Full Disclosure mailing list archives

Re: RE: Full-disclosure Digest, Vol 8, Issue 3


From: "Morning Wood" <se_cur_ity () hotmail com>
Date: Mon, 3 Oct 2005 15:43:06 -0700

> Can you give me an example of a trojan, worm, or another program which has
> added the last USB device installed in the Windows Registry,
yes, see below

> or how about a program, worm, trojan -

some ASM code... ( edited )
  any_key1      db "SYSTEM\CurrentControlSet\AnyKeyIWant", 0
  another_key2  db "SYSTEM\CurrentControlSet\AnotherKeyIWant", 0

  ; create ( or open, if it exists ) HKLM\SYSTEM\CurrentControlSet\AnyKeyIWant
  invoke RegCreateKeyEx, HKEY_LOCAL_MACHINE, addr any_key1, 0, NULL, \
         REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, addr hRegkey, NULL
  ; build the value name and the value data; wsprintf returns the string length in eax
  invoke wsprintf, addr senddata, addr some_value3, addr port
  invoke wsprintf, addr recvdata, addr another_value2, addr port
  inc eax                      ; cbData for a REG_SZ must include the terminating NUL
  invoke RegSetValueEx, hRegkey, addr senddata, 0, REG_SZ, addr recvdata, eax
  invoke RegCloseKey, hRegkey
( repeat for another_key2 )

easily done in .c too

or
c:\>regedt32 -s somebad.reg
( will silently install ANY key you want )


> which caused something to be added to the last typed URL?
VNC ( or aforementioned key writes )

how do you think malware writes startup keys? I am confused by your
statement...
once a system has been compromised, ANYTHING can be written to the registry
( especially if the attacker has SYSTEM privs )



my2bits,
M.W


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
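The post's second route, a silent `regedt32 -s somebad.reg` import, is the one a responder most often meets as a dropped file rather than as running code. The following is an added example (not code from the post or its author): an offline parser for the .reg text format that lists every key, value and deletion such an import would apply, and flags writes under the Run and Services autostart locations. The sample .reg is constructed for the demo; it reuses the post's AnyKeyIWant key name, and all other paths, value names and data are assumptions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class RegKey:
    """One [KEY] section of a .reg file and everything it writes or deletes."""
    path: str
    delete: bool = False                        # [-HKEY\...] removes the whole key
    values: dict = field(default_factory=dict)  # value name -> (type, data); "" is (Default)
    deleted_values: list = field(default_factory=list)


_HEX_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
              4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")
# autostart locations worth flagging (assumption: this short list suffices for the demo)
_AUTOSTART = ("\\CurrentVersion\\Run", "\\CurrentControlSet\\Services\\")


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " (any other \\x yields x)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _decode(data):
    """Right-hand side of name=data -> (REG_type, python value); None means delete value."""
    if data == "-":
        return None
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", _unescape(data[1:-1]))
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    m = _HEX_RE.match(data)
    if m:
        rtype = int(m.group(1)) if m.group(1) else 3
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        tname = _HEX_TYPES.get(rtype, "REG_TYPE_%d" % rtype)
        if rtype in (1, 2):            # UTF-16LE string stored as hex bytes
            return (tname, raw.decode("utf-16-le").rstrip("\0"))
        if rtype == 7:                 # NUL-separated, double-NUL terminated list
            return (tname, [s for s in raw.decode("utf-16-le").split("\0") if s])
        return (tname, raw)
    raise ValueError("unrecognised value data: %r" % data)


def parse_reg(text):
    """Parse .reg text into a list of RegKey, in file order."""
    logical, buf = [], ""
    for line in text.splitlines():             # fold hex continuation lines (trailing backslash)
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    keys, current = [], None
    for line in logical:
        if not line or line.startswith(";") or line == "REGEDIT4" \
                or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = RegKey(path.lstrip("-"), delete=path.startswith("-"))
            keys.append(current)
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("malformed line: %r" % line)
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        decoded = _decode(m.group(2).strip())
        if decoded is None:
            current.deleted_values.append(name)
        else:
            current.values[name] = decoded
    return keys


def autostart_writes(keys):
    """(key path, value name) for every value written under a known autostart location."""
    return [(k.path, name) for k in keys if not k.delete
            for name in k.values if any(tag in k.path for tag in _AUTOSTART)]


# Constructed sample of a dropped "somebad.reg"; only the AnyKeyIWant name comes from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\AnyKeyIWant]
@="svc"
"ListenPort"=dword:00001f90
"Path"="C:\\Program Files\\svc.exe"
"Blob"=hex:de,ad,\
  be,ef

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Windows\\Temp\\upd.exe\" -s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://example.invalid/"
"url2"=-

[-HKEY_CURRENT_USER\Software\OldVendor]
'''

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for k in parsed:
        print(("DELETE KEY " if k.delete else "KEY ") + k.path)
        for name, (t, v) in k.values.items():
            print("    %-12s %-13s %r" % (name or "(Default)", t, v))
        for name in k.deleted_values:
            print("    %-12s DELETE" % name)
    print("autostart writes:", autostart_writes(parsed))
```

Run it against a real dropped file with `parse_reg(open(path, encoding="utf-16").read())` for Version 5.00 files (those are UTF-16LE with a BOM) or `encoding="mbcs"` on Windows for old REGEDIT4 files; the key-deletion form `[-HKEY...]` and the value-deletion form `"name"=-` are what make a silent import as dangerous for removing evidence and security settings as for adding persistence.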
