Silent Runners VBS script available

From: Andrew Aronoff (ntbugtraq.sub_at_AARONOFF.COM)
Date: 05/12/04

    Date: Wed, 12 May 2004 13:13:12 +0200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    Hello,

    I tried to use REGEDIT on an XP Home system to look for viruses, but
    REGEDIT kept closing due to the presence of the GAOBOT worm. I wanted
    a fast, easy way to query the registry for everything
    out-of-the-ordinary that was launched at startup and I wanted to be
    able to take it away in a text file for study on another, uninfected
    PC. This was the motivation behind the VBS script "Silent Runners".

    The script has been tested under W98 (Gold and SE), NT4, W2K and WXP.
    It uses WMI to query the registry and if the W98/NT4 box it's on
    doesn't have WMI installed, it'll direct the default browser to the
    appropriate MS download site to fetch it.

    The script does not change anything. It merely finds (most) everything
    that's starting up locally (this iteration won't run over a network),
    squelches reporting of expected values (such as a path-less
    explorer.exe cited as the shell) and writes to a text file in the same
    directory as the script. It's a very quick way to see where many
    incarnations of malware might be nestled and to document a given PC's
    configuration.

    If anyone wants a copy, please let me know. I'll send you a link to
    the script as well as its MD5 hash. You *must* compare that to the
    hash of the file you download. MD5.EXE can be downloaded here:
    http://www.fourmilab.ch/md5/md5.zip

    For reference, here's a list of the keys, values and folders that are
    checked and the O/S's to which each is believed to pertain:

     1. HKCU\SOFTWARE\Microsoft\Command Processor\AutoRun (NT4+)
     2. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ (NT4+)
     3. HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ (All)
     4. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ (All)
     5. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\ (W2K)
     6. HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\ (W98)
     7. HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\ (W98)
     8. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load (NT4+)
        HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run (NT4+)
     9. HKLM\SOFTWARE\Microsoft\Command Processor\AutoRun (NT4+)
    10. HKLM\Software\Microsoft\Active Setup\Installed Components\ (All)
    11. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ (All)
    12. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ (NT4+)
    13. HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ (All)
    14. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ (All)
    15. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\ (NT4/W2K)
    16. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\ (All)
    17. HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ (W98)
    18. HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\ (W98)
    19. HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ (All)
    20. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (NT4+)
    21. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (NT4+)
        HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System (NT4+)
        HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (NT4+)
    22. HKLM\Software\Classes\batfile\shell\open\command\ (All)
    23. HKLM\Software\Classes\comfile\shell\open\command\ (All)
    24. HKLM\Software\Classes\exefile\shell\open\command\ (All)
    25. HKLM\Software\Classes\htafile\shell\open\command\ (All)
    26. HKLM\Software\Classes\piffile\shell\open\command\ (All)
    27. WIN.INI [windows] load=, run= (W98)
    28. SYSTEM.INI [boot] shell= (W98)
    29. %WINDIR%\Start Menu\Programs\Startup (W98)
    30. %USERPROFILE%\Start Menu\Programs\Startup (NT4+)
    31. %ALLUSERSPROFILE%\Start Menu\Programs\Startup (NT4+)

    If I've left anything out or you believe I've cited something
    erroneous, please let me know.

    Note to Microsoft:

    You really oughta document this stuff correctly somewhere:

    KB 179365 has vague wording and appears to apply #17 & #18 to NT4+.
    KB 137367 excludes these two keys from NT4+ systems; I believe this is
    correct.

    Neither of the first two articles mentions #16, but KB 232487 asserts
    it applies to W98 and KB 232509 throws in W2K for good measure.

    KB 314866 pertains to WXP only and restricts itself to 4 keys (#3, #4,
    #13, #14), but as the above list illustrates, there are many more.

    Finally, I tender the following observations:

    1. There are truly a *lot* of ways to launch a program at Windows
       startup and some of them are scary (#10 in particular).

    2. If one were to design a secure system, it surely wouldn't look
       like this.

    3. Most malware doesn't bother to hide, which is a relief, since
       there are some niches that are devilishly difficult to detect with
       REGEDIT, should it still be allowed to launch.

    regards, Andy
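An added example, not part of Andy's post or of the Silent Runners script, built on the same idea of carrying a registry snapshot away for study on a clean machine: it parses a regedit .reg export offline and lists what sits under a few of the locations above, squelching known defaults such as the path-less explorer.exe shell. The monitored key paths, the squelched defaults and the sample export are this example's own assumptions and constructed data.

```python
import re
# Locations from the post as regedit exports them; None = report every value
# under the key, a name = examine only that value (like Winlogon\Shell).
MONITORED = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command", "@"),
]
# Squelched defaults (key leaf, value name) -> data, compared case-insensitively;
# Userinit has no entry here, so its absolute path is always listed for review.
EXPECTED = {("winlogon", "shell"): "explorer.exe", ("command", "@"): '"%1" %*'}
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data; @=data is the default value

def parse_reg_export(text):
    """regedit .reg text -> {key: {value name: data}}; quoted strings are
    unescaped, dword:/hex: data kept verbatim, hex continuation lines joined."""
    keys, current = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if current is None or not (m or line.startswith("@=")):
            continue
        name, data = (m.group(1), m.group(2)) if m else ("@", line[2:])
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys

def find_autostarts(text):
    """[(key, value name, data)] for monitored entries that are not a squelched default."""
    tree = {k.lower(): v for k, v in parse_reg_export(text).items()}
    hits = []
    for key, wanted in MONITORED:
        leaf = key.rsplit("\\", 1)[-1].lower()
        for name, data in tree.get(key.lower(), {}).items():
            if wanted in (None, name) and EXPECTED.get((leaf, name.lower())) != data.lower():
                hits.append((key, name, data))
    return hits

# Constructed sample export (not from any real machine); regedit writes .reg
# files as UTF-16, so read real ones with open(path, encoding="utf-16").
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sample Tray"="C:\\Program Files\\Sample\\tray.exe"
"suspect"="suspect.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"DefaultUserName"="andy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''
```

Running `find_autostarts(SAMPLE_REG)` reports the two Run entries and the Userinit path, while the default shell and the exefile `"%1" %*` handler are squelched.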

