Openme.exe trojan

Discussion in 'malware problems & news' started by TonyKlein, Feb 24, 2002.

Thread Status:
Not open for further replies.
  1. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Lately, I've seen a number of similar cases present themselves regarding some trojan starting up from the System.ini, editing the Shell= line to read shell=explorer.exe openme.exe

    We've been using StartLog by Rmbox as a very useful tool to troubleshoot startup problems and detect trojans, but it only works with Win95, 98 and ME.

    What about XP? Anything much known about all the possible startup locations there?

    And from where would this openme.exe thing start up in XP?
    I've seen two cases of people running XP that had this trojan, and who were unable to determine from where it started up.

    I'm running Win 98SE myself, so I'm really at a loss.

    Anyone able to shed some light on this issue?
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Tony,

    Although not designed for XP, you might play around with TrojanCheck - a little but very nice freeware app we helped developing in the past. You can grab a copy from our downloads page:

    www.wilders.org/downloads.htm

    Some remarks:

    - forget about the anti-trojan engine (outdated);
    - it's been known to produce one false positive on XP: shadow.exe - belonging to XP.

    No guarantees here, since as stated it's not designed for XP. Nevertheless, it might come in very helpful.

    Keep us posted.

    regards.

    paul
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Thanks Paul,

    What I was really looking for, however, is a neat list of *all* possible startup locations in XP, something like what has been done for Win98.

    As a matter of fact I seem to remember one of your posts called something like "All Known Autostart Methods".

    Do you still have a link to that one?

    And is some of that applicable to XP?

    Thanks! Tony
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Apart from the usual registry keys under HKLM, HKCU and HKUD -

    Run
    RunServices
    RunOnce

    It would start from the startup folder, or most likely the "marklord method":

    HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<some key>\StubPath =

    or

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders - <some folder>, Windows runs the files in this folder
     
  5. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Thank you, Gavin,

    That's most helpful, and I think with this we may be able to help people with XP to get rid of this and possibly other trojans by checking these locations, in case they didn't get a chance to run an antitrojan.

    Thanks again.


    Cheers, Tony
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Tony - This may be the post from the old site that you were referring to: http://pub24.ezboard.com/fsecureyesecurityfrm2.showMessage?topicID=18.topic . Pete
     
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Hi spy1,

    That's the one I meant.

    Thanks!

    Cheers, Tony
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    You're quite welcome. Pete
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,349
    Location:
    The Netherlands
    Meanwhile, we've been able to detect the trojan's startup location in Windows 2000:

    It's the Shell= line in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

    The default value is "Shell"="Explorer.exe", but the trojan modifies it.

    Should be helpful for XP as well.

    Thought I'd update this one.

    Greetz, Tony
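A defender-side check for the two Shell= locations named in this thread (system.ini on Win9x/ME, the Winlogon key on 2000/XP), as an added example that is not from any poster: it parses a user's pasted system.ini [boot] section and a .reg export of the Winlogon key and flags every program on the Shell= line other than explorer.exe. The sample inputs are constructed; the key path and the default "Shell"="Explorer.exe" value are as stated in the thread.

```python
import configparser
import re
import shlex
# Constructed sample inputs, modelled on what a helper would ask an affected
# user to paste: the [boot] section of a Win9x system.ini and a .reg export
# of the Winlogon key from Windows 2000/XP. Both carry the thread's openme.exe.
SYSTEM_INI = """[boot]
shell=explorer.exe openme.exe
"""
WINLOGON_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe openme.exe"
"""
EXPECTED_SHELL = "explorer.exe"  # the only program that belongs on the Shell= line

def shell_from_system_ini(text):
    """Return the Shell= value from the [boot] section, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp.get("boot", "shell", fallback=None)

def shell_from_reg_export(text):
    """Return the Winlogon "Shell" value from a .reg export, or None if absent."""
    in_winlogon = False
    for line in text.splitlines():
        if line.startswith("["):
            in_winlogon = line.rstrip("]").lower().endswith(r"\winlogon")
            continue
        m = re.match(r'^"Shell"="(.*)"$', line, re.IGNORECASE)
        if in_winlogon and m:
            return m.group(1).replace("\\\\", "\\")  # .reg doubles backslashes
    return None

def unexpected_shell_entries(shell_value):
    """Split the Shell= command line; return every program that is not explorer.exe."""
    if shell_value is None:
        return ["<missing>"]
    tokens = shlex.split(shell_value, posix=False)
    return [t for t in tokens if t.strip('"').lower() != EXPECTED_SHELL]

def audit(system_ini_text, reg_text):
    """Check both sources; {source: [extra programs]} is all-empty on a clean box."""
    return {
        "system.ini": unexpected_shell_entries(shell_from_system_ini(system_ini_text)),
        "winlogon": unexpected_shell_entries(shell_from_reg_export(reg_text)),
    }

if __name__ == "__main__":
    for source, extra in audit(SYSTEM_INI, WINLOGON_REG).items():
        print(source, "clean" if not extra else "suspicious: " + ", ".join(extra))
```

Anything reported as suspicious is a program that Windows will launch alongside the desktop shell at every logon, which is exactly where the thread found openme.exe.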
     