Re: Why the shutdown if infected with blaster?

From: Ronald Schmidt (rschmidt_at_eisb.org)
Date: 08/18/03

    Date: Mon, 18 Aug 2003 13:24:15 -0400
    To: stefmit <stefmit@comcast.net>, <focus-ms@securityfocus.com>
    
    

    Good Day Stef,

    We found setting registry key

    HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot to '0'(hex)

    Note:

    Please note that we made the HDD a slave to a stand-alone 'safe' box and loaded the system hive into the new box's registry to make the edit.
    (we couldn't even boot to a command prompt)

    Which made the old machine incapable of booting (corrupt system registry)

    However, the corruption was probably my own inexperience with registry manipulation.

    Hope that gives a little food for thought and grounds for further research.

    Regards

    Ron

    ---------- Original Message ----------------------------------
    From: stefmit <stefmit@comcast.net>
    Date: Fri, 15 Aug 2003 11:23:08 -0500

    >Is there any way to change the recovery mode of this service, from a command
    >prompt (CLI), as the GUI takes much longer to load, and the system already
    >reboots at that stage?
    >
    >TIA,
    >Stef
    >
    >On Wednesday 13 August 2003 11:12 am, Jonathan Rickman wrote:
    >> On Tuesday 12 August 2003 18:54, Carlos Baez Ortíz wrote:
    >> > Can someone please explain what is the relation between the blaster worm
    >> > and the remote shutdown from the infected system?
    >>
    >> The RPC service fails due to the initial exploit. Windows is set to reboot
    >> by default on RPC failure because the system is so dependent on it, but you
    >> can change this behavior in the service properties dialog.
    >
    >
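
The offline edit described in the message above (disk attached to a clean machine, SYSTEM hive loaded, AutoReboot set to 0), shown as an added example that is not part of the original thread. The drive letter `E:`, the mount name `OfflineSys` and the `.bak` copy are assumptions made for illustration; the script backs up the hive first and resolves the control set from `Select\Current`, because `CurrentControlSet` is a link created at boot and is not present in a hive loaded offline.

```powershell
# Added example: set CrashControl\AutoReboot = 0 in an OFFLINE SYSTEM hive.
# Assumptions (not from the thread): the affected disk is mounted as E: on a
# clean machine, and 'OfflineSys' is an arbitrary name for the loaded hive.
# Run from an elevated prompt.
param(
    [string]$HivePath  = 'E:\Windows\System32\config\SYSTEM',
    [string]$MountName = 'OfflineSys'
)
$ErrorActionPreference = 'Stop'

# Keep an untouched copy so a bad edit cannot leave the disk unbootable.
Copy-Item -LiteralPath $HivePath -Destination "$HivePath.bak"

& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # An offline hive has no CurrentControlSet; Select\Current names the
    # control set (ControlSet001, ControlSet002, ...) the machine boots from.
    $current    = (Get-ItemProperty -Path "HKLM:\$MountName\Select").Current
    $controlSet = 'ControlSet{0:D3}' -f $current
    $key        = "HKLM:\$MountName\$controlSet\Control\CrashControl"

    $before = (Get-ItemProperty -Path $key -Name AutoReboot `
                   -ErrorAction SilentlyContinue).AutoReboot

    # REG_DWORD 0 turns off the automatic restart after a system failure.
    Set-ItemProperty -Path $key -Name AutoReboot -Value 0 -Type DWord

    $after = (Get-ItemProperty -Path $key -Name AutoReboot).AutoReboot
    '{0}: AutoReboot {1} -> {2}' -f $controlSet, $before, $after
}
finally {
    # The registry provider keeps handles open; release them, otherwise
    # 'reg unload' fails and the hive is not flushed and closed cleanly.
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; do not detach the disk until HKLM\$MountName is unloaded."
    }
}
```

Unloading the hive before the disk is detached, and keeping the `.bak` copy until the original machine boots, are the two checks that guard against the corrupt-hive outcome mentioned in the message.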
