-
August 4th, 2010, 04:01 PM
#11
Same here.
I know that there is malware that will edit that registry entry and may even set it to "null" or blank, which I suppose is what " " is?
Here is an (old) example:
http://www.ca.com/us/securityadvisor....aspx?id=58501
I would have thought that the current entry would mean that the desktop wouldn't load? I just find it odd that so many machines have been affected without someone saying something sooner.
Probably a thing of the past, but in the old days (NT 4) we used to use logon scripts to do that sort of thing.
I would be interested to know what runs when you boot an affected machine? Are the users supposed to get the normal desktop?
-
August 4th, 2010, 05:08 PM
#12
Originally Posted by nihil
Same here.
I know that there is malware that will edit that registry entry and may even set it to "null" or blank, which I suppose is what " " is?
Keep me posted too!
Technically a null entry would be "" not " "
Sorry felt like being a pedantic dick
Originally Posted by nihil
I would have thought that the current entry would mean that the desktop wouldn't load? I just find it odd that so many machines have been affected without someone saying something sooner.
Meh, not that surprising really. A lot of malware is meant to avoid detection and cleverly hide itself so a standard user does not notice it at all =P AV can only do so much, and it is really only a minor hassle for attackers who aren't script kiddies, what with all the advanced encoding libraries out there. It makes detection via definitions a very difficult task and one that will always be a step behind at best >.<
Originally Posted by nihil
I would be interested to know what runs when you boot an affected machine? Are the users supposed to get the normal desktop?
You should get the seemingly normal desktop unless the attacker doesn't want that >.< It seems weird though that the only weird registry value that stands out is the shell one. I would figure that if an attacker was trying to be very stealthy they would just patch explorer.exe or whatever file they were most concerned with and not change the registry in such a blatant way. It kind of makes me lean a little on the side of windows being windows, but it is definitely something I want more info about...
-
August 4th, 2010, 07:10 PM
#13
It seems weird though that the only weird registry value that stands out is the shell one. I would figure that if an attacker was trying to be very stealthy they would just patch explorer.exe or whatever file they were most concerned with and not change the registry in such a blatant way. It kind of makes me lean a little on the side of windows being windows, but it is definitely something I want more info about...
I agree, I can't quite figure out what it is supposed to achieve. Makes me wonder if there might not be another explorer.exe on the systems? Is the original still there and where it should be? AFAIK the explorer value is there by default but if it were null or blank then explorer.exe is the default shell anyway???
As for "windows being windows" that might explain the odd occurrence but not 4,000 instances or even 400?
It looks pretty deliberate to me, but who did it, how and why?
Last edited by nihil; August 4th, 2010 at 08:16 PM.
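The posts above keep circling the same three questions: what exactly is in the Winlogon "Shell" value (missing, "" or " "), whether a second explorer.exe is sitting somewhere on the box, and how to check an image offline. The script below is an added example for this thread, not something any of the posters ran. It assumes the "shell" entry being discussed is the standard value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (plus its per-user copy under HKCU), and that offline images are mounted as a drive letter as in post #18. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Classifies the Winlogon Shell value the way the
# posts distinguish it: absent, "" (empty), " " (whitespace), "explorer.exe", or custom.
# Assumption: the thread's "shell" entry is ...\Windows NT\CurrentVersion\Winlogon\Shell.

$WinlogonSubKey = 'Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-ShellValueState {
    param([Parameter(Mandatory)][string]$KeyPath)

    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) {
        return [pscustomobject]@{ Key = $KeyPath; Value = $null; State = 'KeyMissing' }
    }
    # Read the raw data without expanding %SystemRoot% etc., so REG_EXPAND_SZ tricks stay visible.
    $raw = $key.GetValue('Shell', $null, 'DoNotExpandEnvironmentNames')

    if ($null -eq $raw)                       { $state = 'ValueMissing' }  # absent: built-in default (explorer.exe) applies
    elseif ([string]$raw -eq '')              { $state = 'Empty' }         # "" -- what post #12 calls a null entry
    elseif (([string]$raw).Trim() -eq '')     { $state = 'Whitespace' }    # " " -- the value seen on the affected machines
    elseif ([string]$raw -ieq 'explorer.exe') { $state = 'Default' }
    else                                      { $state = 'Custom' }        # e.g. a path to some other binary

    # Brackets make a lone space visible in the output.
    [pscustomobject]@{ Key = $KeyPath; Value = "[$raw]"; State = $state }
}

function Get-LiveShellAudit {
    # HKCU overrides HKLM for the logged-on user when present, so report both hives.
    foreach ($hive in 'HKLM', 'HKCU') {
        Get-ShellValueState -KeyPath "${hive}:\SOFTWARE\$WinlogonSubKey"
    }
}

function Get-OfflineShellAudit {
    # For a disk image mounted as a drive (post #18): load its SOFTWARE hive under a
    # temporary name, read the same value, and unload it again even if the read fails.
    param([Parameter(Mandatory)][string]$MountedSystemRoot)   # e.g. 'E:\Windows' (hypothetical)

    $hiveFile = Join-Path $MountedSystemRoot 'System32\config\SOFTWARE'
    $tempName = 'OfflineSW'                                     # arbitrary temporary key name
    & reg.exe load "HKLM\$tempName" $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed for $hiveFile" }
    try {
        Get-ShellValueState -KeyPath "HKLM:\$tempName\$WinlogonSubKey"
    }
    finally {
        & reg.exe unload "HKLM\$tempName" | Out-Null
    }
}

function Find-ExplorerBinaries {
    # Post #13 asks whether there might be another explorer.exe on the systems: list every
    # copy on the volume, mark the one Windows is supposed to run, and show signature status.
    param([string]$Root = 'C:\')

    $expected = Join-Path $env:SystemRoot 'explorer.exe'
    Get-ChildItem -Path $Root -Filter 'explorer.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Expected  = ($_.FullName -ieq $expected)
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
            }
        }
}

# Usage: live audit, flagging anything that is not the stock configuration, then the binary sweep.
Get-LiveShellAudit | Where-Object { @('ValueMissing', 'Default') -notcontains $_.State } | Format-Table -AutoSize
Find-ExplorerBinaries | Format-Table -AutoSize
```

Across a fleet, wrap Get-LiveShellAudit in Invoke-Command against the machine list and group on State; a value that is exactly one space on thousands of hosts shows up as a single 'Whitespace' bucket, which is the signal the thread is looking for. The offline variant needs the hive loaded under a name that is not already in use, and it must be unloaded before the image is dismounted, which is why the unload sits in a finally block.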
-
August 6th, 2010, 05:25 PM
#14
As for "windows being windows" that might explain the odd occurrence but not 4,000 instances or even 400?
Sure it would. Windows on each box, similar or identical configuration for each box; I would suspect we would see very close behavior. <@):P
But I was wondering if you found anything Byte?
-
August 6th, 2010, 07:10 PM
#15
Nothing ... Just 1 DLL in all images, but that was found as adware (not-a-virus: advertisement program, by Kaspersky).
The problem was network degradation. Since I look after anti-malware for the company, I was asked to investigate a malware issue (since the network assurance manager said his side was clear). However, as it turns out, we gave up a considerable amount of bandwidth (purchased from a sister company) and the network dude had given approval for a reduction (he calls it degradation) in bandwidth, so someone goofed up in the process, leading to the dial-up performance.
(rant here)
I did find 4 new variants of w32.SillyFDC (or DFC, one of them) and w32.pilleuz, but I don't think they are connected to the registry issue, since I analyzed all the malware samples before submission and they did not modify the reg key I'm talking about.
Last edited by ByTeWrangler; August 6th, 2010 at 07:20 PM.
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
August 6th, 2010, 08:04 PM
#16
Sure it would. Windows on each box, similar or identical configuration for each box; I would suspect we would see very close behavior. <@):P
I see what you are trying to say, but that would only work if all were mirrored at least in some part (the basics)?
My next move would be to take the corporate mirror image and load it onto an offnet virgin system... then take a look?
-
August 8th, 2010, 09:45 PM
#17
Originally Posted by ByTeWrangler
Nothing ... Just 1 DLL in all images, but that was found as adware (not-a-virus: advertisement program, by Kaspersky).
The problem was network degradation. Since I look after anti-malware for the company, I was asked to investigate a malware issue (since the network assurance manager said his side was clear). However, as it turns out, we gave up a considerable amount of bandwidth (purchased from a sister company) and the network dude had given approval for a reduction (he calls it degradation) in bandwidth, so someone goofed up in the process, leading to the dial-up performance.
(rant here)
I did find 4 new variants of w32.SillyFDC (or DFC, one of them) and w32.pilleuz, but I don't think they are connected to the registry issue, since I analyzed all the malware samples before submission and they did not modify the reg key I'm talking about.
Did you test them in a VM? Some malware detects a VM and doesn't reproduce as it would undetected.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
August 10th, 2010, 09:44 AM
#18
I never booted the machine into a VM. I just mounted the VM disk on my physical machine and scanned it. Like I said, found nothing!