PaulDotCom mailing list archives
Re: Incident Response
From: Josh Little <josh () zombietango com>
Date: Thu, 01 Jul 2010 11:21:02 -0400
On 7/1/2010 9:58 AM, Craig Freyman wrote:
Not a false positive. Someone used a nasty USB drive that had an autorun virus on it. The autorun.inf had this in it:

l~-??A?<K??#?Ê??ed?ª?üXÜ??ÁüFl?æ?eëX?r?:M?à???Ñ?çs?Ç?Oü?EF??ëÓ??ÚÞÊN?d=?ú??[Y?????mÈm!Ã???çñvè?y?Êv_????É-/?Is?ù?,[
[autorun
;e???V
open=trikfx/spomenar.exe
;Þm÷?Ç
icon=%SystemRoot%\system32\SHELL32.dll,4
;X]doÝ??a
action=Open folder to view files using Windows Explorer
;?ëë$???µ]
shell\\open\\\command=trikfx/spomenar.exe
;Là?ÿÜ??Üü`ásáµ????Dþ?é'?µ??rm?ò?
shell\\explore\\command=trikfx/spomenar.exe
;??àg'æë?
useautoplay=1

VirusTotal for this file: http://www.virustotal.com/analisis/e22b8e9b4fbdb876904373e647306a3f0a8d2c5bbb50e708a87464c83c962dba-1277992532
So did your AV product block the AR script at runtime? If it did, you will then need to verify that the exe did not run on the machine at any time prior. Check things like the various Run and RunOnce keys in the registry, the Windows Prefetch directory, etc. to see if any trace of the named exe (spomenar.exe) exists, or even something similar.

You may also want to insert the drive into a Linux or Mac box (some system where the exe won't run or be pulled automatically by AV from the drive) and offload a copy of the exe. Since you have a VT report, you probably have already done this. Submit that exe to someplace like Anubis, CWSandbox, or ThreatExpert. See what these reports say about the immediate activities of the binary after launch.

You can then compare this behavior to that seen in the historical record for the machine in question. If the binary makes network calls at launch, see if the machine in question has made the same or similar calls in the past. If you don't have something like Netflow in place, you could even try looking in your DNS server's cache to see if a record exists if the binary makes a call to a hostname instead of an IP.

Hope that helps.

Josh Little

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
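As an added example (not code from anyone in this thread), a small Python parser that pulls the executables referenced by a captured autorun.inf like the one quoted above, ignoring the junk ';' comment lines used as padding, so the names can be hunted for in the Run/RunOnce keys and Prefetch as Josh suggests. The sample bytes are constructed to mimic the quoted file, not copied from it.

```python
import re

# Constructed sample modelled on the autorun.inf quoted in the thread: leading
# binary garbage, then [autorun] keys interleaved with junk ';' comment lines.
SAMPLE = (
    b"l~-\xff\xfeA\x8c<K\x01#\x02\xca\xed\xaa\xfcX\xdc\n"
    b"[autorun\n"
    b";e\x00\x01V\n"
    b"open=trikfx/spomenar.exe\n"
    b";\xdem\xf7\xc7\n"
    b"icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
    b";\xeb\xeb$\xb5]\n"
    b"shell\\open\\command=trikfx/spomenar.exe\n"
    b";L\xe0\xff\xdc\n"
    b"shell\\explore\\command=trikfx/spomenar.exe\n"
    b";\xe0g'\xe6\xeb\n"
    b"useautoplay=1\n"
)

KEY_RE = re.compile(r"^([A-Za-z0-9_\\]+?)\s*=\s*(.*?)\s*$")


def parse_autorun(data: bytes) -> dict:
    """Return key -> value (keys lower-cased) for the [autorun] section.

    Decoded as latin-1 so junk bytes never raise; ';' comment lines (the
    padding) are dropped; a '[autorun' header missing its ']' is accepted.
    """
    entries, in_section = {}, False
    for raw in data.decode("latin-1").split("\n"):
        line = raw.strip(" \t\r\x00")
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.strip("[] ").lower() == "autorun"
            continue
        m = KEY_RE.match(line) if in_section else None
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries


def launched_binaries(entries: dict) -> set:
    """File names the autorun would run: open= and any shell\\<verb>\\command=."""
    names = set()
    for key, value in entries.items():
        if key == "open" or (key.startswith("shell\\") and key.endswith("\\command")):
            for target in value.split()[:1]:  # first token only, drop arguments
                names.add(target.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return names
```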