Re: Virus? - Disable .EXE, .COM, .LNK and group policy.
From: cquirke (MVP Windows shell/user) (cquirkenews_at_nospam.mvps.org)
Date: 05/27/05
- Next message: Joan Archer: "Re: Warning"
- Previous message: Emyeu: "Warning"
- In reply to: Zvi Netiv: "Re: Virus? - Disable .EXE, .COM, .LNK and group policy."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 27 May 2005 12:08:56 +0200
On Thu, 26 May 2005 18:24:08 +0300, Zvi Netiv
>"Brian Hoyt" <hoyty@hoyty.com> wrote:
>Run www.invircible.com/download/fix_exe.reg. It's a registry merge file that
>fixes the "shell open" command associations that are stolen by many malware.
Something like this?
<paste>
REGEDIT4
[HKEY_CLASSES_ROOT\.bat]
@="batfile"
[HKEY_CLASSES_ROOT\.com]
@="comfile"
[HKEY_CLASSES_ROOT\.exe]
"Content Type"="application/x-msdownload"
@="exefile"
[HKEY_CLASSES_ROOT\batfile\shell\open]
@=""
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open]
@=""
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open]
@=""
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
;; > Set up your own private executable "fire escape" here,
;; replacing "xyz" with your desired extension
; [HKEY_CLASSES_ROOT\.xyz]
; "Content Type"="application/x-msdownload"
; @="privateexec"
; [HKEY_CLASSES_ROOT\privateexec\shell\open]
; @=""
; "EditFlags"=hex:00,00,00,00
; [HKEY_CLASSES_ROOT\privateexec\shell\open\command]
; @="\"%1\" %*"
;; <
</paste>
>stubborn cases, you will have to run the merge file in safe mode *with command
>prompt* to regain control of your utilities, which will let you find out how that
>malware initializes. Which is what you are after.
You may have to do some more dancing, such as renaming REGEDIT.EXE to
something else, if .EXE is mis-associated and/or the name is blocked.
If Regedit.exe is blocked at a deeper level, you may have to operate
from outside the infected OS altogether.
Creating a private executable extension is one tactic to bypass HKCR
attacks, in that you can run a renamed Regedit.xyz file in such cases.
You can combine these things...
- redirected standard .ext
- renamed engine executables
- private .ext
...to "privatize" risky functionalities, in such cases. Beware of
subsystem updates, patches, and SFP, as these can undermine your
efforts by re-exposing the dangerous functionality.
For example, in Win98SE and older, this is easy:
- .vbs etc. -> textfile -> Notepad
- Ren WScript.exe WSPriv.exe from DOS mode
- Ren CScript.exe CSPriv.exe from DOS mode
- .wyx -> privatescript -> WSPriv.exe
- .cyx -> privatescript -> CSPriv.exe
Now you can use .wyx and .cyx files as stand-alone scripts, but
dropped stand-alone script files will come up in Notepad for scrutiny.
You can try the same tactic to privatize .REG and Regedit, but as
there are other ways to the registry, don't expect to be bulletproof.
>---------- ----- ---- --- -- - - - -
Gone to bloggery: http://cquirke.blogspot.com
>---------- ----- ---- --- -- - - - -
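An added example (my own, not part of cquirke's or Zvi Netiv's posts): a small Python checker that parses a REGEDIT4-style text export of HKCR (the kind regedit or fix_exe.reg uses) and reports whether each of the exefile/comfile/batfile shell\open\command defaults is still the canonical "%1" %* that the merge file above restores. The sample export and the hijack path in it are constructed placeholders, not real indicators.

```python
import re

# Constructed REGEDIT4 export (placeholder data, not from a real machine):
# batfile is intact, exefile has been redirected through another program,
# comfile has no shell\open\command key at all.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\PLACEHOLDER\\hijack.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open]
@=""
"EditFlags"=hex:00,00,00,00
'''

EXPECTED = '"%1" %*'                      # canonical default for these progids
PROGIDS = ("exefile", "comfile", "batfile")

def unescape_reg_string(s):
    # .reg quoted strings escape backslash and double-quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key_path: {value_name: data}} from a REGEDIT4/5 text export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT") \
                or line.startswith("Windows Registry Editor"):
            continue                      # blank, comment or file header
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape_reg_string(m.group(2))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = unescape_reg_string(data[1:-1])   # REG_SZ; hex: etc. kept raw
            keys[current][name] = data
    return keys

def audit_open_commands(text):
    """Map each progid to 'ok', 'missing', or 'hijacked: <actual command>'."""
    keys, report = parse_reg(text), {}
    for progid in PROGIDS:
        data = keys.get(rf"HKEY_CLASSES_ROOT\{progid}\shell\open\command", {}).get("@")
        report[progid] = "missing" if data is None else \
            "ok" if data == EXPECTED else "hijacked: " + data
    return report
```

Run it against an export of HKEY_CLASSES_ROOT taken from the suspect machine; anything other than "ok" is what fix_exe.reg exists to put back.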