Security Incidents mailing list archives

worm/Trojans are taking advantage of default path of Windows


From: <kyle () kylelai com>
Date: Mon, 10 Mar 2003 22:35:10 -0500

This is an interesting discovery.  It might not be new to some of you, but I
think it's worth mentioning.

Based on my analysis of the recent worm/Trojan (IRC_SCREWZ), I have noticed
that this worm/Trojan puts a filename "EXPLORER.EXE" with no path information
in a registry value under the registry key
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".  As we
all know, when we try to run a program without any path information, the
system will try to use the %path% environment variable to locate the file
specified.  Therefore, when the system starts, it will look for the file in
the "%windir%\system32" folder first, and "%windir%" second, based on the default
Windows path.  Since the legitimate Windows Explorer is located at
"%windir%", the worm/Trojan file at "%windir%\system32" will get executed
at system startup instead of the legitimate EXPLORER.EXE.

The default Windows path on Windows 2000 and XP is:
PATH=E:\WINNT\system32;E:\WINNT;E:\WINNT\System32\Wbem

Actual registry value of IRC_SCREWZ worm/Trojan:
"COM+Services" = "explorer.exe"
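As an added example (not part of the original post), the following Python audit reproduces the resolution rule described above: for every Run value whose command carries no path information, it walks the PATH directories in order, reports which file would actually start, and lists any later copies that are shadowed by it. The PATH string and the "COM+Services" value are taken from the post; the on-disk file snapshot and the other two Run values are constructed for the example.

```python
import ntpath

# Constructed sample data for this example, not taken from a live system.
# Default Windows 2000/XP PATH as quoted in the post.
DEFAULT_PATH = r"E:\WINNT\system32;E:\WINNT;E:\WINNT\System32\Wbem"

# Executables present on disk (lower-cased). The legitimate shell lives in
# %windir%; the extra copy in system32 stands in for the dropped file.
FILES_ON_DISK = {
    r"e:\winnt\explorer.exe",
    r"e:\winnt\system32\explorer.exe",
    r"e:\winnt\system32\mobsync.exe",
}

# Run key values as name -> command line; "COM+Services" is from the post.
RUN_VALUES = {
    "COM+Services": "explorer.exe",
    "Synchronization Manager": "mobsync.exe /logon",
    "Hypothetical Vendor Tool": r"E:\Program Files\Vendor\tool.exe /quiet",
}


def first_token(command):
    """Return the program part of a Run command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def path_matches(name, path_env, files):
    """PATH directories, in search order, that contain `name`."""
    if not ntpath.splitext(name)[1]:
        name += ".exe"  # CreateProcess appends .exe when no extension is given
    return [c for d in path_env.split(";")
            if (c := ntpath.join(d, name).lower()) in files]


def audit_run_values(run_values, path_env, files):
    """Map each pathless Run entry to (program, file that wins, shadowed files)."""
    findings = {}
    for value_name, command in run_values.items():
        program = first_token(command)
        if ntpath.dirname(program):
            continue  # a path was given, so PATH is not consulted
        hits = path_matches(program, path_env, files)
        findings[value_name] = (program, hits[0] if hits else None, hits[1:])
    return findings
```

A non-empty shadowed list is the condition the post describes: the same bare filename exists in more than one PATH directory, and only the first one ever runs.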

Reference:
mIRC worm/Trojan analysis: www.klcconsulting.net/mirc_virus_analysis.htm
IRC_SCREWZ -
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_FLOOD.BI.DR&VSect=T

BTW, on March 8, 2003, I did an experiment to see how fast a Windows 2000
Professional system (honeypot), having the "administrator" userID with no
password, can get infected with IRC type of worms/Trojans on the Internet. I
put the honeypot on a cable modem for 5 hours, and I was infected with 2 IRC
worm/Trojans within this time.  They are identified as "IRC_SCREWZ" and
"W32/Deloder.worm" by the Virus vendors.  If you are interested in the
result of this experiment, the report will be available on the KLC
Consulting Website on March 11, 2003 at
http://www.klcconsulting.net/irc_experiment1.htm

Cheers,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
617-921-5410
klai () klcconsulting net
www.klcconsulting.net


