Unknown exploit - Boot.ini/Windows shares

Group: Microsoft Applications Security
Posted by Pieter van der Walt on February 20, 2006, 5:05 am
I have a situation currently where a company's network is under some
kind of attack.

- PCs' boot.ini file gets overwritten, resets partition pointers to 0
- we have found in some cases the NTLDR gets deleted
- no virus signatures can find a problem despite running multiple AV packages
- pc slows down, spontaneous reboot and after reboot boot.ini is changed
- looks like it spreads via public shares - is there a way of forcibly disabling network shares, i.e. through registry perhaps?


All Windows updates have been done and the symptoms are experienced on
Windows NT, 2000 and XP machines.


We thought it may be the W32.opaserv.k.worm but not that!!


Anyone who has come across similar experiences please let me know asap!


Thanks
P.
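A small checker for the first symptom listed in this post, written as an added example and not part of the thread: it parses a boot.ini, flags ARC entries whose partition index has been reset to 0 (ARC partition numbers start at 1, so partition(0) can never be a bootable volume), and checks that default= still names a listed system. The sample boot.ini contents below are constructed.

```python
import re
# ARC path syntax used by boot.ini on NT/2000/XP. partition() is 1-based,
# so an entry rewritten to partition(0) can never point at a bootable volume.
ARC_RE = re.compile(
    r'^(multi|scsi)\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\((\d+)\)\\.+$', re.I)

def parse_boot_ini(text):
    """Return {section: [(key, value), ...]} for boot.ini-style INI text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            key, _, value = line.partition('=')
            sections[current].append((key.strip(), value.strip()))
    return sections

def check_boot_ini(text):
    """Return a list of findings; an empty list means the file looks intact."""
    findings = []
    sec = parse_boot_ini(text)
    loader = dict(sec.get('boot loader', []))
    systems = sec.get('operating systems', [])
    if not systems:
        findings.append('no [operating systems] entries')
    for arc, _label in systems:
        m = ARC_RE.match(arc)
        if not m:
            findings.append('unparsable ARC path: ' + arc)
        elif m.group(2) == '0':
            findings.append('partition(0) in ARC path: ' + arc)
    default = loader.get('default')
    if default is None:
        findings.append('missing default= in [boot loader]')
    elif default not in dict(systems):
        findings.append('default= matches no OS entry: ' + default)
    return findings

# Constructed samples: a normal XP boot.ini and one showing the reported symptom.
GOOD = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""
TAMPERED = GOOD.replace('partition(1)', 'partition(0)')
```

Run check_boot_ini on the contents of C:\boot.ini from each affected machine; a non-empty result on a machine that booted fine yesterday is the tampering the post describes.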



Posted by Milo ( MSPSS) on February 20, 2006, 7:30 am
Isolate the workstation or server; try to simulate a random check (bandwidth
spikes or a heuristic scope of logs and transmission: where to, and which one
among the PCs is deliberately running beyond what is expected, esp. off
office hours when bandwidth is controlled).



--
Milo
MSPSS - ESCA



Posted by David H. Lipman on February 20, 2006, 5:53 pm

| I have a situation currently where a company's network is under some
| kind of attack.
|
| - PC's boot.ini file gets overwritten, resets partition pointers to 0
| - we have found in some cases the NTLDR gets deleted
| - no virus signatures can find a problem despite running multiple AV
| packages
| - pc slows down, spontaneous reboot and after reboot boot.ini is
| changed
| - looks like it spreads via public shares - is there a way of forcibly
| disabling network shares, i.e. through registry perhaps?
|
| All Windows updates have been done and the symptoms are experienced on
| Windows NT, 2000 and XP machines.
|
| We thought it may be the W32.opaserv.k.worm but not that!!
|
| Anyone who has come across similar experiences please let me know asap!
|
| Thanks
| P.
|


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal
Mode. This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you
can download the files and perform a scan in Normal Mode. Once you have downloaded
the files needed for each scanner you want to use, you should reboot the PC into
Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner
you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode
and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive
PDF help file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Stefan Kanthak on February 21, 2006, 3:57 pm

> I have a situation currently where a company's network is under some
> kind of attack.
>
> - PC's boot.ini file gets overwritten, resets partition pointers to 0
> - we have found in some cases the NTLDR gets deleted
> - no virus signatures can find a problem despite running multiple AV
> packages
> - pc slows down, spontaneous reboot and after reboot boot.ini is
> changed
> - looks like it spreads via public shares - is there a way of forcibly
> disabling network shares, i.e. through registry perhaps?

REGEDIT4

; importable .reg form: full hive name and 8-digit DWORD values as regedit expects
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"NoFileSharing"=dword:00000001
"NoPrintSharing"=dword:00000001

But (BIG BUT): if it's malware, how does it get administrative rights?
Your users have accounts with administrative or power user rights?

And when it's malware: get your backups and restore ALL systems, but don't
connect them to the network until you've removed ALL user accounts from
the administrators group or the power users and setup strong passwords for
all accounts!

BTW: virus scanners only detect known malware. You'll have to use other
measures when you really want to protect your network. Think of software
restriction policies for XP and only allow execution from %SystemRoot%
and beyond and %ProgramFiles% and beyond.

Stefan


Posted by Pieter van der Walt on February 22, 2006, 5:25 am
Situation has been contained - and we now have expertise with tools
onsite... no exact explanation as to the exact cause yet...


>I have a situation currently where a company's network is under some
> kind of attack.
>
> - PC's boot.ini file gets overwritten, resets partition pointers to 0
> - we have found in some cases the NTLDR gets deleted
> - no virus signatures can find a problem despite running multiple AV
> packages
> - pc slows down, spontaneous reboot and after reboot boot.ini is
> changed
> - looks like it spreads via public shares - is there a way of forcibly
> disabling network shares, i.e. through registry perhaps?
>
>
> All Windows updates have been done and the symptoms are experienced on
> Windows NT, 2000 and XP machines.
>
>
> We thought it may be the W32.opaserv.k.worm but not that!!
>
>
> Anyone who has come across similar experiences please let me know asap!
>
>
> Thanks
> P.
>
>


