Comments - Suggestions Plz

Discussion in 'WormGuard' started by C05, Jan 12, 2004.

Thread Status:
Not open for further replies.
  1. C05

    C05 Registered Member

    Joined:
    Jan 11, 2004
    Posts:
    5
    First, I hope I'm doing this in the right forum and not having a need to double post in the Nod Forum as well.

    OK. I am running WormGuard (Demo) and TDS-3 (Demo) with purchased Nod32.

    I also opted to run DiamondCS RegProt today.

    Well, not good - I actually had an HKEY ROOT file

    HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command\ pop up in RegProt.

    Now I'm somewhat concerned by this, as my understanding is WormGuard was supposed to have caught this, as it is a worm, or at least classified as a worm by Symantec back in 2002.

    Also, because I'm running Nod32, I was under the impression that this worm should have been caught in the scan. My settings are deep / all files / and I set the heuristics to maximum, running both IMON and AMON.

    I'm not passing judgement yet, as this could be a case of operator error. So I'm looking for some guidance and assistance from those a bit wiser than me when dealing with these issues.

    First off, how did it come in - friend - family - email? As I check the registry it shows it listed in \Software\Microsoft\InternetExplorer\ExplorerBars\

    Something called win32.pops.

    Looking forward to the help.

    Thanks
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi C05,

    The information you provided doesn't seem totally complete. First of all, you listed the registry key "HKEY_CLASSES_ROOT \ VBSFile \ Shell \ Open \ Command \", which is a valid key to be present in the registry. The issue may well be what is defined in it, not that it exists. The image below is from Regedit on my XP system, which shows that I have ScriptSentry linked there, which is another script checker, though not nearly as powerful as WormGuard.

    Second, you listed another registry key (though the upper level isn't specified here): "? \ Software \ Microsoft \ InternetExplorer \ ExplorerBars\". What's in that key for a value? What's the top part of that key (HKEY_LOCAL_MACHINE maybe)?

    How exactly are you looking this up at the Symantec site in order to determine that it might be a worm? I'm thinking that with more information here we may find that it isn't a worm at all. (Though certainly it could be, we just don't have all the data posted here yet.)
     

  3. C05

    C05 Registered Member

    Joined:
    Jan 11, 2004
    Posts:
    5
    My apologies, LowWaterMark.

    Here is the appropriate information that I think will help solve the puzzle.

    I looked up the following in Google:
    HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command\

    And I checked this link:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.pops.html

    I then went to regedit and searched for Janis and found:
    Pass.on
    BetLog.bin
    Janis
    Sex.com

    It was located in My Computer\HKEY_USERS\misc numbers letters\Software\Microsoft\Internet Explorer\Explorer Bars\ {MiscNumbers and letters
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    The registry key in question is related to telling Windows HOW to run files with the extension .VBS. By default this is to use Windows Scripting Technology, and this is inherently dangerous - so RegProt shows you what is being used to handle these files.

    Most users have no need to be able to run VBS files, and should modify the handler to be NOTEPAD.EXE %1

    This means when you double click a VBS file it will simply open in Notepad. You probably won't EVER see this happen unless you use VBS files for advanced operations. Even then, most admins prefer PERL scripts :)
     
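    LowWaterMark's point (the key is supposed to exist; what matters is the command stored in it) and Gavin's recommendation (point the handler at NOTEPAD.EXE %1) can be checked in one pass over a registry export. The script below is an added example, not code from the thread or from DiamondCS: it parses the text produced by `reg export HKCR\VBSFile file.reg` (or a larger export that includes the other script classes), pulls the default value of every `...\Shell\Open\Command` key, and reports whether the handler is a script host (WScript/CScript, the Windows default Gavin describes), Notepad (the hardened setting), or some other program such as a script checker like ScriptSentry. The embedded export text is constructed for the example and does not come from the poster's machine.

```python
import re

# Constructed sample in .reg export format (not a real export from the poster's box).
# It mixes the Windows default handler, the Notepad handler Gavin recommends, and a
# third-party script checker, so all three verdicts below are exercised.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\VBSFile]
@="VBScript Script File"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="\"%SystemRoot%\\System32\\WScript.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\JSFile\Shell\Open\Command]
@="\"%SystemRoot%\\System32\\WScript.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\VBEFile\Shell\Open\Command]
@="NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\WSFFile\Shell\Open\Command]
@="\"C:\\Program Files\\ScriptSentry\\ScriptSentry.exe\" \"%1\" %*"
'''

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
COMMAND_SUFFIX = "\\shell\\open\\command"


def parse_reg_export(text):
    """Return {key_path: default_value} for every [section] that sets a default (@) value.

    .reg files escape backslashes as \\\\ and quotes as \\" inside string values;
    the re.sub below undoes that so the command reads as the registry stores it.
    """
    defaults = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith('@="') and line.endswith('"'):
            defaults[current] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults


def first_token(command):
    """Extract the executable from a shell command: the quoted part, or up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command.split() else ""


def classify_handler(command):
    """'script-host' for WScript/CScript (the Windows default), 'notepad' for the hardened
    setting, 'other' for anything else (e.g. a script checker interposed in front)."""
    exe = first_token(command).lower().replace("/", "\\")
    basename = exe.rsplit("\\", 1)[-1]
    if basename in SCRIPT_HOSTS:
        return "script-host"
    if basename == "notepad.exe":
        return "notepad"
    return "other"


def audit_script_handlers(text):
    """Map each file class (VBSFile, JSFile, ...) to (command, verdict) from a .reg export."""
    results = {}
    for key, command in parse_reg_export(text).items():
        if not key.lower().endswith(COMMAND_SUFFIX):
            continue
        # Drop the hive prefix and the \Shell\Open\Command tail to get the ProgID.
        progid = key[: -len(COMMAND_SUFFIX)].rsplit("\\", 1)[-1]
        results[progid] = (command, classify_handler(command))
    return results


if __name__ == "__main__":
    for progid, (command, verdict) in sorted(audit_script_handlers(SAMPLE_REG_EXPORT).items()):
        flag = "CHECK " if verdict == "script-host" else "ok    "
        print(f"{flag}{progid:<10} {verdict:<12} {command}")
</code>

    Run as-is it reports on the constructed sample; to audit a real machine, save `reg export HKCR export.reg` from an elevated prompt, read the file (it is UTF-16 with a byte-order mark, so open it with `encoding="utf-16"`) and pass the text to `audit_script_handlers`. A `script-host` verdict is exactly the Windows default Gavin and Dan describe, so its presence alone is not evidence of infection; the thing to compare is whether the command differs from what was there before, which is the check RegProt is doing when it pops up.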
  5. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi All,

    I'm kinda confused; what was it that led you (C05) to believe that this is a recent infestation (if in fact it is an infestation)? As Gavin pointed out, RegProt will show the VBS open key by default when it runs (and this key setting is the Windows default, as he mentioned).

    It may be that the other keys are dregs of a previous infestation that is no longer active.

    Perhaps you can post an ASViewer log? That might help us see what is going on. Please download and run DCS's AutostartViewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.

    Thanks
     
  6. C05

    C05 Registered Member

    Joined:
    Jan 11, 2004
    Posts:
    5
    I think the fact that this was found should be some form of evidence that something was residing on the box. Too much focus is being directed away from the main subject of what I'm seeking, which is: shouldn't WormGuard have caught it?

    The comment above is regarding something that popped up when I installed RegProt. The box was a clean box, as updates for the OS were done after I installed TDS-3 and WormGuard after Nod32.

    Now granted, I didn't do the update to Nod32 right away. But after several updates to MS and some additional tools from the AnalogX site, I did the update and went about my business for several weeks.

    After installing RegProt I had several items pop up that I could justify; then the system was up, everything was loaded, and I'm in MS Word and up pops RegProt with the HKEY Root info.

    Now all I'm asking is how did it get past WormGuard?
     
  7. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    C05

    I see no evidence that anything got past Wormguard. It might possibly be the case that something has, but there is nothing in what I understood you to write that would indicate it. This is why I was trying to get some clarification and more info so we can determine what, if anything, happened.

    Regards,

    Dan
     
  8. C05

    C05 Registered Member

    Joined:
    Jan 11, 2004
    Posts:
    5
    Thanks for your patience Dan. This has been a learning experience. I learned a few things and hopefully will be able to provide the info next time around.

    Thanks for the zip file.

    As for the box in question - going through a restore. Gonna reload Nod/WormGuard/TDS-3, then do the winupdates, then drop RegProt.

    Had a sit down with my son and found out a few things that were mentioned about a previous infection.

    Thank you for your patience in dealing with my somewhat impatient writing, and lack of knowledge.
     
  9. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Oh! No worries at all!

    I know well enough how stressful it is to deal with these sorts of things. Please don't hesitate to ask additional questions whenever the situation warrants.

    Warm Regards,

    Dan
     