Title: PERSONAL COMPUTER SECURITY
Notice: SWEEP servers Note 5; more info on www-is-security.mso.dec.com
Moderator: BSS::BOREN
Created: Wed Jan 02 1991
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 504
Total number of notes: 2905
498.0. "homerum.wav Trojan Horse - deltree c:*.* !!!" by FIREBL::LEEDS (From VAXinated to Alphaholic) Mon Apr 28 1997 18:58
My son downloaded a file to my home PC, which has the same destructive
effect as the AOL4FREE virus - it issues a "deltree /y c:\*.*" !!!!
The file was disguised as a "wav" file called "homerum.wav".
If you look at the file properties, it says it's a wav file, but the
details tab, where it normally shows media length and audio format said that
the file had a corrupt format.
If you type the file from DOS, after all the garbage, you can see the
deltree command near the end of the file.
When we double-clicked on it, instead of bringing up the sound player and
playing the wav sound, it pops up a window that issues a message that says
something about "installing", then it issues the "deltree /y c:\*.*" which
obviously wipes out the C drive.
After I recovered, I ran 4 different virus checkers against the file
(Norton, Sweep, F-PROT and Dr. Solomon), none of them identified this file
as containing a virus, Trojan Horse, etc....
The file actually came zipped, with a VBRUN300.DLL that unpacked into the
same directory - I suspect somehow it used the VBRUN to make W95 run it as a
program instead of treating it like a real wav file.
How do we protect against this in the future ??
Arlan
498.1 "Dangerous Environment" by MINOTR::BANCROFT, Mon May 05 1997 09:39 (17 lines)
As you state, this is a Trojan Horse, not a virus. It does not replicate
(spread by itself) the way a virus does.
The WAV form of file is not normally checked. You can set your checker
to check all file formats, but there is no assurance that any checker
looks for the DELTREE string. That would prevent anyone from ever
writing or filing a .TXT, .DOC, or whatever file with that in it (like
a copy of your NOTE). I am still trying to understand how the code in
the WAV file got executed. Any suggestions? I thought the contents of
a WAV file were used as data by the sound software.
This is one of the "Buyer beware" situations where we cannot reasonably
supply an automated solution. Obtaining ANYTHING which you execute on
your system, has a built in danger. You must either know and trust the
source, or be in danger.
The "bad guys" will always have the advantage here.
498.2 by CANDOO::GRIEB, Tue May 06 1997 12:22 (21 lines)
> ..... I am still trying to understand how the code in
> the WAV file got executed. Any suggestions? I thought the contents of
> a WAV file were used as data by the sound software.
Go to a command prompt
Take any image that will do something dull like printf("hello")
rename the .exe to xxx.wav
type 'xxx.wav' at the command prompt
[The image will run]
This implies to me that the CreateProcess() call just tries to run
ANY file it is given and that it is up to the "program launcher" (WINFILE,
Explorer, etc) to do any "associations" with a particular app. This means
that depending on what "program launch" mechanism is used <<ANY>> file
can be "run" (as in the above example where the command process is used
as a "program launcher").
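The checks that .0 did by hand (the property sheet reporting a corrupt format, typing the file and seeing the deltree string near the end) and the point made in .2 (the launcher does not care what the extension claims) both come down to one defensive rule: verify a file by its contents, not its name. The script below is an added example, not code from this conference or from any Digital or vendor tool. It parses the RIFF/WAVE structure a real .wav must have, flags the MZ signature that a DOS or Windows executable starts with, and searches the bytes for the deltree string; the two sample files are constructed inline, and the fake one is just an MZ header followed by a text string, not a runnable program.

```python
"""Content-based check for files that claim to be .wav (added example).

A genuine WAV file is a RIFF container: 'RIFF' <u32 size> 'WAVE' followed by
chunks, at least a 'fmt ' chunk and a 'data' chunk.  A DOS/Windows executable
starts with 'MZ'.  classify_wav() reports which of the two a file looks like
and whether it carries the deltree command string seen in note 498.0.
"""
import struct

# Strings that have no business inside audio data.  The only one on this page
# is the deltree command; a real deployment would extend this list.
SUSPICIOUS_STRINGS = (b"deltree",)


def build_wav(samples: bytes, sample_rate: int = 8000) -> bytes:
    """Build a minimal valid 8-bit mono PCM WAV file (constructed test data)."""
    fmt_chunk = b"fmt " + struct.pack(
        "<IHHIIHH",
        16,            # fmt chunk payload length
        1,             # PCM
        1,             # channels
        sample_rate,
        sample_rate,   # byte rate = sample_rate * channels * 1 byte
        1,             # block align
        8,             # bits per sample
    )
    data_chunk = b"data" + struct.pack("<I", len(samples)) + samples
    body = b"WAVE" + fmt_chunk + data_chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def classify_wav(data: bytes) -> dict:
    """Return a verdict dict: valid_wav, executable_header, suspicious, notes."""
    verdict = {"valid_wav": False, "executable_header": False,
               "suspicious": [], "notes": []}

    # An executable image announces itself in its first two bytes.
    if data[:2] == b"MZ":
        verdict["executable_header"] = True
        verdict["notes"].append("starts with MZ (DOS/Windows executable) signature")

    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        declared = struct.unpack("<I", data[4:8])[0]
        if declared + 8 != len(data):
            verdict["notes"].append(
                f"RIFF size field {declared} does not match file length {len(data)}")
        else:
            # Walk the chunk list; each chunk is id(4) + len(4) + payload,
            # padded to an even length.
            pos, chunks = 12, {}
            while pos + 8 <= len(data):
                chunk_id = data[pos:pos + 4]
                chunk_len = struct.unpack("<I", data[pos + 4:pos + 8])[0]
                chunks[chunk_id] = chunk_len
                pos += 8 + chunk_len + (chunk_len & 1)
            if b"fmt " in chunks and b"data" in chunks and pos == len(data):
                verdict["valid_wav"] = True
            else:
                verdict["notes"].append(
                    "RIFF header present but chunk layout is malformed")
    else:
        verdict["notes"].append("no RIFF/WAVE header")

    # The deltree string was visible near the end of the file when typed at
    # a DOS prompt; look for it anywhere, case-insensitively.
    lowered = data.lower()
    for needle in SUSPICIOUS_STRINGS:
        if needle in lowered:
            verdict["suspicious"].append(needle.decode())
    return verdict


# Constructed samples: a real 32-sample WAV, and a fake with an MZ header,
# an "installing" message and the deltree command as plain text.
GOOD_WAV = build_wav(bytes(range(128, 136)) * 4)
FAKE_WAV = (b"MZ" + b"\x00" * 62
            + b"Installing...\x00deltree /y c:\\*.*\x00")

if __name__ == "__main__":
    for name, blob in (("good.wav", GOOD_WAV), ("homerum.wav", FAKE_WAV)):
        print(name, classify_wav(blob))
```

The size-field comparison is deliberately strict; some legitimate encoders leave trailing bytes after the last chunk, so in practice a mismatch should raise the file's priority for a closer look rather than condemn it outright. The MZ signature and the command string, on the other hand, have no legitimate reason to be in a sound file at all.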
498.3 by TARKIN::LIN (Bill Lin), Wed May 07 1997 03:26 (32 lines)
re: .2 by CANDOO::GRIEB
Hi Terry,
> Go to a command prompt
> Take any image that will do something dull like printf("hello")
> rename the .exe to xxx.wav
> type 'xxx.wav' at the command prompt
>
> [The image will run]
I tried the above sequence on a typical Windows 95 machine's command
prompt using a valid executable file (pkz204g.exe) and renaming it to a
.WAV extension. I got the following error message:
Bad command or file name
It still looks like an unnatural act to try to execute a wav file
directly. I understand the possibility to use associations and program
launchers to get anything to "run" but that is almost always in
association with a different application that does the executing and
the launched object that becomes data for the application. To get .wav
to execute directly, it would have to be consciously changed to
something the operating system recognises as an executable type file
such as .exe and .com.
What kind of environment do you have that will accept 'xxx.wav' at the
command prompt?
Cheers,
Bill
498.4 "NT'll run it independent of extension" by SMURF::PBECK (Paul Beck), Wed May 07 1997 14:42 (5 lines)
I just tried it at the NT command prompt with an innocuous DOS-mode EXE
file, copying the file to xxx.wav ... it ran when I specified xxx.wav as
a command at the C> prompt.
Don't have a W95 system handy to try.
498.5 by TARKIN::LIN (Bill Lin), Wed May 07 1997 15:13 (6 lines)
re: .4 by SMURF::PBECK
Hey, cool! You're right. I hadn't bothered to try it on NT and yes
indeed it did do what you've all been saying...
Bill