications cannot
> be directly started but they can be started via opening an existing
> document for
> example. I have attempted to fix the registry to allow programs to
> run but I haven't had any luck.
>
> Some background on the machines. The machines are of varied platforms
> of
> laptops and tablets. All are running custom images and the problem
> has
> occurred across multiple images. The machines have Symantec Corporate
> Anti-Virus and Lavasoft Ad-Aware Plus running in realtime. They are
> all XP SP2 with patches within a month or two of recent.
>
> These are all student machines so I don't get a lot of detail of
> cause. In almost all cases the machines either have AOL or AIM and
> sometimes it is the
> last thing the students ran. Most describe a burst of network traffic
> and
> then the problem occurs. In most cases they continue to work fine
> until they
> reboot and that is when all the links and applications stop working.
> In a few rare cases Ad-Aware catches the registry changes and I have
> been able to see some of them happen, I have not been able to find the
> cause though.
>
> Any help or pointers on this much appreciated. If there are any
> further details I can offer let me know.

Cause can be any number of malware programs. This is pretty common
behavior even with av. A lot of stuff comes in through the kids
clicking on links sent in AIM, as you suspected. As you well know, the
user has to practice Safe Hex as well as have current av/antispyware
protection, and these kids just won't do that. Spend some time looking
in the forums here:

http://aumha.net
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/
http://www.bleepingcomputer.com

You'll get a good idea of how broad your question really is and why I
can't give you a specific answer.

Prevention? Lock down your workstations completely by using a domain and
Group Policy, Deep Freeze, etc. If this isn't possible - perhaps the
students own the laptops and you don't have the control over them you
would need - then you either have to have a Large Stick (financial
incentive) with the parents or just do what you've been doing - image
the boxen and charge the parents for your time. Keep the rest of your
school's networks isolated from the laptops.

I help the tech god at my kid's school and we have a laptop program for
7th & 8th graders. Because we are a private school, we can be pretty
firm about what happens if the kids install cr*p and get a virus. If
you are a public school, you probably don't have that ability. The
public elementary schools here basically do nothing for the kids'
computers - quite a few of my clients have children with laptops in the
public schools and that is how I know this.

If you want any more information about how we manage our laptop program,
do post back.

Good luck,

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Brian Hoyt
07-09-2005, 11:48 PM
"Malke" wrote:

> Cause can be any number of malware programs. This is pretty common
> behavior even with av. A lot of stuff comes in through the kids
> clicking on links sent in AIM, as you suspected. As you well know, the
> user has to practice Safe Hex as well as have current av/antispyware
> protection, and these kids just won't do that. Spend some time looking
> in the forums here:
>
> http://aumha.net
> http://www.wilderssecurity.com/
> http://forums.tomcoyote.org/
> http://www.bleepingcomputer.com
>
> You'll get a good idea of how broad your question really is and why I
> can't give you a specific answer.
>
> Prevention? Lock down your workstations completely by using a domain and
> Group Policy, Deep Freeze, etc. If this isn't possible - perhaps the
> students own the laptops and you don't have the control over them you
> would need - then you either have to have a Large Stick (financial
> incentive) with the parents or just do what you've been doing - image
> the boxen and charge the parents for your time. Keep the rest of your
> school's networks isolated from the laptops.
>
> I help the tech god at my kid's school and we have a laptop program for
> 7th & 8th graders. Because we are a private school, we can be pretty
> firm about what happens if the kids install cr*p and get a virus. If
> you are a public school, you probably don't have that ability. The
> public elementary schools here basically do nothing for the kids'
> computers - quite a few of my clients have children with laptops in the
> public schools and that is how I know this.
>
> If you want any more information about how we manage our laptop program,
> do post back.
>
> Good luck,
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User

We are a private school with all students 7-12 having laptops/tablets about
450. The students own the machines so I can't lock them down as much as one
would like. The AV/AS are kept up to date automatically. We also do lock
the machines down quite a bit via group policy. I understand prevention from
a global perspective, trying to nail down this one issue though.

There is no need to punish the students as they aren't in most cases
purposely causing the problems. I am more in the business of preventing the
problems from occurring rather than applying punishment afterward. Imaging takes 20 min and
is more trouble for the students since they are without their laptop in class
than it is to the tech staff. Isolating the laptops from the rest of the
network really doesn't help anyone either, what is the point of having the
resources if the students can't get to them.

I was trying to figure exactly what this one was, since it is far more
damaging than any other we have had. It is affecting a very small group of
students some repeatedly though. I was hoping if I could narrow the cause I
could help the students to know what not to do. This is a fairly recent one
and isn't caught by anything I can find. It also seems to have a very
specific method of attack. However it doesn't make sense since it almost
totally disables the system, which wouldn't help in being able to track or
advertise to the user.

Thanks for the help and the pointers. I will see if I can find similar
symptoms on those sites.

Malke
07-09-2005, 11:48 PM
Brian Hoyt wrote:

See my comments inline:
>
> We are a private school with all students 7-12 having laptops/tablets
> about
> 450. The students own the machines so I can't lock them down as much
> as one
> would like. The AV/AS are kept up to date automatically. We also do
> lock
> the machines down quite a bit via group policy. I understand
> prevention from a global perspective, trying to nail down this one
> issue though.

So we have fewer students at lower grades than you, but it's a similar
situation as far as private vs. public.
>
> There is no need to punish the students as they aren't in most cases
> purposely causing the problems.

See, we disagree here. Maybe your students are more responsible, being
older. Our students *are* at fault because they will download all kinds
of cr*p if allowed. There is the normal malware stuff from places like
Smiley Central, links they click on or apps they run from their friends
via instant messaging, and we've been having quite an issue with the
Xanga messageboard - it also installs spyware.

> I am more in the business of
> preventing the problems from
> occurring rather than applying punishment afterward.

What we tell the parents and students is that these laptops are for
school. Some of the laptops are owned by the parents and others are
owned by the school and are rented to the parents. We explain the whole
issue of infestation to the users very clearly, and let them know what
the consequences of misusing the laptops will be. I'm not taking a
"we're right and you're wrong" position - I'm just telling you how we
set it up. The end result for us has been very good - a few kids have
come up with viruses but they have not infected the rest of the laptops
and for the most part, everything has been clean and works well. My
friend and I can compare our results with what happens in the local
public schools because we both have clients with kids there.

> Imaging takes 20
> min and is more trouble for the students since they are without their
> laptop in class
> than it is to the tech staff. Isolating the laptops from the rest of
> the network really doesn't help anyone either, what is the point of
> having the resources if the students can't get to them.

I'm in complete agreement with you about the imaging. We do it, too.
What I meant by isolating is that we have three networks, all of which
are kept isolated from each other - one for the school office, one for
the computer lab, and one for the classrooms/laptop program. Since
we're small, this is very manageable and allows us to tailor each
network's setup as we wish.
>
> I was trying to figure exactly what this one was, since it is far more
> damaging than any other we have had. It is affecting a very small
> group of students some repeatedly though. I was hoping if I could
> narrow the cause I could help the students to know what not to do.

Without seeing the machines and what is running, there just isn't any
way to tell what is going on. There was a big outbreak of an AIM virus
recently, but it really was a nasty one and you'd certainly have
noticed it. What might work to help you track down the cause is to get
one of the infected machines and run HijackThis on it. Then post your
HJT log at one of the forums below (not here, please). I particularly
like the AumHa forum, but all of the fora linked below are populated by
great experts who will be able to pinpoint things for you right away.
So here are the HJT links:

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net - forums
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/
http://www.spywareinfo.com/forums/

>
> Thanks for the help and the pointers. I will see if I can find
> similar symptoms on those sites.

You are most welcome. Good luck, and enjoy your summer (if applicable to
your part of the world).

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Richard Urban
07-09-2005, 11:48 PM
There is no need to punish the students as they aren't in most cases
purposely causing the problems. I am more in the business of preventing the
problems from occurring rather than applying punishment afterward.

Brian,

You have to enforce good computing habits on the children - by any means.
Kids click on anything at any time, without thinking of the consequences.

One of the worst category of web sites around today are the sites where the
kids download their "ring tones" from. Many of them will infest a computer
by the act of downloading "free" tones. Your kids do have cell phones -
right! Nothing is FREE! If you can't modify the children's behavior you are
in for a rough ride!

Infected computers MUST be banned from connecting to the school network. If
they connect the infection WILL likely spread to the other computers on the
LAN at that time. How you do it is up to you.

Lots of luck in your constant job of reimaging the machines!

--
Regards,

Richard Urban

aka Crusty (-: Old B@stard :-)

If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!


"Brian Hoyt" <hoyty@hoyty.com> wrote in message
news:DC999CC9-797B-416A-AD34-6D1B9CA637B9@microsoft.com...
>
>
> "Malke" wrote:
>
>> Cause can be any number of malware programs. This is pretty common
>> behavior even with av. A lot of stuff comes in through the kids
>> clicking on links sent in AIM, as you suspected. As you well know, the
>> user has to practice Safe Hex as well as have current av/antispyware
>> protection, and these kids just won't do that. Spend some time looking
>> in the forums here:
>>
>> http://aumha.net
>> http://www.wilderssecurity.com/
>> http://forums.tomcoyote.org/
>> http://www.bleepingcomputer.com
>>
>> You'll get a good idea of how broad your question really is and why I
>> can't give you a specific answer.
>>
>> Prevention? Lock down your workstations completely by using a domain and
>> Group Policy, Deep Freeze, etc. If this isn't possible - perhaps the
>> students own the laptops and you don't have the control over them you
>> would need - then you either have to have a Large Stick (financial
>> incentive) with the parents or just do what you've been doing - image
>> the boxen and charge the parents for your time. Keep the rest of your
>> school's networks isolated from the laptops.
>>
>> I help the tech god at my kid's school and we have a laptop program for
>> 7th & 8th graders. Because we are a private school, we can be pretty
>> firm about what happens if the kids install cr*p and get a virus. If
>> you are a public school, you probably don't have that ability. The
>> public elementary schools here basically do nothing for the kids'
>> computers - quite a few of my clients have children with laptops in the
>> public schools and that is how I know this.
>>
>> If you want any more information about how we manage our laptop program,
>> do post back.
>>
>> Good luck,
>>
>> Malke
>> --
>> Elephant Boy Computers
>> www.elephantboycomputers.com
>> "Don't Panic!"
>> MS-MVP Windows - Shell/User
>
> We are a private school with all students 7-12 having laptops/tablets
> about
> 450. The students own the machines so I can't lock them down as much as
> one
> would like. The AV/AS are kept up to date automatically. We also do lock
> the machines down quite a bit via group policy. I understand prevention
> from
> a global perspective, trying to nail down this one issue though.
>
> There is no need to punish the students as they aren't in most cases
> purposely causing the problems. I am more in the business of preventing
> the
> problems from
> occurring rather than applying punishment afterward. Imaging takes 20 min
> and
> is more trouble for the students since they are without their laptop in
> class
> than it is to the tech staff. Isolating the laptops from the rest of the
> network really doesn't help anyone either, what is the point of having the
> resources if the students can't get to them.
>
> I was trying to figure exactly what this one was, since it is far more
> damaging than any other we have had. It is affecting a very small group
> of
> students some repeatedly though. I was hoping if I could narrow the cause
> I
> could help the students to know what not to do. This is a fairly recent
> one
> and isn't caught by anything I can find. It also seems to have a very
> specific method of attack. However it doesn't make sense since it almost
> totally disables the system, which wouldn't help in being able to track or
> advertise to the user.
>
> Thanks for the help and the pointers. I will see if I can find similar
> symptoms on those sites.

cquirke (MVP Windows shell/user)
07-09-2005, 11:48 PM
On Wed, 25 May 2005 08:30:05 -0700, "Brian Hoyt" wrote:

>I was trying to figure exactly what this one was, since it is far more
>damaging than any other we have had.

It sounds like a badly-written attempt at a "root kit", doesn't it?
Doing the right sort of root-kitty things, but being too buggy to
really get away with operating in the system depths it has burrowed
into. Reminds me of all the wobbly-graphic crash-o-matic "me-too"
shareware games that came out after Wolfenstein showed the way.



>---------- ----- ---- --- -- - - - -
Gone to bloggery: http://cquirke.blogspot.com
>---------- ----- ---- --- -- - - - -

Zvi Netiv
07-09-2005, 11:48 PM
"Brian Hoyt" <hoyty@hoyty.com> wrote:

> First I want to say I am not interested in removing the problem as I can
> reimage machines, I am more interested in figuring out the cause and
> prevention methods.

Figuring out the cause and preventing reinfection requires that you find out how
what stung these computers entered the system.

> We have recently started seeing behavior on laptops that appears to be a
> virus, I am however having great problem tracking it down. The symptoms
> include but are not limited to:
> Disable in registry .EXE, .LNK and .COM

Run www.invircible.com/download/fix_exe.reg. It's a registry merge file that
fixes the "shell open" command associations that are stolen by many malware. In
stubborn cases, you will have to run the merge file in safe mode *with command
prompt* to regain control on your utilities, that will let you find out how that
malware initializes. Which is what you are after.

> Disable most (if not all) Group Policy settings
> Add a security warning on pressing CTRL-ALT-DEL on login screen that is
> random characters.
> Disable Shutdown from startup screen
> Disable display of proper icons, I believe this is related to the .LNK but it
> doesn't always happen.

The apparent disabling of the LNK association is the byproduct of stealing the
shell-open command from COM/EXE. There is none for LNK.

> Once this happens a user can login to a machine. Applications cannot be
> directly started but they can be started via opening an existing document for
> example. I have attempted to fix the registry to allow programs to run but I
> haven't had any luck.

This is why I offered the REG version of the fix file. The executable version
is www.invircible.com/download/fixregex.com

> Some background on the machines. The machines are of varied platforms of
> laptops and tablets. All are running custom images and the problem has
> occurred across multiple images. The machines have Symantec Corporate
> Anti-Virus and Lavasoft Ad-Aware Plus running in realtime. They are all XP
> SP2 with patches within a month or two of recent.

Something that isn't always understood well enough: Real-time AV and
anti-spyware cannot stop malware that is being installed across the network,
*even* if the malware is known to the protection SW, and the definitions file is
the latest available. The reason is inherent to how AV works.

Seems that whatever that is, it enters through weakly protected shares, like
admin$. The random characters displayed at the login screen could be the
password guessing routine at work.

> These are all student machines so I don't get a lot of detail of cause. In
> almost all cases the machines either have AOL or AIM and sometimes it is the
> last thing the students ran. Most describe a burst of network traffic and
> then the problem occurs. In most cases they continue to work fine until they
> reboot and that is when all the links and applications stop working. In a
> few rare cases Ad-Aware catches the registry changes and I have been able to
> see some of them happen, I have not been able to find the cause though.

Could you elaborate on the changes that Ad-Aware caught?

> Any help or pointers on this much appreciated. If there are any further
> details I can offer let me know.

The following page and white paper could be worth reading:

www.invircible.com/item/53 describes general methods to deal with malware at the
PC level, and http://www.invircible.com/papers/IV4Enterprise.pdf takes it
further to the level of centralized real-time anti-malware command and control.

Regards, Zvi
--
NetZ Computing Ltd. ISRAEL www.invircible.com www.ivi.co.il (Hebrew)
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities

cquirke (MVP Windows shell/user)
07-09-2005, 11:48 PM
On Wed, 25 May 2005 11:12:01 -0700, Malke wrote:
>Brian Hoyt wrote:

>> We are a private school with all students 7-12 having laptops/tablets
>> about 450. The students own the machines so I can't lock them
>> down as much as one would like.

>> There is no need to punish the students as they aren't in most cases
>> purposely causing the problems.

>See, we disagree here. Maybe your students are more responsible, being
>older. Our students *are* at fault because they will download all kinds
>of cr*p if allowed.

You can blame them for breaking policy, but not for getting malware'd,
as the relationship between these is Venn. Good system setup and
choosing apps that suck less will make it less Venn, but it will only
approach inclusion, i.e. where all malware infections are within the
set of those who break policy.

If you want to be a model of good cause and consequence, as is usually
an objective of educational institutions, then your objectives are:
- monitoring and enforcing policy
- penalties for policy breaches
- reducing malware infection
- reduced impact of cleanup

Malware works by exploiting the difference between what the user
wanted to do, and what actually happens. The more the system acts
ahead of user intent, the more malware infections will occur for which
the user cannot be blamed at all.

Only if a system displays full risk info in a form the user can
understand, and never acts beyond the displayed risk, can you talk
meaningfully about user responsibility. Then you can equate malware
infection with bad user behavior and proceed with punitive cleanup.

Current system design as it is, the latter scenario can only be
approached, not attained. So I still see punitive clean-up as
unfair; then again, much of real life is unfair, too.

>What I meant by isolating is that we have three networks, all of which
>are kept isolated from each other - one for the school office, one for
>the computer lab, and one for the classrooms/laptop program.

If you can enclose a network, you can cure it. If you cannot close a
network, you're only doing palliative de-bulking operations.

I'd hope that your staff and backbone networks are closed, which means
you need to air-gap these from the students, as well as the Internet.

A LAN that includes WiFi is not a fully enclosed network, unless you
bring a great deal of resources and expertise to bear on the problem,
and maintain the same level of hands-on management going forward.

>> I was trying to figure exactly what this one was, since it is far more
>> damaging than any other we have had. It is affecting a very small
>> group of students some repeatedly though. I was hoping if I could
>> narrow the cause I could help the students to know what not to do.

There are various scenarios here:
- persistence of infection (never was cleaned)
- self-re-infection (hidden malware stores; SR, email etc.)
- peer re-infection (e.g. from other infected PCs on LAN)
- external re-infection via a persistent entrance opening
- external re-infection via a persistent entrance wound
- actively re-asserted infection from an outside "watcher"
- deliberate re-infection from a malicious inside user

Assume your mugshot scanners cannot find the malware, either because
it's new, or it's an under-exposed custom hacking tool, or it's
legitware that is being maliciously deployed. What then?
- non-editorialized enumeration / scrutiny (HJT, ShellExView, etc.)
- check perimeter; settings, patches, fences you thought were up
- move things around to break assumptions held off-system
- reduce the size of the eye of the needle
- watch traffic

If you have F&PS bound to TCP/IP and admin shares exposing all HD
volumes from the root up, then there's scope to "reduce the size of
the eye of the needle" through which malware can pass :-)

On "entrance wounds", bear in mind that the evil malware may do, may
live on after it's died. Malware cleaners either ignore settings
changes made by the malware, or restore these to duhfaults. Both can
leave you with gaping entrance wounds.

For example, a client of mine had RBot.J (SDBot.J). Most write-ups
mention infection via hidden admin shares, "weak passwords" etc. My
take: If all that stands between you and the Internet is a password,
and you have no intention of ever facilitating the kind of access the
password "protects" against, the system setup fundamentally sucks.

One write-up of SDBot family mentions it disables these admin shares,
even though it uses them to enter the system. So there's a risk that
a cleaner will re-enable these shares, to undo the malware-initiated
change. Sure enough, my usual protective killing of these admin
shares was missing on the client's PC, and that may explain why the
infection kept recurring on ISDN dial-up.

Hence "check settings, patches, fences you thought were up".

>Without seeing the machines and what is running, there just isn't any
>way to tell what is going on. There was a big outbreak of an AIM virus
>recently, but it really was a nasty one and you'd certainly have
>noticed it. What might work to help you track down the cause is to get
>one of the infected machines and run HijackThis on it. Then post your
>HJT log at one of the forums below (not here, please). I particularly
>like the AumHa forum, but all of the fora linked below are populated by
>great experts who will be able to pinpoint things for you right away.
>So here are the HJT links:

>http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
>Eshelman
>http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
>another tutorial
>http://aumha.net - forums
>http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
>forum
>http://www.wilderssecurity.com/
>http://forums.tomcoyote.org/
>http://www.spywareinfo.com/forums/

I have to ask: How inclusive is HJT, and how root-kittable is it?

I think we know the answer to the latter, but I'm wondering about the
former. I don't see anything like the detail that ShellExView
displays, so I consider that as an essential adjunct to HJT.



>---------- ----- ---- --- -- - - - -
Gone to bloggery: http://cquirke.blogspot.com
>---------- ----- ---- --- -- - - - -

cquirke (MVP Windows shell/user)
07-09-2005, 11:48 PM
On Thu, 26 May 2005 18:24:08 +0300, Zvi Netiv
>"Brian Hoyt" <hoyty@hoyty.com> wrote:

>> First I want to say I am not interested in removing the problem as I can
>> reimage machines, I am more interested in figuring out the cause and
>> prevention methods.

>Figuring out the cause and preventing reinfection requires that you find out how
>what stung these computers entered the system.

Yep. A common myth is "I don't need to scan for active malware
because I just wipe and rebuild instead". Two problems:

1) Every general troubleshoot needs malware exclusion

Do you "just" wipe and rebuild whenever anything fails to work as
expected, in anything other than a clearly-defined way?

2) Rebuild just reproduces the original infectable state

The fact that your system was infected, indicates that your defences
failed. Blindly rebuilding the same system that failed is not a
winning strategy, especially if your system is now spotlighted by
external entities that may re-assert the infection.

The worst-case version of (2) is where that entity is human. They see
the PC vanish off radar, and come back clean, so they know they screwed
up. They know what they did, and look back on that to see what might
have tipped you off, and they don't do that next time. They are
learning how to own you more effectively. You are learning nothing.

>> We have recently started seeing behavior on laptops that appears to be a
>> virus, I am however having great problem tracking it down. The symptoms
>> include but are not limited to:
>> Disable in registry .EXE, .LNK and .COM

>Run www.invircible.com/download/fix_exe.reg. It's a registry merge file that
>fixes the "shell open" command associations that are stolen by many malware.

Something like this?

<paste>
<...to be pasted when found...>
</paste>

>stubborn cases, you will have to run the merge file in safe mode *with command
>prompt* to regain control on your utilities, that will let you find out how that
>malware initializes. Which is what you are after.

Stubborn cases may need more than Safe Mode, because where malware is
concerned, Safe Mode isn't. MS offer blow-all for that, if you are
on NTFS, but fortunately others do, e.g. Bart's PE.

>The apparent disabling of the LNK association is the byproduct of stealing the
>shell-open command from COM/EXE. There is none for LNK.

.LNK does have entries in the registry that are conjoined to your HKCR
view, but they don't take as simple a form as .exe -> exefile

.LNK are not as exploitable as .PIF, as the OS is clueful enough not
to run raw code in what is supposed to be a .LNK, as it does for .PIF;
.PIF is just another indication as to why generic "open" is a menace.

>This is why I offered the REG version of the fix file. The executable version
>is www.invircible.com/download/fixregex.com

You may have to do some more dancing, such as renaming REGEDIT.EXE to
something else, if .EXE is mis-associated and/or the name is blocked.
If Regedit.exe is blocked at a deeper level, you may have to operate
from outside the infected OS altogether. It just depends on how
serious the malware is about retaining ownership of your system, and
how skilled and diligent the malware coders are.

Now that malware coders are salaried by commercial malware vendors,
who are in turn bankrolled by vulture capital, you can expect more
proficient malware. Organised crime has similar budgets, but less
need to pose as legitimate business; malicious behavior may be harder.

>Something that isn't always understood well enough: Real-time AV and
>anti-spyware cannot stop malware that is being installed across the network,
>*even* if the malware is known to the protection SW, and the definitions file is
>the latest available. The reason is inherent to how AV works.

More on that, please?

>Seems that whatever that is, it enters through weakly protected shares, like
>admin$. The random characters displayed at the login screen could be the
>password guessing routine at work.

If you don't need hidden admin shares, kill them. Writeable access to
the startup axis is insanely unsafe hex practice, and "hidden" shares
with known names is another sick joke.

>The following page and white paper could be worth reading:

>www.invircible.com/item/53 describes general methods to deal with malware

Nice. It's always hard to know how complete such documents should be,
without feeding the kiddies, and as foreseeable exploits get discovered
and used ITW, what is "complete" in terms of "in use In The Wild" is a
moving target too. Prudence may also be why this paper doesn't
elaborate on which integration methods remain active in "Safe" mode.

It shakes down to this:
- intra-file infection or code replacement
- explicit (by design) integration
- implicit (by exploit) integration

To regain ownership of a system, you need to:

1) Formally scan for altered or replaced code files
2) Enumerate and manage all integrations
3) Scan for internal surface exploiters

Each of these requires a minimum level of formality:

1) No code off the infected system may be run, i.e. non-HD OS
2) No explicit integrations may be run, i.e. a true Safe Mode
3) No exploitable internal surfaces must be exposed

A mOS (maintenance OS) should be able to meet all three criteria,
though many candidate mOS may fail on (3). Simply not running HD code
during boot, and not processing the HD's integration settings, is no
longer enough to be properly formal.

A true "Safe Mode" should be able to meet (2) and (3). The advice to
use Safe Mode Command Only is an attempt to address (3), but Cmd.exe
offers its own exploit opportunities (always stipulate path and .ext)

Currently, XP on NTFS is like a car with no service tools and the
engine compartment welded shut. Runs great, until it goes wrong and
you find yourself locked inside a blazing wreck.

MS offers no mOS for (1), and no properly Safe Mode for (2) or (3).
There are no tools that comprehensively enumerate and manage all
explicit integration points. So we are left to flail around with a
Safe mode that is not safe, and 3rd-party tools such as Bart's,
HiJackThis and ShellExView to help the OS wipe its own butt.

Let's hope LH is continent and toilet-trained. Not holding my breath.



>---------- ----- ---- --- -- - - - -
Gone to bloggery: http://cquirke.blogspot.com
>---------- ----- ---- --- -- - - - -

cquirke (MVP Windows shell/user)
07-09-2005, 11:48 PM
On Thu, 26 May 2005 18:24:08 +0300, Zvi Netiv
>"Brian Hoyt" <hoyty@hoyty.com> wrote:

>Run www.invircible.com/download/fix_exe.reg. It's a registry merge file that
>fixes the "shell open" command associations that are stolen by many malware.

Something like this?

<paste>
REGEDIT4

[HKEY_CLASSES_ROOT\.bat]
@="batfile"

[HKEY_CLASSES_ROOT\.com]
@="comfile"

[HKEY_CLASSES_ROOT\.exe]
"Content Type"="application/x-msdownload"
@="exefile"

[HKEY_CLASSES_ROOT\batfile\shell\open]
@=""
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open]
@=""
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open]
@=""
"EditFlags"=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

;; > Set up your own private executable "fire escape" here,
;; replacing "xyz" with your desired extension

; [HKEY_CLASSES_ROOT\.xyz]
; "Content Type"="application/x-msdownload"
; @="privateexec"


; [HKEY_CLASSES_ROOT\privateexec\shell\open]
; @=""
; "EditFlags"=hex:00,00,00,00

; [HKEY_CLASSES_ROOT\privateexec\shell\open\command]
; @="\"%1\" %*"

;; <


</paste>

>stubborn cases, you will have to run the merge file in safe mode *with command
>prompt* to regain control on your utilities, that will let you find out how that
>malware initializes. Which is what you are after.

You may have to do some more dancing, such as renaming REGEDIT.EXE to
something else, if .EXE is mis-associated and/or the name is blocked.
If Regedit.exe is blocked at a deeper level, you may have to operate
from outside the infected OS altogether.

Creating a private executable extension is one tactic to bypass HKCR
attacks, in that you can run a renamed Regedit.xyz file in such cases.

You can combine these things...
- redirected standard .ext
- renamed engine executables
- private .ext
...to "privatize" risky functionalities, in such cases. Beware of
subsystem updates, patches, and SFP, as these can undermine your
efforts by re-exposing the dangerous functionality.

For example, in Win98SE and older, this is easy:
- .vbs etc. -> textfile -> Notepad
- Ren WScript.exe WSPriv.exe from DOS mode
- Ren CScript.exe CSPriv.exe from DOS mode
- .wyx -> privatescript -> WSPriv.exe
- .cyx -> privatescript -> CSPriv.exe

Now you can use .wyx and .cyx files as stand-alone scripts, but
dropped stand-alone script files will come up in Notepad for scrutiny.

You can try the same tactic to privatize .REG and Regedit, but as
there are other ways to the registry, don't expect to be bulletproof.



>---------- ----- ---- --- -- - - - -
Gone to bloggery: http://cquirke.blogspot.com
>---------- ----- ---- --- -- - - - -
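A small audit of the association keys that the fix file above restores, as an added example that is not part of this thread or of any tool mentioned in it: it parses a REGEDIT4 export (the same format as the paste) and reports every extension or shell\open\command default that no longer matches the clean values, which is what a hijacked association looks like from a registry dump. The sample export is constructed; the loader path in it is a placeholder.

```python
import re

# Clean "shell open" command; a hijacker typically prepends its own path to "%1".
EXPECTED_OPEN_CMD = '"%1" %*'
# Extension -> ProgID pairs that the fix file restores.
ASSOCIATIONS = {".exe": "exefile", ".com": "comfile", ".bat": "batfile"}

def parse_reg(text):
    """Parse a REGEDIT4-style export into {key: {value_name: data}}.
    Covers the subset association fixes use: the default value (@), quoted
    string values (unescaped), and hex: binary values kept as raw text.
    Lines starting with ';' are comments."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r'\\(["\\])', r'\1', data[1:-1])  # undo \" and \\
        keys[current][name] = data
    return keys

def audit_associations(keys):
    """Compare a parsed HKCR export against the clean associations.
    Returns {finding: observed value}; None means the key/value is absent."""
    findings = {}
    for ext, cls in ASSOCIATIONS.items():
        prog_id = keys.get(f"HKEY_CLASSES_ROOT\\{ext}", {}).get("@")
        if prog_id != cls:
            findings[f"{ext} ProgID"] = prog_id
        cmd = keys.get(f"HKEY_CLASSES_ROOT\\{cls}\\shell\\open\\command", {}).get("@")
        if cmd != EXPECTED_OPEN_CMD:
            findings[f"{cls} open command"] = cmd
    return findings

# Constructed sample export: exefile's open command has a loader wedged in
# front of "%1", .com is clean, and .bat is missing altogether.
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\loader.exe\" \"%1\" %*"
[HKEY_CLASSES_ROOT\.com]
@="comfile"
[HKEY_CLASSES_ROOT\comfile\shell\open]
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for what, seen in audit_associations(parse_reg(SAMPLE_EXPORT)).items():
        print(f"{what}: {seen!r}")
```

Feed it the output of `regedit /e` taken from a suspect machine and run the comparison from a clean system, since on the infected one the exported .exe association is exactly what cannot be trusted.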

