MSSPOOL? I know it (Hacktool) replaces CMDs to obtain administrative privileges.
Hacktool.Privshell replaces a known system service with itself. The common usage would be to replace the Spoolsv.exe file in the System directory with the hacktool program. Once the hacktool has replaced the known system service, it will create a cmdshell with Administrative privileges.
Another possible cause could be that during the update MSSPOOL was damaged and then detected as a virus. Often when an antivirus detects an unidentified file (possible virus) it searches its database and finds the closest matching virus.
Could well be you already had been hit by the server services code. They said as early as Wednesday the code was posted to the Internet and a worm could already be circulating. It replaced your msspool.exe (a server service) and caused the error, then your antivirus picked it up. Unfortunately, Norton is one of the antivirus programs that did not detect this new code.
Here are the results
Scan results
File: wgareg.exe
Date: 08/13/2006 03:03:43 (CET)
----
AntiVir 6.35.1.0/20060812 found [HEUR/Crypted.Layered]
Authentium 4.93.8/20060812 found [Possibly a new variant of W32/Threat-HLLIM-based!Maximus]
Avast 4.7.844.0/20060810 found nothing
AVG 386/20060811 found nothing
BitDefender 7.2/20060813 found [Generic.Malware.IXdld.658BDD6B]
CAT-QuickHeal 8.00/20060812 found [(Suspicious) - DNAScan]
ClamAV devel-20060426/20060813 found nothing
DrWeb 4.33/20060812 found nothing
eTrust-InoculateIT 23.72.94/20060812 found nothing
eTrust-Vet 30.3.3012/20060811 found nothing
Ewido 4.0/20060812 found nothing
Fortinet 2.77.0.0/20060812 found nothing
F-Prot 3.16f/20060811 found [Possibly a new variant of W32/Threat-HLLIM-based!Maximus]
F-Prot4 4.2.1.29/20060811 found [W32/Threat-HLLIM-based!Maximus]
Ikarus 0.2.65.0/20060811 found nothing
Kaspersky 4.0.2.24/20060813 found nothing
McAfee 4827/20060811 found nothing
Microsoft 1.1508/20060804 found nothing
NOD32v2 1.1704/20060811 found [a variant of Win32/IRCBot.OO]
Norman 5.90.23/20060811 found [W32/Suspicious_M.gen]
Panda 9.0.0.4/20060812 found [Suspicious file]
Sophos 4.08.0/20060812 found nothing
Symantec 8.0/20060813 found nothing
TheHacker 5.9.8.190/20060810 found nothing
UNA 1.83/20060811 found nothing
VBA32 3.11.0/20060811 found nothing
VirusBuster 4.3.7:9/20060812 found nothing
From Andreas' analysis:
[1] The exploit might also have entered using some java "hole", since I found a trace in ..\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\ext\ with a handful of highly suspicious .jar and .zip files.
[2] C:\WINNT\NT contained a file named NRCS.EXE, 25,185 bytes in length.
[3] C:\WINNT\Debug contained a file named dcpromo.log.
[4] Found malicious registry keys in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAREG
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAVM
YOU CANNOT EVEN DELETE THOSE IN SAFE MODE!
You can try my Intrusion Detection program to see if ports 135-139 & 445 are active.
http://www.detectorsplace.com/files/itools.zip
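Pulling the indicators from the posts above into one read-only audit: the LEGACY_WGAREG / LEGACY_WGAVM registry keys and the NRCS.EXE file from Andreas' analysis, the spoolsv.exe replacement described in the Privshell reply, and the ports 135-139 and 445 the last post suggests watching. This is an added example, not code from the thread or from the linked itools.zip. It assumes a modern Windows host (PowerShell 3 or later, for Get-NetTCPConnection) and an elevated prompt so HKLM and System32 are readable; the Services\wgareg and Services\wgavm keys and the System32 location of wgareg.exe are assumptions, since the posts only name the Enum\Root keys and the file name. Nothing in it deletes or modifies anything.

```powershell
# Added example (not from the thread). Read-only audit of the indicators named in the posts.
# Assumes PowerShell 3+ on Windows 8 / Server 2012 or later, run from an elevated prompt.

$Indicators = @{
    RegistryKeys = @(
        # Keys named in Andreas' post (Enum\Root\LEGACY_* entries are created when a service is registered)
        'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAREG',
        'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAVM',
        # Assumed: the Services entries that normally accompany such LEGACY_* keys
        'HKLM:\SYSTEM\CurrentControlSet\Services\wgareg',
        'HKLM:\SYSTEM\CurrentControlSet\Services\wgavm'
    )
    Files = @(
        "$env:SystemRoot\System32\wgareg.exe",   # location assumed; only the name appears in the scan
        "$env:SystemRoot\NT\NRCS.EXE"            # path as stated in the post (C:\WINNT\NT on that host)
    )
    Ports = @(135, 137, 138, 139, 445)
}

function Test-RegistryIndicators {
    # Report each key and, where present, its owner. The LEGACY_* Enum keys carry restrictive
    # ACLs, which is why deleting them from a normal or Safe Mode session fails.
    foreach ($key in $Indicators.RegistryKeys) {
        $present = Test-Path -LiteralPath $key
        [pscustomobject]@{
            Indicator = $key
            Present   = $present
            Owner     = if ($present) { (Get-Acl -LiteralPath $key).Owner } else { $null }
        }
    }
}

function Test-FileIndicators {
    foreach ($path in $Indicators.Files) {
        $present = Test-Path -LiteralPath $path -PathType Leaf
        [pscustomobject]@{
            Indicator = $path
            Present   = $present
            SizeBytes = if ($present) { (Get-Item -LiteralPath $path).Length } else { $null }
        }
    }
}

function Get-SpoolerBinaryStatus {
    # The Privshell reply describes the tool swapping itself in for spoolsv.exe. A replaced
    # binary will not carry a valid Microsoft Authenticode signature, so check the signature
    # rather than trusting the file name.
    $spoolsv = Join-Path $env:SystemRoot 'System32\spoolsv.exe'
    $sig = Get-AuthenticodeSignature -FilePath $spoolsv
    [pscustomobject]@{
        Path   = $spoolsv
        Status = $sig.Status                      # 'Valid' on a clean system
        Signer = $sig.SignerCertificate.Subject
    }
}

function Get-SuspectPortActivity {
    # 135/139/445 are normally open on Windows (RPC, NetBIOS, SMB) and 137/138 are UDP, so the
    # useful signal is the owning process, not the mere presence of a listener: expect
    # svchost.exe or System, not an unfamiliar binary.
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Indicators.Ports -contains $_.LocalPort } |
        ForEach-Object { [pscustomobject]@{ Proto = 'TCP'; Port = $_.LocalPort; ProcessId = $_.OwningProcess } }
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $Indicators.Ports -contains $_.LocalPort } |
        ForEach-Object { [pscustomobject]@{ Proto = 'UDP'; Port = $_.LocalPort; ProcessId = $_.OwningProcess } }
    foreach ($entry in @($tcp) + @($udp)) {
        $proc = Get-Process -Id $entry.ProcessId -ErrorAction SilentlyContinue
        $entry | Add-Member -NotePropertyName Process -NotePropertyValue $proc.ProcessName -PassThru
    }
}

# Run the whole audit and print it as tables.
Write-Host '== Registry indicators ==';  Test-RegistryIndicators   | Format-Table -AutoSize
Write-Host '== File indicators ==';      Test-FileIndicators       | Format-Table -AutoSize
Write-Host '== spoolsv.exe signature =='; Get-SpoolerBinaryStatus  | Format-List
Write-Host '== Listeners on 135-139/445 =='; Get-SuspectPortActivity | Sort-Object Proto, Port | Format-Table -AutoSize
```

A clean host shows every indicator as `Present = False`, `Status = Valid` for spoolsv.exe with a Microsoft signer, and only `svchost` or `System` owning the listed ports. If the LEGACY_* keys do turn up, the `Owner` column explains the "cannot delete even in Safe Mode" observation: removal needs the key's ACL changed (or the service unregistered) before the key will go, which is a cleanup step to take deliberately rather than from this script.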