Full Disclosure mailing list archives
Re: RE: Full-disclosure Digest, Vol 8, Issue 3
From: "Morning Wood" <se_cur_ity () hotmail com>
Date: Mon, 3 Oct 2005 15:43:06 -0700
> Can you give me an example of a trojan, worm, or another program which has
> added the last USB device installed in the Windows Registry,

yes, see below

> or how about a program, worm, trojan -
some ASM code... ( edited )

    any_key1     db "SYSTEM\CurrentControlSet\AnyKeyIWant", 0
    another_key2 db "SYSTEM\CurrentControlSet\AnotherKeyIWant", 0

    invoke RegCreateKeyEx, HKEY_LOCAL_MACHINE, addr any_key1, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, addr hRegkey, NULL
    invoke wsprintf, addr senddata, addr some_value3, addr port
    invoke wsprintf, addr recvdata, addr another_value2, addr port
    invoke RegSetValueEx, hRegkey, addr senddata, 0, REG_SZ, addr recvdata, eax
    invoke RegCloseKey, hRegkey
    ( repeat for another_key2 )

easily done in .c too

or

    c:\>regedt32 -s somebad.reg
    ( will silently install ANY key you want )
> which caused something to be added to the last typed URL?

VNC ( or aforementioned key writes )

how do you think malware writes startup keys?
I am confused by your statement... once a system has been compromised, ANYTHING can be written to the registry ( especially if the attacker has SYSTEM privs )

my2bits,
M.W
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
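
Added example (not part of the original post): a defender-side check for the two things the message describes, a silent `regedt32 -s` import and values written under `SYSTEM\CurrentControlSet` or startup keys. The watch list, function names and sample .reg text are assumptions constructed for illustration.

```python
import re

# Assumed watch list: autostart and service/driver configuration locations.
WATCHED = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet",
)
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def silent_import_target(cmdline):
    """Return the .reg file of a silent regedit/regedt32 import, else None."""
    tokens = cmdline.replace('"', "").split()  # paths with spaces not handled
    exe = re.sub(r"\.exe$", "", tokens[0].lower().rsplit("\\", 1)[-1]) if tokens else ""
    silent = {"-s", "/s"} & {t.lower() for t in tokens[1:]}
    if exe not in ("regedit", "regedt32") or not silent:
        return None
    return next((t for t in tokens[1:] if t.lower().endswith(".reg")), None)

def parse_reg(text):
    """Return (key, value_name, raw_data) for each value a .reg file would set."""
    key, entries = None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            # "[-KEY]" deletes a key; it sets nothing, so stop tracking.
            key = None if line.startswith("[-") else line[1:-1]
            continue
        m = VALUE.match(line)
        if key and m:  # continuation lines of multi-line hex data are ignored
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            entries.append((key, name, m.group(2)))
    return entries

def watched_writes(reg_text):
    """Entries that land under a watched key prefix (case-insensitive)."""
    prefixes = tuple(w.upper() for w in WATCHED)
    return [e for e in parse_reg(reg_text) if e[0].upper().startswith(prefixes)]

# Constructed sample input, not taken from the post.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\Users\\Public\\updater.exe"

[HKEY_CURRENT_USER\Software\ExampleApp]
"theme"="dark"
'''
```

Run `silent_import_target` over process-creation command lines to find the import, then `watched_writes` over the referenced file to see which of its values touch the watched locations.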
Current thread:
- RE: Full-disclosure Digest, Vol 8, Issue 3 Cooper, Christopher (Oct 03)
- Re: RE: Full-disclosure Digest, Vol 8, Issue 3 Morning Wood (Oct 03)