Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Method to Clean up IIS servers hit by CRv2

From: "Walling, Ken" <Ken.Walling () usa xerox com>
Date: Mon, 06 Aug 2001 17:32:57 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have verified items 2 and 3 below.  The original settings are in
fact 204 and 205 respectively.

        Ken


- -----Original Message-----
From: Doug.Barbin () guardent com [mailto:Doug.Barbin () guardent com]
Sent: Monday, August 06, 2001 14:57
To: dmuz () angrypacket com; INCIDENTS () securityfocus com
Subject: RE: Method to Clean up IIS servers hit by CRv2


As far as we can tell, there are some significant registry changes
made by
the program. 

1.  SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
is set
to 0FFFFFF9Dh.  It should be set back to zero.  This is an
undocumented
registry setting allows for Windows File Protection to be fully
disabled.  A
value of 0 enables file protection.

2. 
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\VirtualRoots\Scripts

is set at 217.  We believe the original settings to be 204.

3. 
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\VirtualRoots\msadc
is
set at 217.  We believe the original settings to be 205.

SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\VirtualRoots\c and
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\VirtualRoots\d do
not
appear at all and should most likely be deleted.  We believe that
these
facilitate the virtual web root that is created by the rootkit.  

The natural problem with Trojans is . . . how do you know if this
Trojan was
used to deposit another?    

Regards,
DB

Douglas  W. Barbin, CISSP, CFE
  Senior Consultant
  W: 703.535.8203 Ext 6547 E-Fax: 240.331.6030 M: 703.338.4003
  625 N Washington Street, Suite 209
  Alexandria, VA 22314  www.guardent.com
  Text Messaging: <mailto:7033384003 () mobile att net> 
  PGP:  64CB ACA8 0474 B9AF 1B24  6756 FA80 A274 55A3 4122
______________________________________________________
G U A R D E N T  
  Enterprise Security and Privacy Programs



- -----Original Message-----
From: dmuz [mailto:dmuz () angrypacket com]
Sent: Monday, August 06, 2001 2:24 PM
To: INCIDENTS () securityfocus com
Subject: Method to Clean up IIS servers hit by CRv2


Hey folks,  Isn't this fun? (har..)

So what are people doing to clean out IIS servers hit by CRv2?

So far I've been doing the following:

1. Patch the server.

2. Remove root.exe from the web directories.

3. Remove explorer.exe from c: and/or d:

4. reboot.

My main question is do you need to mess with the registry keys that it
alters? Are these reset on reboot or do you need to set them to some
value? If so what values? Or delete them all together?

Thanks,
dmuz




- ------------------------------------------------------------------------
- ----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


- ------------------------------------------------------------------------
- ----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBO28MjlazzDkAkAuFEQIqXgCfQQaUAWmnK+kQRZzx0O37xy4q08wAoOmB
/tKtCj0bJMltilUGOr23BDs5
=q+X0
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: