The following was posted by aladin168 to the security focus incidents mailing list and looked useful enough to share.
****************************************************
In-Reply-To: <20030417230836.23848.qmail@web41603.mail.yahoo.com>

By Kyle Lai, CISSP, CISA, KLC Consulting, Inc., www.klcconsulting.net Where are Trojans hiding in your systems? In any cases of virus/worm/Trojan infections, we should not automatically assume that HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key is the only place Trojans try to tamper, otherwise we would be in a false sense of security TRAP. There are many other places on a Windows system that Trojans can add scripts and shortcuts to startup Trojan processes: · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] · [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOn ce] · [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] · [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce] Note: For the following registry keys, the key value should be exactly "% 1 %*" . Any programs that are added to the key value will get executed every time a binary file (.exe, .com) is executed, i.e."Trojan.exe %1 %*". · [HKEY_CLASSES_ROOT\exefile\shell\open\command] · [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command] Also, check: · Startup folder: to go to this folder, click on Start->Programs- >Startup, and right click on Startup and select "Open" from the menu. Check every file in this folder and make sure you know what they are. These files will startup automatically every time you login to your systems. · Windows Scheduler - check if any programs are scheduled to startup at any specific time. Some Trojans use scheduler as a mean for program execution. o For Windows NT, 2000 and XP systems, use AT command to verify. Go to command prompt and type "at" and if there is any scheduled tasks, it will display "Status, ID, Day of execution, Time of execution, and Command line to be executed" o For Windows 9x/ME systems, use Windows Explorer and go to Task Scheduler, which is under My Computer. · Win.ini (load=Trojan.exe or run=Trojan.exe) · system.ini (Shell=Explorer.exe trojan.exe) · autoexec.bat - look for added Trojan files, may be in the following file extensions: .exe, .scr, .pif, .com, .bat · config.sys - look for added Trojan files · Any suspicious or new batch files (.BAT), which might call the actual Trojan. Also, watch out for social engineering... Social engineering? Yes. Don't be fooled by processes or programs with similar and/or exactly the same filename as the legitimate Windows system programs. Many known Trojans have included programs with exact same name as Windows system programs, but put them into different folders. Many people lower their guard when they see familiar Windows system programs, and some Trojans did successfully create deceptions and exploit this human vulnerability. If you just use the Windows Task Manager to check processes, you might be fooled if you don't examine them carefully. You might want to use some other tools for detailed examination i.e. pstools from www.systeminternals.com. Here are some sample filename of files included in recent Trojans: · Explorer.exe - a legitimate program exists in \Windows or \Winnt folder, NOT \Windows\system32 or \Winnt\system32, or anywhere else · Rundll32.exe - a legitimate program exists in \Windows\system32 or \Winnt\system32 folder, not anywhere else · taskmngr.exe - the legitimate program is called "taskmgr.exe", not taskmngr.exe" Let's be vigilant about the files and registries and different places that Trojan can touch. Reference: · Ocxdll.exe/mIRC Virus Analysis by KLC Consulting: http://www.klcconsulting.net/mirc_virus_analysis.htm · Deloder worm / IRC worm/Trojan Analysis by KLC Consulting: http://www.klcconsulting.net/deloder_virus_analysis.htm · The Complete Windows Trojans Paper By Dancho Danchev: http://www.frame4.com/ · "Where are Trojans hiding?" by KLC Consulting: http://www.klcconsulting.net/trojan/...tification.htm Kyle Lai, CISSP, CISA KLC Consulting, Inc. klai@klcconsulting.net www.klcconsulting.net >Les, > >> I say it has never executed because contained >> in the rar file is a .reg file that adds the trojan >> to the >> HKLM\Software\Microsoft\Windows\CurrentVersion\Run >> key and that key is empty. > >What about the running processes on the system? If >the key is empty, it may simply have not been able to >write to the key. Keep in mind that the IIS web >server runs as a guest on the system. > >> The folder that that registry entry points to does >> not exist either. Also contained in the rar file is >> a txt file that lists users and which groups to add >> them to, none of these users exist on the system. > >Again...permissions. > >> If anyone has had experience with this trojan of >> knows where I can find info on it I would be >> greatful. > >Sounds like you have everything available to write an >analysis. Since it looks as if no one has written one >yet... ;-) > >Harlan > >__________________________________________________ >Do you Yahoo!? >The New Yahoo! Search - Faster. Easier. Bingo >http://search.yahoo.com > >-------------------------------------------------------------------------- -- >Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the >world's premier event for IT and network security experts. The two-day >Training features 6 hand-on courses on May 12-13 taught by professionals. >The two-day Briefings on May 14-15 features 24 top speakers with no vendor >sales pitches. Deadline for the best rates is April 25. Register today to >ensure your place. http://www.securityfocus.com/BlackHat-incidents >-------------------------------------------------------------------------- -- > >
----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------