Re: Is it really true that NTFS is secure?

From: B. Goodman (no@spam.org)
Date: 12/16/02


From: B. Goodman <no@spam.org>
Date: Mon, 16 Dec 2002 14:29:43 -0500

In article <On9tyFTpCHA.1236@TK2MSFTNGP12>, hesterloli@hotmail.com
says...
> This is why I hate these Anti Virus Programs. It's because they use a
> minimum of test to determine if a machine is infected. Case in point.
>
> I had an issue that something called TaskReg which was a string and
> called an executable w32com.exe. This file was in
> %SystemRoot%\System32. I removed that file AND put a login\logout
> shutdown\startup script so that TaskReg got written to the Run key in
> HKLM without any value.
>
> I just did a test. Sure enough, with this empty string the AV is telling
> me I am infected with the Malware BKDR_TASKREG.A
>
> Now this is a bunch of hokum. This tells me that all I would have to do
> is pick any virus on Earth that is known to write an entry to the HKLM
> Run key, put the entry in as an empty string, and AV software is going to
> tell me I am infected with that virus. And then tell me I have been
> cleaned because they removed that entry. Come on. Hokum crap.
>
> I am finding not a damn thing in this machine. Nothing. I looked
> through all the services that load at boot; nothing out of the ordinary.
> There are some services that are starting that are not Microsoft
> Services but these are from respectable companies. At least I think
> they are.
>
> It is the Administrator account that is enabling the user Guest. I see
> it in my Event Logs. First IUSR_MachineName signs on. Then about 3
> minutes later Administrator re-enables the User Guest. Changes the
> password too. Then sometimes adds this user to the Administrator Group.
> Then IUSR_MachineName logs off. Now for all I know this logon by
> IUSR_MachineName could be me testing my site. Also this changing of the
> User Guest account will occur many times. As if doing it once is not
> enough.
>
> I am not sure what I am going to do to stop this. When I ran Windows
> 2000 Server SP2 I NEVER had this issue. NEVER. And it seems to me if
> this was an "infection" this would have appeared on the NET long ago.
> Distraught.
>
> --
> George Hester
> __________________________________
> "B. Goodman" <no@spam.org> wrote in message
> news:MPG.1867beebaa02566f9896d3@msnews.microsoft.com...
> > In article <u5dL92toCHA.1888@TK2MSFTNGP09>, hesterloli@hotmail.com
> > says...
> > > "Lock Forever" How? I see it in minutes. Forever is quite a few
> > > minutes. This also looks like lockout will be true for all Accounts.
> > >
OK, this may be WAY obvious, and you've probably already checked, but
have you looked at the Run registry key for HKCU when you are logged in
as the admin account that is causing this issue? It seems difficult to
believe that nobody else has reported this behavior, so it still seems
likely to be malware.

I once proved this point to one of our security experts on his test LAN.
I used my "restricted user" account to put a small program into a TEMP
directory and write a key to the HKLM Run key (which hadn't been locked
out!). It would run for every user who logged in. It would test to see
if the user logging in was a domain admin. If not, it would simply
exit. If he was an admin, it would copy itself to c:\winnt under the
name of w32tm.exe. It would add my restricted user account to "Domain
Admins". It would unlock the account if locked out. It then removed
itself from HKLM Run and added itself to HKCU Run. Because it was named
w32tm.exe, even if noticed in the Run key, it wouldn't immediately
attract attention among all the other items that start from there.
Antivirus software ignored it. Once I showed him I had gained admin
rights in his lab, it didn't take him long to find it, but I think that
was mainly because I showed him I had those rights.

You might want to verify EVERY executable in HKCU Run, HKLM Run,
Startup, etc. to be sure it is still the correct program.
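The check in that last paragraph, verifying every autostart entry, as an added PowerShell example; this is not code from the thread or from either poster. It assumes PowerShell 5.1 or later on a current Windows build, covers only the common Run/RunOnce keys and the two Startup folders (not every autostart location Windows has), and the heuristics it applies are my own choice: Authenticode status, a target outside %SystemRoot% or Program Files, an empty value, and a System32 executable's name used from some other directory, which is exactly the w32tm.exe-in-C:\winnt trick described above.

```powershell
# Added example, not code from the original thread. Enumerates Run/RunOnce keys and
# Startup folders, resolves each entry to an executable, and flags suspicious ones.
# Assumptions: PowerShell 5.1+ on Windows; key list is the common set, not complete;
# the flag heuristics are the editor's, not a vendor rule set.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$SystemRoot   = $env:SystemRoot
$TrustedRoots = @($SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
# Names of the real System32 executables, so a copy of w32tm.exe in %SystemRoot% stands out
$System32Names = Get-ChildItem "$SystemRoot\System32" -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Name.ToLowerInvariant() }

# Turn a Run-key value such as  "C:\Tools\foo.exe" /q  or  %TEMP%\x.exe -s  into a file path
function Resolve-CommandPath {
    param([string]$CommandLine)
    $cmd = "$CommandLine".Trim()
    if ($cmd -eq '') { return $null }
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { $cmd = $cmd.Substring(1, $end - 1) }
    } else {
        $m = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')   # first token ending in .exe
        $cmd = if ($m.Success) { $m.Groups[1].Value } else { ($cmd -split '\s+')[0] }
    }
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
    if (Test-Path -LiteralPath $cmd -PathType Leaf) { return (Resolve-Path -LiteralPath $cmd).Path }
    # Bare name: let the PATH search find it, the same way the loader would
    $found = Get-Command $cmd -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($found) { return $found.Path }
    return $null
}

function Test-AutostartEntry {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $flags = @()
    $path  = Resolve-CommandPath $CommandLine
    if ([string]::IsNullOrWhiteSpace($CommandLine)) {
        $flags += 'empty value'
    } elseif (-not $path) {
        $flags += 'target not found'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
        $trusted = $false
        foreach ($root in $TrustedRoots) {
            if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }
        if (-not $trusted) { $flags += 'outside SystemRoot/Program Files' }
        $leaf = [IO.Path]::GetFileName($path).ToLowerInvariant()
        $inSystem32 = $path.StartsWith("$SystemRoot\System32\", [StringComparison]::OrdinalIgnoreCase)
        if (($System32Names -contains $leaf) -and -not $inSystem32) {
            $flags += "named like System32\$leaf but lives elsewhere"
        }
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Path = $path; Flags = ($flags -join '; ') }
}

function Get-AutostartReport {
    $results = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($valueName in $item.GetValueNames()) {
            # Keep %VAR% unexpanded here so the report shows what is actually stored
            $raw = [string]$item.GetValue($valueName, '', 'DoNotExpandEnvironmentNames')
            $results += Test-AutostartEntry -Source $key -Name $valueName -CommandLine $raw
        }
    }
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $StartupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -File) {
            # Startup folders usually hold .lnk shortcuts; resolve them to their target
            $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
            $results += Test-AutostartEntry -Source $dir -Name $f.Name -CommandLine $target
        }
    }
    $results
}

# Flagged entries first, then the rest, so the review list is at the top
Get-AutostartReport | Sort-Object { $_.Flags -eq '' }, Source | Format-Table -AutoSize -Wrap
```

HKCU: is the hive of whoever runs the script, so to see what the post asks about, run it logged in as the admin account in question (or walk HKU:\<SID> for the other profiles). Treat the flags as a review list rather than a verdict: older third-party binaries are often simply NotSigned, and an entry that resolves cleanly can still be a replaced file, so compare the hash of anything you care about against a known-good copy of the same version.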
