Re: netbuie.exe, and

From: Nick FitzGerald (
Date: 05/08/02

Date: Wed, 08 May 2002 13:19:27 +1200
From: Nick FitzGerald <>

"Edwards, David (JTS)" <> wrote:

> We've just found some instances of "netbuie.exe" running in some terminal
> server sessions here. The file was written to the Winnt\system32 directory
> about 6:00pm on Sunday and registry entries made in:
> HKLM/Software\Microsoft\windows\current version\run
> HKLM/Software\Microsoft\windows\run

First, why do non-admin users even have write access to these keys?

If they don't, you clearly need to revise your site's judgments about
who is worthy of having admin (equivalent) passwords.

> It seems to be a Vb 5 PE that hits on two web sites, and
> when run. Possibly just generating revenue for
> some bod somewhere.

It wouldn't be the first...

> Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k Server
> patches missing and 2 IE6.
> This sounded familiar (when I first saw it) but I haven't been able to find
> any other references so I thought I'd make one :-) The worry is (of
> course) that the server is further compromised. Anyone seen this before?

Can't help you on the likely entry point, but given that non-admin
users can change crucial registry key contents or that some of your
admins are incompetent, I'm not sure that compromise via open
security vulnerabilities is the most obvious path of entry...

Anyway, aside from resolving how it got on your machines, please send
samples to your preferred antivirus developers. If this thing is
being actively spread (regardless of how) getting detection of it
into virus scanners is the best technique to reduce its continued
spread. To save you digging them out, here are the sample submission
addresses of the better-known AV developers:

   Command Software <>
   Computer Associates (US) <>
   Computer Associates (Vet/EZ) <>
   DialogueScience (Dr. Web) <>
   Eset (NOD32) <>
   F-Secure Corp. <>
   Frisk Software (F-PROT) <>
   Grisoft (AVG) <>
   Kaspersky Labs <>
   Network Associates (McAfee) <>
   Norman (NVC) <>
   Sophos Plc. <>
   Symantec (Norton) <>
   Trend Micro (PC-cillin) <>
     (Trend may only accept files from registered users of its

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: