Confused here. When I d/l winmain.exe and then click on the exe, I get no alert from WG - why is that? From the log:

FILE: C:\WINDOWS\SYSTEM32\notepad.exe CLASS: Application PARAMS: FOLDER: C:\Documents and Settings\Pete Yevchak FILE EXECUTION - 11:44:38 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Documents and Settings\Pete Yevchak\Desktop\winmain.zip CLASS: WinZip File PARAMS: FOLDER: C:\Documents and Settings\Pete Yevchak\Desktop FILE EXECUTION - 11:52:13 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Documents and Settings\Pete Yevchak\Local Settings\Temp\winmain.exe PARAMS: FOLDER: FILE EXECUTION - 11:52:21 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Documents and Settings\Pete Yevchak\Desktop\winlog.zip CLASS: WinZip File PARAMS: FOLDER: C:\Documents and Settings\Pete Yevchak\Desktop FILE EXECUTION - 11:52:32 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Documents and Settings\Pete Yevchak\Desktop\winmain.zip CLASS: WinZip File PARAMS: FOLDER: C:\Documents and Settings\Pete Yevchak\Desktop FILE EXECUTION - 11:53:07 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\unzipped\winmain\winmain.exe CLASS: Application PARAMS: FOLDER: C:\unzipped\winmain FILE EXECUTION - 11:53:53 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Defensive Tools\WormGuard\wguard.exe CLASS: Application PARAMS: FOLDER: C:\Defensive Tools\WormGuard FILE EXECUTION - 11:55:06 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Defensive Tools\wguard.log CLASS: Text Document PARAMS: FOLDER: C:\Defensive Tools FILE EXECUTION - 11:55:44 07/30/2003 by user PETE YEVCHAK on computer COMPUTER

And, yes, I do have the dot in the button in front of "Display a messagebox regarding the block" activated. Did the thing execute or not? Why didn't I get an alert?
HTA is in the "Blocked Filetypes" Blocking Editor, "Deep-Search files" is checked and the "Test" button is telling me WG is working. I didn't even get the question box from WG asking me what to do with the file. What gives? Pete
From what I have understood: winmain.exe starts MSHTA.EXE, which enables any hta script to be executed. So there is no hostile code in winmain.exe. Dolf
Oh, yeah - right at the moment I have three instances of mshta.exe running! lol! Woe is me! This isn't particularly striking me as being "protected" by WormGuard, guys. Pete
Hey Pete, I agree with Dolf, here. Though I have not studied this issue in any depth, I believe that all the WinMain does, as Dolf mentioned, is to ensure that MSHTA is up all the time and ready to handle any (perhaps dubious) request. WG is not intended to keep MSHTA disabled, or to warn when it starts, but it *is* supposed to protect you from any hta scripts you encounter. Have you tried this? Given this issue, I would expect someone to set up a test page that would allow you to see if a test HTA sploit would get through your defenses. I don't know of any yet, but it might be worthwhile to look for. (If you find one, let us know!) Dan
I think my file associations are all screwed up. Would re-installing WG re-associate the files that are supposedly being watched by WG with WG? Pete
mmmm, not sure if I understand you right. Regarding the OS file associations, WG is not involved at all (at least it isn't on my machine). The hook handles everything. Or did you mean something in the WG interface?
Dan, look here: https://www.wilderssecurity.com/showthread.php?t=11852;start=msg76613#msg76613 It's supposed to be harmless. Dolf
Lol, I haven't got that far down in the forum yet! Awesome, Dolf! You get a karma cookie for that one! Thanks
The only way I could get WG to alarm on the htanotepad.hta file was to directly associate HTA files with the wormguard.exe
Something is wrong then. I just double-checked my associations for HTA in particular and it is associated normally with mshta; yet if I run the hta file that Dolf provided I get the WG raspberry. Are you sure you have .hta listed in the "Blocked File Types" list in WG? If so, maybe a reinstall of WG is warranted then.
Yes, HTA is listed (read my post up yonder). Directly associating HTA with the WG exe was also the only way I could get WG to alert on the "OpenPorts.hta" file that Jason Levine put up on the DSLR thread, here: http://www.dslreports.com/forum/remark,7532389~root=security,1~mode=flat;start=0
Of course, that brings up the question - why, even though WG blocked it, wasn't I given the opportunity to tell WG what to do with the file? I am the administrator and running in my own profile. Crap. Pete
Anything you have listed in the Blocked section is blocked outright with no mediation. If you remove the .hta extension from the blocked list the normal WG protection is still evident. For instance, after removing .hta from my blocked file list I double-clicked on the .hta file and got this warning from WG:

Risk Assessment: Medium
*> Script Analysis: Security risks detected.
WormGuard Script Analysis:
> Access to .hta file(s)
> Accesses the file system.
> Opens text file(s) for reading.
> Writes data to file(s).
> Creates text file(s).

followed by the body of the script. Since whatever is hindering the proper blocking of hta is probably impacting the other "blocked" settings, I would recommend that you de-activate protection, uninstall and then reinstall and re-activate.
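The Script Analysis findings quoted in the post above ("Accesses the file system", "Opens text file(s) for reading", and so on) are the output of a heuristic scan over the script inside the .hta file. The following is an added example, not WormGuard's code and not anything posted in this thread: a small Python scanner that pulls the script blocks out of an HTA, matches them against a rule table and produces a report in the same shape. The rule list and the weights behind the risk rating are the author's own approximation of what such a scanner needs; the sample HTA is constructed for this example and only creates, writes and reads back one text file.

```python
"""Heuristic static analysis of an HTA (HTML Application) file.

Added example, not WormGuard's code. It reproduces the kind of findings a
script analyzer reports by pattern-matching the <script> blocks of an .hta.
The rules and weights below are assumptions chosen for this example.
"""
import re
from typing import List, Tuple

# Constructed sample .hta: VBScript that creates, writes and reads a text file.
SAMPLE_HTA = r"""<html>
<head>
<HTA:APPLICATION ID="demo" APPLICATIONNAME="demo" />
<script language="VBScript">
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set f = fso.CreateTextFile("C:\temp\demo.txt", True)
  f.WriteLine "hello"
  f.Close
  Set r = fso.OpenTextFile("C:\temp\demo.txt", 1)
  MsgBox r.ReadAll
</script>
</head>
<body></body>
</html>
"""

# (case-insensitive pattern, finding text, weight used for the risk rating)
RULES: List[Tuple[str, str, int]] = [
    (r"\.hta\b", "Access to .hta file(s)", 1),
    (r"Scripting\.FileSystemObject", "Accesses the file system.", 2),
    (r"\.OpenTextFile\s*\(", "Opens text file(s) for reading.", 1),
    (r"\.(?:Write|WriteLine|WriteBlankLines)\b", "Writes data to file(s).", 2),
    (r"\.CreateTextFile\s*\(", "Creates text file(s).", 2),
    (r"WScript\.Shell|\.Run\b|\.Exec\b", "Launches external programs.", 3),
    (r"HKEY_|\.RegWrite\b", "Writes to the registry.", 3),
]

SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def extract_scripts(hta: str) -> List[str]:
    """Return the bodies of all <script> blocks; markup outside them is ignored."""
    return SCRIPT_BLOCK.findall(hta)


def analyze(hta: str) -> List[str]:
    """Return the distinct findings triggered by the script code, in rule order."""
    code = "\n".join(extract_scripts(hta))
    return [text for pat, text, _ in RULES if re.search(pat, code, re.I)]


def risk(findings: List[str]) -> str:
    """Map the summed rule weights to a coarse rating (thresholds are assumptions)."""
    score = sum(w for _, text, w in RULES if text in findings)
    if score == 0:
        return "None"
    if score <= 3:
        return "Low"
    if score <= 7:
        return "Medium"
    return "High"


def report(hta: str) -> str:
    """Format the result like a one-screen risk assessment."""
    findings = analyze(hta)
    lines = [f"Risk Assessment: {risk(findings)}"]
    if findings:
        lines.append("*> Script Analysis: Security risks detected.")
        lines.append("Script Analysis:")
        lines.extend(f"> {f}" for f in findings)
    else:
        lines.append("*> Script Analysis: No known risks detected.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_HTA))
```

Because the scan only looks at script blocks, it says nothing about what the HTA host itself is allowed to do; an .hta runs with the full privileges of the user who launched it regardless of what the scanner reports, which is why the thread treats a blocked-list entry for .hta as the stronger control.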
Well, that's the $10,000 question, really. It's heavily coded. However, here's some interesting info Spywareinfo's mjc found in the decoded file: