Why no alert on winmain.exe f/WG?

Discussion in 'WormGuard' started by spy1, Jul 30, 2003.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Confused here.

    When I d/l winmain.exe and then click on the exe, I get no alert from WG - why is that?

    From the log:

    FILE: C:\WINDOWS\SYSTEM32\notepad.exe
    CLASS: Application
    PARAMS:
    FOLDER: C:\Documents and Settings\Pete Yevchak
    FILE EXECUTION - 11:44:38 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
    ---
    FILE: C:\Documents and Settings\Pete Yevchak\Desktop\winmain.zip
    CLASS: WinZip File
    PARAMS:
    FOLDER: C:\Documents and Settings\Pete Yevchak\Desktop
    FILE EXECUTION - 11:52:13 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
    ---
    FILE: C:\Documents and Settings\Pete Yevchak\Local Settings\Temp\winmain.exe
    PARAMS:
    FOLDER:
    FILE EXECUTION - 11:52:21 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
    ---
    FILE: C:\Documents and Settings\Pete Yevchak\Desktop\winlog.zip
    CLASS: WinZip File
    PARAMS:
    FOLDER: C:\Documents and Settings\Pete Yevchak\Desktop
    FILE EXECUTION - 11:52:32 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
    ---
    FILE: C:\Documents and Settings\Pete Yevchak\Desktop\winmain.zip
    CLASS: WinZip File
    PARAMS:
    FOLDER: C:\Documents and Settings\Pete Yevchak\Desktop
    FILE EXECUTION - 11:53:07 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
    ---
    FILE: C:\unzipped\winmain\winmain.exe
    CLASS: Application
    PARAMS:
    FOLDER: C:\unzipped\winmain
    FILE EXECUTION - 11:53:53 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
    ---
    FILE: C:\Defensive Tools\WormGuard\wguard.exe
    CLASS: Application
    PARAMS:
    FOLDER: C:\Defensive Tools\WormGuard
    FILE EXECUTION - 11:55:06 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
    ---
    FILE: C:\Defensive Tools\wguard.log
    CLASS: Text Document
    PARAMS:
    FOLDER: C:\Defensive Tools
    FILE EXECUTION - 11:55:44 07/30/2003 by user PETE YEVCHAK on computer COMPUTER

    And, yes, I do have the dot in the button in front of "Display a messagebox regarding the block" activated.

    Did the thing execute or not?

    Why didn't I get an alert?

    HTA is in the "Blocked Filetypes" Blocking Editor, "Deep-Search files" is checked and the "Test" button is telling me WG is working.

    I didn't even get the question box from WG asking me what to do with the file. o_O

    What gives?

    Pete
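    The log quoted above has a regular record layout (FILE / CLASS / PARAMS / FOLDER / FILE EXECUTION, records separated by ---), so the two questions in the post, "did the thing execute?" and "why should this one have been flagged?", can be answered mechanically. The following is an added example, not WormGuard's code and not from anyone in this thread: a small parser for that record format plus a triage pass over the parsed records. The sample log is a constructed subset of the entries quoted above, and the triage rules (executable launched from a temp folder, CLASS field empty, .hta extension) are my own assumptions about what a defender reviewing such a log would want flagged, not the product's rules.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample in the WormGuard log format quoted in the thread
# (a subset of the entries, same field layout).
SAMPLE_LOG = r"""
FILE: C:\WINDOWS\SYSTEM32\notepad.exe
CLASS: Application
PARAMS:
FOLDER: C:\Documents and Settings\Pete Yevchak
FILE EXECUTION - 11:44:38 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Documents and Settings\Pete Yevchak\Desktop\winmain.zip
CLASS: WinZip File
PARAMS:
FOLDER: C:\Documents and Settings\Pete Yevchak\Desktop
FILE EXECUTION - 11:52:13 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\Documents and Settings\Pete Yevchak\Local Settings\Temp\winmain.exe
PARAMS:
FOLDER:
FILE EXECUTION - 11:52:21 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
---
FILE: C:\unzipped\winmain\winmain.exe
CLASS: Application
PARAMS:
FOLDER: C:\unzipped\winmain
FILE EXECUTION - 11:53:53 07/30/2003 by user PETE YEVCHAK on computer COMPUTER
""".strip()


@dataclass
class Entry:
    file: str
    cls: str
    params: str
    folder: str
    when: str
    user: str
    computer: str

    @property
    def basename(self) -> str:
        return self.file.rsplit("\\", 1)[-1].lower()

    @property
    def ext(self) -> str:
        return os.path.splitext(self.basename)[1]


EXEC_RE = re.compile(r"^FILE EXECUTION - (\S+ \S+) by user (.+?) on computer (\S+)$")
FIELDS = ("FILE", "CLASS", "PARAMS", "FOLDER")


def parse_log(text: str) -> list[Entry]:
    """Split the log on '---' separators and build one Entry per execution record."""
    entries = []
    for block in text.split("---"):
        fields = dict.fromkeys(FIELDS, "")
        exec_info = None
        for raw in block.splitlines():
            line = raw.strip()
            m = EXEC_RE.match(line)
            if m:
                exec_info = m.groups()
                continue
            key, sep, val = line.partition(":")
            if sep and key in fields:
                fields[key] = val.strip()
        if exec_info:  # a block without a FILE EXECUTION line is not a record
            entries.append(Entry(*(fields[k] for k in FIELDS), *exec_info))
    return entries


# Assumed triage rules (mine, not WormGuard's): what a reviewer of this log
# would want drawn to their attention.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".hta", ".vbs", ".js"}


def triage(entry: Entry) -> list[str]:
    reasons = []
    path = entry.file.lower()
    if entry.ext in EXECUTABLE_EXTS:
        if any(marker in path for marker in TEMP_MARKERS):
            reasons.append("executable content launched from a temp folder")
        if not entry.cls:
            reasons.append("CLASS field empty for an executable file type")
    if entry.ext == ".hta":
        reasons.append("HTML Application: script runs under mshta.exe")
    return reasons


def executions_of(entries: list[Entry], basename: str) -> list[str]:
    """Answer 'did it execute?': timestamps of every launch of the named file."""
    return [e.when for e in entries if e.basename == basename.lower()]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("winmain.exe launched at:", executions_of(log, "winmain.exe"))
    for e in log:
        for reason in triage(e):
            print(f"{e.when}  {e.file}  <- {reason}")
```

    Run against the sample, the parser reports two launches of winmain.exe (11:52:21 from the Temp folder, 11:53:53 from C:\unzipped), and only the Temp-folder launch is flagged, on two counts: it ran from a temp directory and its record has no CLASS value, unlike every other executable in the log.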
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    From what I have understood: winmain.exe starts MSHTA.EXE, which enables any hta script to be executed.
    So there is no hostile code in winmain.exe.
    Dolf
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Oh, yeah - right at the moment I have three instances of mshta.exe running!

    lol!

    Woe is me!

    This isn't particularly striking me as being "protected" by WormGuard, guys. Pete
     
  4. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    hmm, have you tried to load that htanotepad.hta?
    Dolf
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Yeah. What was I supposed to have saved it as? An hta file? Or a text file? Pete
     
  6. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    yes: .hta
     
  7. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hey Pete,

    I agree with Dolf, here. Though I have not studied this issue in any depth, I believe that all the WinMain does, as Dolf mentioned, is to ensure that MSHTA is up all the time and ready to handle any (perhaps dubious) request. WG is not intended to keep MSHTA disabled, or to warn when it starts but it *is* supposed to protect you from any hta scripts you encounter. Have you tried this? Given this issue, I would expect someone to set up a test page that would allow you to see if a test HTA sploit would get through your defenses. I don't know of any yet but it might be worthwhile to look for. (If you find one let us know! :) )

    Dan
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I think my file associations are all screwed up.

    Would re-installing WG re-associate the files that are supposedly being watched by WG with WG? Pete
     
  9. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    blocked list of WG
     

    Attached Files:

  10. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    mmmm, not sure if I understand you right. Regarding the OS file associations, WG is not involved at all (at least it isn't on my machine :eek: :D ). The hook handles everything. Or did you mean something in the WG interface?
     
  11. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
  12. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Lol, I haven't got that far down in the forum yet!

    Awesome, Dolf! You get a karma cookie for that one!

    Thanks
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    The only way I could get WG to alarm on the htanotepad.hta file was to directly associate HTA files with the wormguard.exe
     

    Attached Files:

  14. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    no need to have a file association.
    You have Protection enabled in WG?
    Seen screenshot above?
     
  15. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Something is wrong then, I just double-checked my associations for HTA in particular and it is associated normally with mshta; yet if I run the hta file that Dolf provided I get the WG raspberry.

    Are you sure you have .hta listed in the "Blocked File Types" list in WG? If so, maybe a reinstall of WG is warranted then o_O
     
  16. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC

    Attached Files:

  17. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Of course, that brings up the question - why - even though WG blocked it - wasn't I given the opportunity to tell WG what to do with the file?

    I am the administrator and running in my own profile.

    Crap. Pete
     
  18. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Anything you have listed in the Blocked section is blocked outright with no mediation. If you remove the .hta extension from the blocked list the normal WG protection is still evident. For instance, after removing .hta from my blocked file list I doubleclicked on the .hta file and got this warning from WG

    Risk Assessment: Medium

    *> Script Analysis: Security risks detected.
    WormGuard Script Analysis:

    > Access to .hta file(s)
    > Accesses the file system.
    > Opens text file(s) for reading.
    > Writes data to file(s).
    > Creates text file(s).

    followed by the body of the script.

    Since whatever is hindering the proper blocking of hta is probably impacting the other "blocked" settings I would recommend that you de-activate protection, uninstall and then reinstall and re-activate.
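    The warning quoted in this post shows the shape of a heuristic script assessment: a list of behavioural findings and an overall risk level derived from them. As an added example, not WormGuard's code and not from anyone in this thread, here is a minimal analyser in that style. The indicator table, its patterns and weights, and the Low/Medium/High thresholds are all my own assumptions modelled on the five findings listed above, not the product's real rules; the two input pages are constructed samples (a benign page and an HTA-style page that reads one text file and writes it back out).

```python
import re

# Assumed indicator table (modelled on the findings quoted in the thread,
# not WormGuard's own rules). Each row: finding text, pattern, weight.
INDICATORS = [
    ("Access to .hta file(s)",          re.compile(r"\.hta\b", re.I), 2),
    ("Accesses the file system.",       re.compile(r"Scripting\.FileSystemObject", re.I), 1),
    ("Opens text file(s) for reading.", re.compile(r"\.OpenTextFile\s*\(", re.I), 1),
    ("Writes data to file(s).",         re.compile(r"\.Write(?:Line)?\b", re.I), 2),
    ("Creates text file(s).",           re.compile(r"\.CreateTextFile\s*\(", re.I), 2),
]


def analyse_script(text: str) -> tuple[str, list[str]]:
    """Return (risk level, list of matched findings) for a script or HTA body."""
    hits = [(name, weight) for name, rx, weight in INDICATORS if rx.search(text)]
    score = sum(weight for _, weight in hits)
    # Thresholds are assumptions; all five indicators together score 8, which
    # lands on "Medium" as in the warning quoted in the thread.
    level = "Low" if score <= 2 else "Medium" if score <= 8 else "High"
    return level, [name for name, _ in hits]


def format_report(text: str) -> str:
    """Render the assessment in the layout the thread quotes."""
    level, findings = analyse_script(text)
    lines = [f"Risk Assessment: {level}", ""]
    if findings:
        lines += ["*> Script Analysis: Security risks detected.", "WormGuard Script Analysis:", ""]
        lines += [f"> {f}" for f in findings]
    else:
        lines.append("*> Script Analysis: No security risks detected.")
    return "\n".join(lines)


# Constructed samples.
BENIGN_HTML = "<html><body><h1>Hello</h1><script>document.title = 'hi';</script></body></html>"

FILE_TOUCHING_HTA = r"""
<html><head><title>constructed sample</title>
<script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
Set src = fso.OpenTextFile("C:\notes.txt", 1)
Set dst = fso.CreateTextFile("C:\notes.hta", True)
dst.WriteLine src.ReadAll
</script></head><body></body></html>
"""

if __name__ == "__main__":
    print(format_report(FILE_TOUCHING_HTA))
    print()
    print(format_report(BENIGN_HTML))
```

    The point of the weights is the one this post makes about mediation: a page that merely references the file system scores low and would be shown to the user for a decision, while a page that opens, creates and writes files accumulates enough to be reported as a risk. Pattern matching of this kind is easy to evade by obfuscation, which is why the thread's later remark that winlog.html is "heavily coded" matters for any such analyser.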
     
  19. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    You CAN have a choice!

    From the WG Helpfile:
     

    Attached Files:

  20. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Looks familiar??
     

    Attached Files:

  21. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    More exactly, this particular winmain.exe starts MSHTA.EXE which calls a c:\winlog.html file.
     
  22. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
  23. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Thanks for the explanation, Tony.
    What does win.html do?
    Dolf
     
  24. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Well, that's the $10,000 question, really.

    It's heavily coded.

    However, here's some interesting info Spywareinfo's mjc found in the decoded file:

     
  25. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Well, looks like a nice job for Ethereal, if I ever get my hands on those files....
     