
prana

join:2005-03-22
Australia

reply to redxii

Re: Windows MetaFiles still vulnerable

The exe file it downloads... cj.exe
Take this with a grain of salt; this is from a 5-minute disassembly and not detailed. I will do that later when I have more time, or leave it for the anti-virus companies.

The WMF exploit does not have a standard magic byte.

01 00 09 00 00 03 52 1F 00 00 06 00 3D 00 00 00 . ..R...=...
non standard magic byte of D7 CD C6 9A

The trojan file has two entry points, one for the DLL and one for the PE section. The PE entry point has the following characteristics:
Grabs local time.
Checks for Windows Internet connectivity.
Copies itself into multiple DLLs in System32: dvob.dll, oewrgm.dll, sh.dll, wqxk.dll.
Registers CLSID to run as a BHO.
Opens an FTP connection to 66.36.231.141 to download a file, with username user21 (FTP username:password user21:ma5gjdH5).
Adds the registry name for the classes below to
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Object

The following keys are added in the CLSID classes.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03c02f31-a63c-440a-ae37-ac9282f01af7}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67269857-3057-42f4-9233-f9c2abb59953}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{cde6d49d-a863-4d07-aec3-7d83b5ab7ce5}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8bda45f3-735e-4df8-90e9-2c68ed2567b6}\InProcServer32

Appends subkeys to the CLSIDs with a value named ThreadingModel set to "Apartment" for the DLLs.
Grabs filename of the exe file.
Creates mutex named "3094flcxvdf".

The FTP site!
C:\>ftp 66.36.231.141
Connected to 66.36.231.141.
220 sst
User (66.36.231.141:(none)): user21
331 Password required for user21.
Password:
230 User user logged in.
ftp> ls
200 Port command successful.
150 Opening data connection for directory list.
226 Transfer ok
ftp> pwd
257 "/" is current directory.
ftp> ls -la
200 Port command successful.
150 Opening data connection for directory list.
226 Transfer ok
ftp>

The following files are created in your system32 dir

dvob.dll
oewrgm.dll
wqxk.dll
sh.dll
in the particular sample I tested... which are copies of the trojan downloaded with a different filename for the alternative entry point of the binary

edited: some updated info
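The header bytes quoted above can be decoded mechanically. What follows is an added example, not code from this thread or from any of the posters: it classifies a file as placeable (Aldus key 0x9AC6CDD7, stored little-endian as the D7 CD C6 9A run named in the post) or standard (a bare 18-byte METAHEADER with no magic at all, which is what makes such files awkward to recognise by signature), decodes the METAHEADER fields from the 16 bytes in the post, and walks the record stream with bounds checks so a truncated or malformed sample is flagged during triage. The mtNoParameters word and the records following the quoted header are constructed for the demo.

```python
import struct

# Placeable (Aldus) header key 0x9AC6CDD7; little-endian on disk it is the byte
# run D7 CD C6 9A quoted in the post. A standard WMF has no key at all and
# starts directly with the 18-byte METAHEADER.
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_HDR_LEN = 22        # key(4) handle(2) bbox(8) inch(2) reserved(4) checksum(2)
METAHEADER_FMT = "<HHHIHIH"   # mtType mtHeaderSize mtVersion mtSize mtNoObjects mtMaxRecord mtNoParameters
META_EOF = 0x0000

def parse_wmf(data: bytes) -> dict:
    """Classify the file, decode METAHEADER and walk records; ValueError on structural faults."""
    placeable = len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY
    off = PLACEABLE_HDR_LEN if placeable else 0
    if len(data) < off + struct.calcsize(METAHEADER_FMT):
        raise ValueError("truncated METAHEADER")
    mt_type, hdr_size, version, size_w, n_obj, max_rec, _ = struct.unpack_from(METAHEADER_FMT, data, off)
    # mtType 1 = memory, 2 = disk; header is always 9 words; version 0x100 or 0x300
    if mt_type not in (1, 2) or hdr_size != 9 or version not in (0x100, 0x300):
        raise ValueError(f"implausible METAHEADER: type={mt_type} hdrsize={hdr_size} ver={version:#x}")
    records, pos = [], off + struct.calcsize(METAHEADER_FMT)
    while pos + 6 <= len(data):       # each record: DWORD size-in-words, WORD function, params
        rec_words, func = struct.unpack_from("<IH", data, pos)
        if rec_words < 3 or pos + rec_words * 2 > len(data):
            raise ValueError(f"record at {pos:#x} claims {rec_words} words, runs past end of file")
        records.append(func)
        pos += rec_words * 2
        if func == META_EOF:
            break
    if not records or records[-1] != META_EOF:
        raise ValueError("no META_EOF record; file is truncated or malformed")
    return {"placeable": placeable, "type": mt_type, "version": version, "size_words": size_w,
            "objects": n_obj, "max_record_words": max_rec, "records": records}

def is_well_formed(data: bytes) -> bool:
    try:
        parse_wmf(data)
        return True
    except ValueError:
        return False

# Constructed sample: the 16 header bytes quoted in the post, plus a constructed
# mtNoParameters word, one META_SETMAPMODE record (4 words) and META_EOF (3 words).
POST_HEADER = bytes.fromhex("010009000003521F000006003D000000")
SAMPLE = POST_HEADER + bytes.fromhex("0000") + bytes.fromhex("04000000" "0301" "0800") + bytes.fromhex("03000000" "0000")
# Same body wrapped in a placeable header (key plus zeroed fields, constructed)
PLACEABLE_SAMPLE = struct.pack("<I", PLACEABLE_KEY) + bytes(18) + SAMPLE

if __name__ == "__main__":
    print(parse_wmf(SAMPLE))
    print(parse_wmf(PLACEABLE_SAMPLE)["placeable"], is_well_formed(SAMPLE[:-4]))
```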


jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR

According to Sunbelt Blog: »sunbeltblog.blogspot.com/2005/12···ild.html

it's up to over 50 variants and counting now. More sites are popping up too. Earlier I had seen some guys who downloaded a different file.



redxii
Premium,Mod
join:2001-02-26
Sherwood, MI

said by jbob:

    it's up to over 50 variants and counting now. More sites are popping up too.

The number of websites seems bloated. There are many websites, but many more call out to a "master" website. You may get it from site 1, 2, 3, 4, and 5, but all those others get the exploit code from, say, site 4.
--
Open Source -> Close Minded

Microsoft Windows 2000/XP Security: Some Assembly Required.

Excessive use of "$" as in "M$" may make you look like a fool.

© 1999-2012 dslreports.com.