Security Incidents mailing list archives

Re: Trojan found...


From: "Patrick Nolan" <p.nolan () attbi com>
Date: Thu, 24 Apr 2003 13:58:18 -0700

One additional registry location you might want to check is this =>

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components


Used by the SubSeven remote access Trojan.

Regards,

Patrick Nolan
Virus Researcher - Fortinet
pnolan () fortinet com


----- Original Message ----- 
From: "aladin168" <aladin168 () hotmail com>
To: <incidents () securityfocus com>
Sent: Thursday, April 24, 2003 7:22 AM
Subject: Re: Trojan found...


| In-Reply-To: <20030417230836.23848.qmail () web41603 mail yahoo com>
|
| By Kyle Lai, CISSP, CISA, KLC Consulting, Inc., www.klcconsulting.net
|
| Where are Trojans hiding in your systems?
|
| In any case of virus/worm/Trojan infection, we should not automatically
| assume that the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry
| key is the only place Trojans try to tamper with; otherwise we would be in a
| false-sense-of-security TRAP.
|
| There are many other places on a Windows system where Trojans can add
| scripts and shortcuts to start up Trojan processes:
|
| · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
| · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
| ·
| [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
| ·
|
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOn
| ce]
| · [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
| · [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
|
| Note:  For the following registry keys, the key value should be exactly
| "%1 %*".  Any programs that are added to the key value will get executed
| every time a binary file (.exe, .com) is executed, i.e. "Trojan.exe %1 %*".
|
| · [HKEY_CLASSES_ROOT\exefile\shell\open\command]
| · [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
|
| Also, check:
| · Startup folder:  to go to this folder, click on Start->Programs->Startup,
| and right click on Startup and select "Open" from the menu.
| Check every file in this folder and make sure you know what they are.
| These files will startup automatically every time you login to your
| systems.
|
| · Windows Scheduler - check if any programs are scheduled to start at
| any specific time.  Some Trojans use the scheduler as a means of program
| execution.
|
|   o For Windows NT, 2000 and XP systems, use the AT command to verify.  Go to
| a command prompt and type "at"; if there are any scheduled tasks, it will
| display "Status, ID, Day of execution, Time of execution, and Command line
| to be executed".
|
|   o For Windows 9x/ME systems, use Windows Explorer and go to Task
| Scheduler, which is under My Computer.
|
| · Win.ini (load=Trojan.exe or run=Trojan.exe)
| · system.ini (Shell=Explorer.exe trojan.exe)
| · autoexec.bat - look for added Trojan files, may be in the following file
| extensions: .exe, .scr, .pif, .com, .bat
| · config.sys - look for added Trojan files
| · Any suspicious or new batch files (.BAT), which might call the actual
| Trojan.
|
| Also, watch out for social engineering...  Social engineering?  Yes.
| Don't be fooled by processes or programs with a similar or exactly the
| same filename as legitimate Windows system programs.  Many known
| Trojans have included programs with the exact same name as Windows system
| programs, but put them into different folders.  Many people lower their
| guard when they see familiar Windows system programs, and some Trojans have
| successfully created deceptions and exploited this human vulnerability.  If
| you just use the Windows Task Manager to check processes, you might be
| fooled if you don't examine them carefully.  You might want to use some
| other tools for detailed examination, e.g. pstools from
| www.systeminternals.com.
|
| Here are some sample filenames of files included in recent Trojans:
|
| · Explorer.exe - a legitimate program exists in \Windows or \Winnt folder,
| NOT \Windows\system32 or \Winnt\system32, or anywhere else
|
| · Rundll32.exe - a legitimate program exists in \Windows\system32 or
| \Winnt\system32 folder, not anywhere else
|
| · taskmngr.exe - the legitimate program is called "taskmgr.exe", not
| "taskmngr.exe"
|
| Let's be vigilant about the files, registry entries and other places that
| Trojans can touch.
|
| Reference:
| · Ocxdll.exe/mIRC Virus Analysis by KLC Consulting:
| http://www.klcconsulting.net/mirc_virus_analysis.htm
|
| · Deloder worm / IRC worm/Trojan Analysis by KLC Consulting:
| http://www.klcconsulting.net/deloder_virus_analysis.htm
|
| · The Complete Windows Trojans Paper By Dancho Danchev:
| http://www.frame4.com/
|
| · "Where are Trojans hiding?" by KLC Consulting:
| http://www.klcconsulting.net/trojan/trojan_identification.htm
|
| Kyle Lai, CISSP, CISA
| KLC Consulting, Inc.
| klai () klcconsulting net
| www.klcconsulting.net
|
| >Les,
| >
| >> I say it has never executed because contained
| >> in the rar file is a .reg file that adds the trojan
| >> to the
| >> HKLM\Software\Microsoft\Windows\CurrentVersion\Run
| >> key and that key is empty.
| >
| >What about the running processes on the system?  If
| >the key is empty, it may simply have not been able to
| >write to the key.  Keep in mind that the IIS web
| >server runs as a guest on the system.
| >
| >> The folder that that registry entry points to does
| >> not exist either. Also contained in the rar file is
| >> a txt file that lists users and which groups to add
| >> them to, none of these users exist on the system.
| >
| >Again...permissions.
| >
| >> If anyone has had experience with this trojan or
| >> knows where I can find info on it I would be
| >> grateful.
| >
| >Sounds like you have everything available to write an
| >analysis.  Since it looks as if no one has written one
| >yet...  ;-)
| >
| >Harlan
| >
|
| >--------------------------------------------------------------------------
| >Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
| >world's premier event for IT and network security experts.  The two-day
| >Training features 6 hands-on courses on May 12-13 taught by professionals.
| >The two-day Briefings on May 14-15 features 24 top speakers with no vendor
| >sales pitches.  Deadline for the best rates is April 25.  Register today to
| >ensure your place. http://www.securityfocus.com/BlackHat-incidents
| >--------------------------------------------------------------------------
|
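The registry locations named in this thread (the Active Setup key in the reply above and the Run/RunOnce/RunServices and exefile keys in the quoted post) can be checked offline from a registry export rather than by clicking through regedit on a suspect box. The script below is an added example and is not code from either poster: it parses a `.reg` file produced with `reg export`, lists every value under the watched keys (including Active Setup component subkeys, whose command sits in `StubPath`), and flags an exefile open command whose default is not exactly `"%1" %*` (the quotes around `%1` are part of the real default value). The embedded sample export is constructed, and the component name and paths in it are placeholders.

```python
"""Offline triage of a Windows .reg export for the autostart locations named
in this thread.  Added example, not code from the posters.  On the suspect
system, export the hives first, e.g.
    reg export "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion" cv.reg
then run:  python reg_autostart.py cv.reg [more.reg ...]"""
import re
import sys

# Autostart keys from the thread.  Values under subkeys are reported too,
# because Active Setup components sit one level down (command in StubPath).
ASEP_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components",
)
# The exefile handler: anything other than "%1" %* here runs on every .exe launch.
EXEFILE_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
)
EXPECTED_EXEFILE = '"%1" %*'

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: a backslash escapes the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}.  REG_SZ strings are
    decoded; other types (hex:, dword:) are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if current is None or not m:
            continue  # header line, hex continuation line, etc.
        name, data = m.group(1), m.group(2).strip()
        name = "(Default)" if name == "@" else _unescape(name[1:-1])
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def _under(key, watch):
    k = key.lower()
    return any(k == w.lower() or k.startswith(w.lower() + "\\") for w in watch)


def find_autostarts(reg):
    """(key, value_name, data) for every value under a watched autostart key."""
    return [(k, n, d) for k, vals in reg.items() if _under(k, ASEP_KEYS)
            for n, d in vals.items()]


def check_exefile_handler(reg):
    """(key, data) for each exefile open command that is not exactly "%1" %*."""
    return [(k, vals.get("(Default)", "")) for k, vals in reg.items()
            if _under(k, EXEFILE_KEYS) and vals.get("(Default)", "") != EXPECTED_EXEFILE]


def load_reg_file(path):
    """Version 5.00 exports are UTF-16 with a BOM; REGEDIT4 exports are ANSI."""
    raw = open(path, "rb").read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")


# Constructed sample export (placeholder paths and component name), not a real capture.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Loader"="C:\\WINNT\\system32\\explorer.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{PLACEHOLDER-GUID}]
"StubPath"="C:\\WINNT\\TEMP\\srv.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINNT\\TEMP\\srv.exe \"%1\" %*"
'''


def report(reg):
    for key, name, data in find_autostarts(reg):
        print(f"autostart  {key} :: {name} = {data}")
    for key, data in check_exefile_handler(reg):
        print(f"HIJACKED   {key} default = {data!r} (expected {EXPECTED_EXEFILE!r})")


if __name__ == "__main__":
    for path in sys.argv[1:]:
        report(parse_reg(load_reg_file(path)))
    if len(sys.argv) == 1:
        report(parse_reg(SAMPLE_EXPORT))
```

Every autostart entry is printed, not just "suspicious" ones, because the point of the quoted post is that the reviewer should know what each one is; the exefile check is the only automatic verdict, since there is exactly one legitimate value.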
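The masquerading the quoted post warns about (a system binary's name run from the wrong directory, or a near-miss spelling such as taskmngr.exe) can be checked mechanically against any process listing that includes full image paths. This is an added example, not from the original posts: the PID/NAME/PATH layout it parses is an assumed format, the listing itself is constructed, and the table of legitimate directories is a short hypothetical one for Windows NT/2000/XP layouts that should be built out from a clean reference machine of the same version. It goes slightly beyond the post's examples by also catching transposed letters (scvhost.exe for svchost.exe).

```python
"""Flag processes that masquerade as Windows system programs: a known system
binary name running from the wrong directory, or a near-miss spelling of one.
Added example, not from the original posts; the listing format and the table
of legitimate directories are assumptions."""
import ntpath

# Where each system program legitimately lives, relative to %windir%
# (NT-era layouts: C:\WINNT or C:\WINDOWS).  Hypothetical short table; build
# the real one from a clean reference machine of the same Windows version.
LEGIT_SUBDIR = {
    "explorer.exe": "",          # %windir% itself, never system32
    "rundll32.exe": "system32",
    "taskmgr.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
}
WINDIRS = ("c:\\winnt", "c:\\windows")


def osa_distance(a, b):
    """Optimal string alignment distance: single-character edits plus adjacent
    transpositions, so scvhost.exe is 1 away from svchost.exe."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(name, path):
    """None if the process looks consistent, else a short reason."""
    name, directory = name.lower(), ntpath.dirname(path.lower())
    if name in LEGIT_SUBDIR:
        allowed = {ntpath.join(w, LEGIT_SUBDIR[name]).rstrip("\\") for w in WINDIRS}
        return None if directory in allowed else f"{name} outside its expected directory"
    for legit in LEGIT_SUBDIR:
        if osa_distance(name, legit) == 1:
            return f"lookalike of {legit}"
    return None


def parse_listing(text):
    """Parse 'PID NAME PATH' lines (assumed layout; PATH may contain spaces)."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            rows.append((int(parts[0]), parts[1], parts[2].strip()))
    return rows


def scan(text):
    """(pid, name, path, reason) for every suspicious row in the listing."""
    return [(pid, n, p, r) for pid, n, p in parse_listing(text)
            if (r := classify(n, p)) is not None]


# Constructed listing, not a capture from a real machine.
SAMPLE_LISTING = r"""PID   NAME          PATH
1024  explorer.exe  C:\WINNT\explorer.exe
1180  explorer.exe  C:\WINNT\system32\explorer.exe
1204  rundll32.exe  C:\WINNT\system32\rundll32.exe
1316  taskmngr.exe  C:\WINNT\system32\taskmngr.exe
1402  scvhost.exe   C:\WINNT\system32\scvhost.exe
1510  notepad.exe   C:\WINNT\system32\notepad.exe
"""

if __name__ == "__main__":
    for pid, name, path, reason in scan(SAMPLE_LISTING):
        print(f"{pid:>6}  {name:<14} {path:<40} {reason}")
```

The distance threshold is deliberately 1: at 2, names such as iexplore.exe would be reported as lookalikes of explorer.exe, and a triage script that cries wolf on stock binaries gets ignored.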