Why no alert on winmain.exe f/WG?

spy1 · #1 July 30th, 2003, 12:12 PM

Confused here.

When I d/l winmain.exe and then click on the exe, I get no alert from WG - why is that?

From the log:

FILE: C:\WINDOWS\SYSTEM32\notepad.exe
CLASS: Application
PARAMS:
FOLDER: C:\Documents and Settings\Pete Yevchak
FILE EXECUTION - 11:44:38 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Documents and Settings\Pete Yevchak\Desktop\winmain.zip
CLASS: WinZip File
PARAMS:
FOLDER: C:\Documents and Settings\Pete Yevchak\Desktop
FILE EXECUTION - 11:52:13 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Documents and Settings\Pete Yevchak\Local Settings\Temp\winmain.exe
PARAMS:
FOLDER:
FILE EXECUTION - 11:52:21 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Documents and Settings\Pete Yevchak\Desktop\winlog.zip
CLASS: WinZip File
PARAMS:
FOLDER: C:\Documents and Settings\Pete Yevchak\Desktop
FILE EXECUTION - 11:52:32 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Documents and Settings\Pete Yevchak\Desktop\winmain.zip
CLASS: WinZip File
PARAMS:
FOLDER: C:\Documents and Settings\Pete Yevchak\Desktop
FILE EXECUTION - 11:53:07 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\unzipped\winmain\winmain.exe
CLASS: Application
PARAMS:
FOLDER: C:\unzipped\winmain
FILE EXECUTION - 11:53:53 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Defensive Tools\WormGuard\wguard.exe
CLASS: Application
PARAMS:
FOLDER: C:\Defensive Tools\WormGuard
FILE EXECUTION - 11:55:06 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Defensive Tools\wguard.log
CLASS: Text Document
PARAMS:
FOLDER: C:\Defensive Tools
FILE EXECUTION - 11:55:44 07/30/2003 by user PETE YEVCHAK on computer COMPUTER

And, yes, I do have the dot in the button in front of "Display a messagebox regarding the block" activated .

Did the thing execute or not?

Why didn't I get an alert?

HTA is in the "Blocked Filetypes" Blocking Editor, "Deep-Search files" is checked and the "Test" button is telling me WG is working.

I didn't even get the question box from WG asking me what to do with the file

What gives?

Pete

DolfTraanberg · #2 July 30th, 2003, 12:32 PM

From what I have understood :winmain.exe starts MSHTA.EXE which enables any hta script to be executed.
So there is no hostile code in winmain.exe
Dolf

spy1 · #3 July 30th, 2003, 12:40 PM

Oh, yeah - right at the moment I have three instances of mshta.exe running!

lol!

Woe is me!

This isn't particularly striking me as being "protected" by WormGuard, guys. Pete

DolfTraanberg · #4 July 30th, 2003, 12:44 PM

hmm, have you tried to load that htanotepad.hta ?
Dolf

spy1 · #5 July 30th, 2003, 12:47 PM

Yeah. What was i supposed to have saved it as? An hta file? Or a text file? Pete

DolfTraanberg · #6 July 30th, 2003, 12:48 PM

yes : .hta

Dan Perez · #7 July 30th, 2003, 12:51 PM

Hey Pete,

I agree with Dolf, here. Though I have not studied this issue in any depth, I believe that all the WinMain does, as Dolf mentioned, is to ensure that MSHTA is up all the time and ready to handle any (perhaps dubious) request. WG is not intended to keep MSHTA disabled, or to warn when it starts but it *is* supposed to protect you from any hta scripts you encounter. Have you tried this? Given this issue, I would expect someone to set up a test page that would allow you to see if a test HTA sploit would get through your defenses. I don't know of any yet but it might be worthwhile to look for. (If you find one let us know!

)

Dan

spy1 · #8 July 30th, 2003, 12:55 PM

I think my file associations are all screwed up.

Would re-installing WG re-associate the files that are suppoedly being watched by WG with WG? Pete

DolfTraanberg · #9 July 30th, 2003, 12:59 PM

blocked list of WG

Dan Perez · #10 July 30th, 2003, 01:02 PM

mmmm, not sure if I understand you right. Regarding the OS file associations, WG is not involved at all (at least it isn't on my machine

) . The hook handles everything. Or did you mean something in the WG interface?

DolfTraanberg · #11 July 30th, 2003, 01:03 PM

Quote:

I don't know of any yet but it might be worthwhile to look for. (If you find one let us know! )

Dan look here
http://www.wilderssecurity.com/showt...76613#msg76613
it's supposed to be harmless
Dolf

Dan Perez · #12 July 30th, 2003, 01:13 PM

Lol, I haven't got that far down in the forum yet!

Awesome, Dolf! You get a karma cookie for that one!

Thanks

spy1 · #13 July 30th, 2003, 01:15 PM

The only way I could get WG to alarm on the htanotepad.hta file was to directly associate HTA files with the wormguard.exe

DolfTraanberg · #14 July 30th, 2003, 01:22 PM

no need to have a file assosiation.
You have Protection enabled in WG?
Seen screenshot above ?

Dan Perez · #15 July 30th, 2003, 01:22 PM

Something is wrong then, I just doublechecked my associations for HTA in particular and it is associated normally with mshta; yet if I run the hta file that Dolf provided I get the WG raspberry.

