
SANS ISC InfoSec Handlers Diary Blog



Information to Help Track Down Infections From WGAREG.EXE

Published: 2006-08-13
Last Updated: 2006-08-13 16:03:56 UTC
by Deborah Hale (Version: 1)
Many thanks to Andreas, one of our readers from Germany.  He has provided us with the results of his research and where he found tracks left by the install.  He has agreed to allow us to share the information with our readers.

From Andreas' analysis:

[1] The exploit might also have entered using some java "hole", since I found a trace in ..\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\ext\ with a handful of highly suspicious .jar and .zip files.

[2] C:\WINNT\NT contained a file named NRCS.EXE, 25,185 bytes in length.

[3] C:\WINNT\Debug contained a file named dcpromo.log.

[4] Found malicious registry keys in:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAREG
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAVM

YOU CANNOT EVEN DELETE THOSE IN SAFE MODE!

See information below for a method to remove these keys.

[5] NOD32v2.......1.1704/20060811....found [a variant of Win32/IRCBot.OO]

[6] The malicious program disguised as a .jpg in C:\Documents and Settings\Default User\Temporary Internet Files\Content.IE5\<some random folder>.

According to Andreas it has behavior very close to CUEBOT-K.

Sophos Cuebot-K

Cuebot-K is believed to be spreading through AIM or AOL neither of which he has installed. 

We hope this will give you some places to look for the tracks of this new malicious program.
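As an added example (not part of the diary and not Andreas's own tooling), the following PowerShell script checks a machine, read-only, for the artifacts listed in items [1] through [6]: the two files, the two LEGACY_ registry keys, .jar/.zip files in the Java deployment cache, and .jpg files in Content.IE5 that actually start with a PE ("MZ") header. It assumes Windows PowerShell 3.0 or later from an elevated prompt and builds paths from $env:SystemRoot instead of the diary's hard-coded C:\WINNT. The Services\wgareg and Services\wgavm keys (inferred from the LEGACY_ naming) and the profile-relative cache paths for Vista and later are my assumptions, not indicators from the diary; dcpromo.log is also written legitimately on domain controllers, so it is flagged but should be weighed accordingly.

```powershell
# Read-only triage for the WGAREG / IRCBot artifacts described in the diary.
# Added example, not code from the diary or from Andreas. Run elevated.
# Nothing here deletes or modifies anything.

$findings = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add("[$Kind] $Detail")
}

function Test-DisguisedExecutable([string]$Path) {
    # A real JPEG begins with FF D8; a PE image begins with 'MZ' (4D 5A).
    try {
        $fs  = [System.IO.File]::OpenRead($Path)
        $buf = New-Object byte[] 2
        $n   = $fs.Read($buf, 0, 2)
        $fs.Close()
        return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } catch { return $false }
}

# --- Files from items [2] and [3] ---
$files = @(
    (Join-Path $env:SystemRoot 'NT\NRCS.EXE'),
    (Join-Path $env:SystemRoot 'Debug\dcpromo.log')   # legitimate on a domain controller: weak indicator alone
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $len = (Get-Item -LiteralPath $f).Length
        Add-Finding 'file' "$f ($len bytes)"
    }
}

# --- Registry keys from item [4] ---
# A LEGACY_<name> key under Enum\Root is created for a non-PnP service <name>,
# so the matching Services keys are checked too (assumption, not in the diary).
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAREG',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAVM',
    'HKLM:\SYSTEM\CurrentControlSet\Services\wgareg',
    'HKLM:\SYSTEM\CurrentControlSet\Services\wgavm'
)
foreach ($k in $keys) {
    try {
        $null = Get-Item -LiteralPath $k -ErrorAction Stop
        Add-Finding 'registry' $k
    } catch [System.Management.Automation.ItemNotFoundException] {
        # key absent: nothing to report
    } catch {
        # Enum\Root keys may be readable only by SYSTEM (see diary); report rather than fail
        Add-Finding 'registry' "$k (exists or is unreadable: $($_.Exception.GetType().Name))"
    }
}

# --- Java deployment cache [1] and Content.IE5 [6], per user profile ---
# Profile roots for Windows 2000/XP and for Vista and later; the cache
# locations moved between those generations, so several candidates are tried.
$profileRoots = @('C:\Documents and Settings', 'C:\Users') | Where-Object { Test-Path -LiteralPath $_ }
$javaCacheRel = @(
    'Application Data\Sun\Java\Deployment\cache',      # 2000/XP, as in the diary
    'AppData\Roaming\Sun\Java\Deployment\cache',       # assumption: later Windows
    'AppData\LocalLow\Sun\Java\Deployment\cache'       # assumption: later Windows
)
$tifRel = @(
    'Temporary Internet Files\Content.IE5',            # path as written in the diary
    'Local Settings\Temporary Internet Files\Content.IE5',
    'AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5'
)

foreach ($root in $profileRoots) {
    foreach ($profile in Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue) {
        foreach ($rel in $javaCacheRel) {
            $dir = Join-Path $profile.FullName $rel
            if (Test-Path -LiteralPath $dir) {
                Get-ChildItem -LiteralPath $dir -Recurse -Force -Include *.jar,*.zip -ErrorAction SilentlyContinue |
                    ForEach-Object { Add-Finding 'java-cache' "$($_.FullName) ($($_.Length) bytes)" }
            }
        }
        foreach ($rel in $tifRel) {
            $dir = Join-Path $profile.FullName $rel
            if (Test-Path -LiteralPath $dir) {
                Get-ChildItem -LiteralPath $dir -Recurse -Force -Include *.jpg,*.jpeg -ErrorAction SilentlyContinue |
                    Where-Object { Test-DisguisedExecutable $_.FullName } |
                    ForEach-Object { Add-Finding 'disguised-exe' $_.FullName }
            }
        }
    }
}

if ($findings.Count -eq 0) { 'No WGAREG artifacts found.' } else { $findings }
```

The MZ check matters more than the file names: the bot in item [6] sat in the browser cache under a .jpg name, so matching on extension alone would miss it, while any "image" that begins with a PE header is worth pulling for analysis regardless of what the rest of the scan finds.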

Updated

Again Andreas has provided us with some terrific information. He has figured out how to remove the registry keys. Here is his information.

1. Use REGEDT32, *not* regedit!

2. Check the current real time. Suppose it's 16:30.

3. In a DOS prompt:
at 16:31 /interactive regedt32.exe

This will - after 1 minute - open regedt32.exe with SYSTEM rights!!! (yes there is something _more_ powerful than an Administrator in Windows). And automagically - the keys can be violently deleted.

As an alternative, you can open the registry editor with "administrator" rights and then give yourself "full control" on the registry key in question. By default, the keys under CurrentControlSet\Enum are accessible only to the all-powerful SYSTEM user, but this is for good reason. Delete or change the wrong key under \Enum, and your Windows installation will turn into an inert heap of bytes. So tread carefully!
