Why no alert on winmain.exe f/WG?


spy1
July 30th, 2003, 12:12 PM
Confused here.

When I d/l winmain.exe and then click on the exe, I get no alert from WG - why is that?

From the log:

FILE: C:\WINDOWS\SYSTEM32\notepad.exe
CLASS: Application
PARAMS:
FOLDER: C:\Documents and Settings\Pete Yevchak
FILE EXECUTION - 11:44:38 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Documents and Settings\Pete Yevchak\Desktop\winmain.zip
CLASS: WinZip File
PARAMS:
FOLDER: C:\Documents and Settings\Pete Yevchak\Desktop
FILE EXECUTION - 11:52:13 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Documents and Settings\Pete Yevchak\Local Settings\Temp\winmain.exe
PARAMS:
FOLDER:
FILE EXECUTION - 11:52:21 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Documents and Settings\Pete Yevchak\Desktop\winlog.zip
CLASS: WinZip File
PARAMS:
FOLDER: C:\Documents and Settings\Pete Yevchak\Desktop
FILE EXECUTION - 11:52:32 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Documents and Settings\Pete Yevchak\Desktop\winmain.zip
CLASS: WinZip File
PARAMS:
FOLDER: C:\Documents and Settings\Pete Yevchak\Desktop
FILE EXECUTION - 11:53:07 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\unzipped\winmain\winmain.exe
CLASS: Application
PARAMS:
FOLDER: C:\unzipped\winmain
FILE EXECUTION - 11:53:53 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Defensive Tools\WormGuard\wguard.exe
CLASS: Application
PARAMS:
FOLDER: C:\Defensive Tools\WormGuard
FILE EXECUTION - 11:55:06 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Defensive Tools\wguard.log
CLASS: Text Document
PARAMS:
FOLDER: C:\Defensive Tools
FILE EXECUTION - 11:55:44 07/30/2003 by user PETE YEVCHAK on computer COMPUTER

And, yes, I do have the dot in the button in front of "Display a messagebox regarding the block" activated.

Did the thing execute or not?

Why didn't I get an alert?

HTA is in the "Blocked Filetypes" Blocking Editor, "Deep-Search files" is checked and the "Test" button is telling me WG is working.

I didn't even get the question box from WG asking me what to do with the file???

What gives?

Pete

DolfTraanberg
July 30th, 2003, 12:32 PM
From what I have understood: winmain.exe starts MSHTA.EXE, which enables any hta script to be executed.
So there is no hostile code in winmain.exe
Dolf

spy1
July 30th, 2003, 12:40 PM
Oh, yeah - right at the moment I have three instances of mshta.exe running!

lol!

Woe is me!

This isn't particularly striking me as being "protected" by WormGuard, guys. Pete

DolfTraanberg
July 30th, 2003, 12:44 PM
hmm, have you tried to load that htanotepad.hta?
Dolf

spy1
July 30th, 2003, 12:47 PM
Yeah. What was I supposed to have saved it as? An hta file? Or a text file? Pete

DolfTraanberg
July 30th, 2003, 12:48 PM
yes: .hta

Dan Perez
July 30th, 2003, 12:51 PM
Hey Pete,

I agree with Dolf, here. Though I have not studied this issue in any depth, I believe that all the WinMain does, as Dolf mentioned, is to ensure that MSHTA is up all the time and ready to handle any (perhaps dubious) request. WG is not intended to keep MSHTA disabled, or to warn when it starts but it *is* supposed to protect you from any hta scripts you encounter. Have you tried this? Given this issue, I would expect someone to set up a test page that would allow you to see if a test HTA sploit would get through your defenses. I don't know of any yet but it might be worthwhile to look for. (If you find one let us know! :) )

Dan

spy1
July 30th, 2003, 12:55 PM
I think my file associations are all screwed up.

Would re-installing WG re-associate the files that are supposedly being watched by WG with WG? Pete

DolfTraanberg
July 30th, 2003, 12:59 PM
blocked list of WG

Dan Perez
July 30th, 2003, 01:02 PM
mmmm, not sure if I understand you right. Regarding the OS file associations, WG is not involved at all (at least it isn't on my machine :o :D). The hook handles everything. Or did you mean something in the WG interface?

DolfTraanberg
July 30th, 2003, 01:03 PM
> I don't know of any yet but it might be worthwhile to look for. (If you find one let us know! )
Dan look here
http://www.wilderssecurity.com/showthread.php?t=11852;start=msg76613#msg76613
it's supposed to be harmless
Dolf

Dan Perez
July 30th, 2003, 01:13 PM
Lol, I haven't got that far down in the forum yet!

Awesome, Dolf! You get a karma cookie for that one!

Thanks

spy1
July 30th, 2003, 01:15 PM
The only way I could get WG to alarm on the htanotepad.hta file was to directly associate HTA files with the wormguard.exe

DolfTraanberg
July 30th, 2003, 01:22 PM
no need to have a file association.
You have Protection enabled in WG?
Seen screenshot above?

Dan Perez
July 30th, 2003, 01:22 PM
Something is wrong then. I just double-checked my associations for HTA in particular and it is associated normally with mshta; yet if I run the hta file that Dolf provided I get the WG raspberry.

Are you sure you have .hta listed in the "Blocked File Types" list in WG? If so, maybe a reinstall of WG is warranted then ???

spy1
July 30th, 2003, 01:46 PM
Yes, HTA is listed (read my post up yonder).

Directly associating HTA with the WG exe was also the only way I could get WG to alert on the "OpenPorts.hta" file that Jason Levine put up on the DSLR thread, here: http://www.dslreports.com/forum/remark,7532389~root=security,1~mode=flat;start=0

spy1
July 30th, 2003, 01:49 PM
Of course, that brings up the question - why - even though WG blocked it - wasn't I given the opportunity to tell WG what to do with the file?

I am the administrator and running in my own profile.

Crap. Pete

Dan Perez
July 30th, 2003, 01:58 PM
Anything you have listed in the Blocked section is blocked outright with no mediation. If you remove the .hta extension from the blocked list the normal WG protection is still evident. For instance, after removing .hta from my blocked file list I double-clicked on the .hta file and got this warning from WG

Risk Assessment: Medium

*> Script Analysis: Security risks detected.
WormGuard Script Analysis:

> Access to .hta file(s)
> Accesses the file system.
> Opens text file(s) for reading.
> Writes data to file(s).
> Creates text file(s).

followed by the body of the script.

Since whatever is hindering the proper blocking of hta is probably impacting the other "blocked" settings I would recommend that you de-activate protection, uninstall and then reinstall and re-activate.

DolfTraanberg
July 30th, 2003, 02:10 PM
You CAN have a choice!

From the WG Helpfile:
> Filetype-blocking allows you to completely disallow certain filetypes from being able to run on your system. As an example, if you don't have a need for VBS scripts, you may want to add .VBS to the blocked filetype list to prevent any accidents from happening in the future. By default, WormGuard will block .VBE, .JSE, .SHS and .SHA files. If you have a use for these files (most don't), you can easily remove the blocks by selecting the filetype and clicking the Remove button. Any filetypes may be blocked except for the primary executables - .EXE and .COM.

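The two posts above describe how WormGuard treats a file by its extension: anything on the Blocked list is refused outright with no prompt, .EXE and .COM can never be filetype-blocked (which is why winmain.exe runs without a word), and a script type that is not blocked gets the risk-assessment prompt instead. The script below is an added example, not WormGuard's code and not from any poster in this thread. It parses log entries laid out like the wguard.log excerpt at the top of the thread and applies that policy to each execution; the policy itself, the SCRIPT_TYPES set, the sample log (a cut-down copy of the thread's entries plus a constructed htanotepad.hta entry) and the Temp-directory flag are assumptions made for the example.

```python
"""Parse WormGuard-style file-execution log entries and apply a filetype policy.

Constructed example. The entry layout (FILE / CLASS / PARAMS / FOLDER /
FILE EXECUTION blocks separated by '---') follows the wguard.log excerpt in
the thread. The policy is an assumption modelled on the quoted help text:
blocked filetypes are refused outright, .EXE/.COM cannot be filetype-blocked,
and script types that are not blocked go to script analysis instead.
"""
import ntpath  # Windows path handling that also works when run on Linux/macOS
import re
from datetime import datetime

# Default blocked list from the quoted help text, plus .hta as added in the thread.
DEFAULT_BLOCKED = {".vbe", ".jse", ".shs", ".sha"}
USER_BLOCKED = DEFAULT_BLOCKED | {".hta"}
# The help text says the primary executables cannot be filetype-blocked.
UNBLOCKABLE = {".exe", ".com"}
# Script types that get the risk-assessment prompt when not blocked (assumed set).
SCRIPT_TYPES = {".hta", ".vbs", ".js", ".wsf"}

EXEC_RE = re.compile(
    r"FILE EXECUTION - (\d\d:\d\d:\d\d) (\d\d/\d\d/\d{4}) by user (.+?) on computer (.+)$"
)

# Constructed sample: three entries in the thread's log layout. The .hta entry is
# invented for the example; the thread's log does not contain it.
SAMPLE_LOG = r"""FILE: C:\WINDOWS\SYSTEM32\notepad.exe
CLASS: Application
PARAMS:
FOLDER: C:\Documents and Settings\Pete Yevchak
FILE EXECUTION - 11:44:38 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Documents and Settings\Pete Yevchak\Local Settings\Temp\winmain.exe
PARAMS:
FOLDER:
FILE EXECUTION - 11:52:21 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\unzipped\winmain\htanotepad.hta
CLASS: HTML Application
PARAMS:
FOLDER: C:\unzipped\winmain
FILE EXECUTION - 11:54:10 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
"""


def parse_log(text):
    """Split the log on '---' and turn each entry into a dict of its fields."""
    entries = []
    for block in text.strip().split("---"):
        entry = {}
        for line in block.strip().splitlines():
            m = EXEC_RE.match(line.strip())
            if m:  # the execution line carries time, date, user and host
                entry["time"] = datetime.strptime(
                    f"{m.group(2)} {m.group(1)}", "%m/%d/%Y %H:%M:%S"
                )
                entry["user"] = m.group(3)
                entry["computer"] = m.group(4)
                continue
            key, _, value = line.partition(":")  # split at the first colon only
            entry[key.strip().lower()] = value.strip()
        if "file" in entry:
            entries.append(entry)
    return entries


def classify(entry, blocked=USER_BLOCKED):
    """Apply the filetype policy: blocked list first, then the .EXE/.COM exception."""
    ext = ntpath.splitext(entry["file"])[1].lower()
    if ext in blocked:
        return "blocked outright (filetype on blocked list, no prompt)"
    if ext in UNBLOCKABLE:
        return "runs: .EXE/.COM cannot be filetype-blocked"
    if ext in SCRIPT_TYPES:
        return "script analysis (risk assessment shown to user)"
    return "not a script type: runs without a prompt"


def flags(entry):
    """Defender-side observations the filetype policy alone does not surface."""
    out = []
    folder = entry.get("folder") or ntpath.dirname(entry["file"])
    if "\\temp" in folder.lower():
        out.append("launched from a Temp directory")
    if not entry.get("class"):
        out.append("CLASS field empty (worth checking the extension's association)")
    return out


def report(text, blocked=USER_BLOCKED):
    """One row per execution: time, path, policy verdict and any flags."""
    return [
        {
            "time": e["time"].strftime("%H:%M:%S"),
            "file": e["file"],
            "verdict": classify(e, blocked),
            "flags": flags(e),
        }
        for e in parse_log(text)
    ]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(f'{row["time"]}  {row["file"]}')
        print(f'    {row["verdict"]}')
        for f in row["flags"]:
            print(f"    flag: {f}")
```

Run against the sample, the winmain.exe entry comes out as "runs" with two flags (Temp directory, empty CLASS), which is the situation spy1 describes: nothing in the filetype policy can stop an .exe, so the only signal is where it ran from. Passing blocked=DEFAULT_BLOCKED shows the .hta entry moving from "blocked outright" to "script analysis", the difference Dan Perez saw after removing .hta from his list.
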
DolfTraanberg
July 30th, 2003, 02:38 PM
Quoting spy1:
> Crap.

Looks familiar??

TonyKlein
July 30th, 2003, 02:39 PM
Quoting Dollefie:
> From what I have understood :winmain.exe starts MSHTA.EXE which enables any hta script to be executed.
> So there is no hostile code in winmain.exe
> Dolf

More exactly, this particular winmain.exe starts MSHTA.EXE which calls a c:\winlog.html file.

Dan Perez
July 30th, 2003, 02:40 PM
ROFL ;D ;D

DolfTraanberg
July 30th, 2003, 03:08 PM
Quoting TonyKlein:
> More exactly, this particular winmain.exe starts MSHTA.EXE which calls a c:\win.html file.

Thanks for the explanation, Tony.
What does win.html do?
Dolf

TonyKlein
July 30th, 2003, 03:21 PM
Well, that's the $10,000 question, really.

It's heavily coded.

However, here's some interesting info Spywareinfo's mjc found in the decoded file:

> Here is some mighty interesting info.........
>
> 193.125.201.54 this is the website in the decoded htm file.....
>
> Belongs to one Mr Sergeev
>
> person: Maxim V. Sergeev
> address: CJSC Quantum
> address: 21 n.r. Smolenka
> address: Saint-Petersburg
> address: Russia
> phone: +7 812 327-6131
> phone: +7 812 321-8801
> phone: +7 812 321-8860
> fax-no: +7 812 327-6131
> e-mail: admin@quantum.ru
> nic-hdl: MVS31-RIPE
> notify: admin@quantum.ru
> changed: admin@quantum.ru 19990327
> source: RIPE
>
>
> 193.125.201.50 one of the cws hijack family.......
>
> person: Maxim V. Sergeev
> address: CJSC Quantum
> address: 21 n.r. Smolenka
> address: Saint-Petersburg
> address: Russia
> phone: +7 812 327-6131
> phone: +7 812 321-8801
> phone: +7 812 321-8860
> fax-no: +7 812 327-6131
> e-mail: admin@quantum.ru
> nic-hdl: MVS31-RIPE
> notify: admin@quantum.ru
> changed: admin@quantum.ru 19990327
> source: RIPE
>
>
> Ummmmmmmm....pass the tinfoil, Pieter.....
>
> Although, this seems a little odd....
>
> Domain name: MYSEARCHNOW.COM
>
>
> Administrative Contact:
>
> Live, Media webmaster@lop.com
> Unit 12
> 571 Finchley Road
> Hampstead
> London, NW3 7BN
> UK
> + 44 7817 130 743
>
>
> This one is interesting........
>
> Technical Contact, Zone Contact:
>
> Buy This Domain (http://white-pages.com)
> RN, WebReg
> 4200 Wisconsin Ave NW
> Washington, DC 20016-2143
> US
> 202-478-0990
> 202-478-0990 [fax]
> brokerage@buydomains.com
>
> hmmm.......
>
> Registrant:
>
> Asher Nahmias
> TA-DOAR: 2273
> Ashdod, il 77122
> IL
>
>
> Registrar: DOTSTER
> Domain Name: JETSEEKER.COM
> Created on: 26-NOV-02
> Expires on: 26-NOV-04
> Last Updated on: 01-JUL-03

DolfTraanberg
July 30th, 2003, 03:41 PM
Well, looks like a nice job for Ethereal, if I ever get my hands on those files....