Are you sure you have .hta listed in the "Blocked File Types" list in WG? If so, maybe a reinstall of WG is warranted then

spy1 · #16 July 30th, 2003, 01:46 PM

Yes, HTA is listed (read my post up yonder).

Directly associating HTA with the WG exe was also the only way I could get WG to alert on the "OpenPorts.hta" file that Jason Levine put up on the DSLR thread, here: http://www.dslreports.com/forum/rema...e=flat;start=0

spy1 · #17 July 30th, 2003, 01:49 PM

Of course, that brings up the question - why - even though WG blocked it - wasn't i given the opportunity to tell WG what to do with the file?

I am the administrator and running in my own profile.

Crap. Pete

Dan Perez · #18 July 30th, 2003, 01:58 PM

Anything you have listed in the Blocked section is blocked outright with no mediation. If you remove the .hta extention from the blocked list the normal WG protection is still evident. For instance, after removing .hta from my blocked file list I doubleclicked on the .hta file and got this warning from WG

Risk Assessment: Medium

*> Script Analysis: Security risks detected.
WormGuard Script Analysis:

> Access to .hta file(s)
> Accesses the file system.
> Opens text file(s) for reading.
> Writes data to file(s).
> Creates text file(s).

followed by the body of the script.

Since whatever is hindering the proper blocking of hta is probably impacting the other "blocked" settings I would recommend that you de-activate protection, uninstall and then reinstall and re-activate.

DolfTraanberg · #19 July 30th, 2003, 02:10 PM

You CAN have a choice!

From the WG Helpfile:

Quote:

Filetype-blocking allows you to completely disallow certain filetypes from being able to run on your system. As an example, if you don't have a need for VBS scripts, you may want to add .VBS to the blocked filetype list to prevent any accidents from happening in the future. By default, WormGuard will block .VBE, .JSE, .SHS and .SHA files. If you have a use for these files (most don't), you can easily remove the blocks by selecting the filetype and clicking the Remove button. Any filetypes may be blocked except for the primary executables - .EXE and .COM.

DolfTraanberg · #20 July 30th, 2003, 02:38 PM

Quote:

quoting: spy1 link=board=6;threadid=11878;start=15#msg76654 date=1059587378]
Crap.

Looks familiar ??

TonyKlein · #21 July 30th, 2003, 02:39 PM

Quote:

quoting: Dollefie link=board=6;threadid=11878;start=0#msg76630 date=1059582753]
From what I have understood :winmain.exe starts MSHTA.EXE which enables any hta script to be executed.
So there is no hostile code in winmain.exe
Dolf

More exactly, this particular winmain.exe starts MSHTA.EXE which calls a c:\winlog.html file.

Dan Perez · #22 July 30th, 2003, 02:40 PM

ROFL

DolfTraanberg · #23 July 30th, 2003, 03:08 PM

Quote:

quoting: TonyKlein link=board=6;threadid=11878;start=15#msg76659 date=1059590389]
More exactly, this particular winmain.exe starts MSHTA.EXE which calls a c:\win.html file.

Thanks for the explanation Tony
What does win.html do ?
Dolf

TonyKlein · #24 July 30th, 2003, 03:21 PM

Well, that's the $10,000 question, really.

It's heavily coded.

However, here's some interesting info Spywareinfo's mjc found in the decoded file:

Quote:

Here is some mighty interesting info.........

193.125.201.54 this is the website in the decoded htm file.....

Belongs to one Mr Sergeev

person: Maxim V. Sergeev
address: CJSC Quantum
address: 21 n.r. Smolenka
address: Saint-Petersburg
address: Russia
phone: +7 812 327-6131
phone: +7 812 321-8801
phone: +7 812 321-8860
fax-no: +7 812 327-6131
e-mail: admin@quantum.ru
nic-hdl: MVS31-RIPE
notify: admin@quantum.ru
changed: admin@quantum.ru 19990327
source: RIPE

193.125.201.50 one of the cws hijack family.......

person: Maxim V. Sergeev
address: CJSC Quantum
address: 21 n.r. Smolenka
address: Saint-Petersburg
address: Russia
phone: +7 812 327-6131
phone: +7 812 321-8801
phone: +7 812 321-8860
fax-no: +7 812 327-6131
e-mail: admin@quantum.ru
nic-hdl: MVS31-RIPE
notify: admin@quantum.ru
changed: admin@quantum.ru 19990327
source: RIPE

Ummmmmmmm....pass the tinfoil, Pieter.....

Although, this seems a little odd....

Domain name: MYSEARCHNOW.COM

Administrative Contact:

Live, Media webmaster@lop.com
Unit 12
571 Finchley Road
Hampstead
London, NW3 7BN
UK
+ 44 7817 130 743

This one is interesting........

Technical Contact, Zone Contact:

<a href="http://white-pages.com">Buy This Domain</a>
RN, WebReg
4200 Wisconsin Ave NW
Washington, DC 20016-2143
US
202-478-0990
202-478-0990 [fax]
brokerage@buydomains.com

hmmm.......

Registrant:

Asher Nahmias
TA-DOAR: 2273
Ashdod, il 77122
IL

Registrar: DOTSTER
Domain Name: JETSEEKER.COM
Created on: 26-NOV-02
Expires on: 26-NOV-04
Last Updated on: 01-JUL-03

DolfTraanberg · #25 July 30th, 2003, 03:41 PM

Well, looks like a nice job for Ethereal, if I ever get my hands on those files....

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search