Information to Help Track Down Infections From WGAREG.EXE
From Andreas' analysis:
[1] The exploit might also have entered using some java "hole", since I found a trace in ..\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\ext\ with a handful of highly suspicious .jar and .zip files.
[3] C:\WINNT\Debug contained a file named dcpromo.log.
[4] Found malicious registry keys in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAREG
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAVM
YOU CANNOT EVEN DELETE THOSE IN SAFE MODE!
See information below for a method to remove these keys.
[5] NOD32v2.......1.1704/20060811....found [a variant of Win32/IRCBot.OO]
[6] The malicious program disguised as a .jpg in C:\Documents and Settings\Default User\Temporary Internet Files\Content.IE5\<some random folder>.
Cuebot-K is believed to be spreading through AIM or AOL, neither of which he has installed.
Updated
Again Andreas has provided us with some terrific information. He has figured out how to remove the registry keys. Here is his information.
1. Use REGEDT32, *not* regedit!
2. Check the current real time. Suppose it's 16:30.
3. In DOS prompt:
at 16:31 /interactive regedt32.exe
This will - after 1 minute - open regedt32.exe with SYSTEM rights!!! (yes there is something _more_ powerful than an Administrator in Windows). And automagically - the keys can be violently deleted.
As an alternative, you can open the registry editor with "administrator" rights and then give yourself "full control" on the registry key in question. By default, the keys under CurrentControlSet\Enum are accessible only to the all-powerful SYSTEM user, but this is for good reason. Delete or change the wrong key under \Enum, and your Windows installation will turn into an inert heap of bytes. So tread carefully!
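As an added example (not from the diary or from Andreas), here is a read-only PowerShell triage function that checks a host for the artifacts listed in [1], [3], [4] and [6], plus a helper that prints the `at` command for the next minute so the clock arithmetic is done for you. It assumes Windows PowerShell 5.1 and a 2000/XP-era profile layout (C:\Documents and Settings); on Vista and later the /interactive switch no longer produces a visible window because of Session 0 isolation, so the regedt32 trick as written only applies to those older systems.

```powershell
# Added triage example (not from the diary): read-only checks for the WGAREG artifacts above.
function Test-WgaregArtifacts {
    param(
        # Windows directory (the diary's host used C:\WINNT); defaults to this host's
        [string]$WinDir = $env:SystemRoot,
        # Profile root on a 2000/XP-era host; assumption, adjust for C:\Users layouts
        [string]$ProfilesDir = 'C:\Documents and Settings'
    )
    $findings = @()

    # [4] Enum\Root keys left by the bot's service registration (not deletable as Administrator)
    foreach ($name in 'LEGACY_WGAREG', 'LEGACY_WGAVM') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\$name"
        if (Test-Path -LiteralPath $key) { $findings += "Registry key present: $key" }
    }

    # [3] dcpromo.log in the Debug directory
    $log = Join-Path $WinDir 'Debug\dcpromo.log'
    if (Test-Path -LiteralPath $log) { $findings += "File present: $log" }

    # [1] .jar/.zip archives in the Java deployment ext cache of every profile
    $cacheRel = 'Application Data\Sun\Java\Deployment\cache\javapi\v1.0\ext'
    foreach ($userDir in Get-ChildItem -LiteralPath $ProfilesDir -Directory -Force -ErrorAction SilentlyContinue) {
        $ext = Join-Path $userDir.FullName $cacheRel
        foreach ($f in Get-ChildItem -LiteralPath $ext -File -Force -ErrorAction SilentlyContinue) {
            if ($f.Extension -in '.jar', '.zip') { $findings += "Java cache archive: $($f.FullName)" }
        }
    }

    # [6] executable disguised as .jpg in the Default User IE cache: a JPEG starts FF D8, a PE file 'MZ' (4D 5A)
    $ieCache = Join-Path $ProfilesDir 'Default User\Temporary Internet Files\Content.IE5'
    foreach ($f in Get-ChildItem -LiteralPath $ieCache -Recurse -File -Force -Filter *.jpg -ErrorAction SilentlyContinue) {
        $hdr = Get-Content -LiteralPath $f.FullName -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
        if ($hdr.Count -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A) {
            $findings += "Executable disguised as .jpg: $($f.FullName)"
        }
    }
    return $findings
}

# The diary's removal trick with the time filled in: the AT service runs the job as
# SYSTEM, which is what lets regedt32 delete the Enum\Root keys.
function Get-SystemRegedt32Command {
    $when = (Get-Date).AddMinutes(1).ToString('HH:mm')
    return "at $when /interactive regedt32.exe"
}

Test-WgaregArtifacts | ForEach-Object { Write-Output "FOUND: $_" }
Write-Output "To open regedt32 as SYSTEM: $(Get-SystemRegedt32Command)"
```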