PaulDotCom mailing list archives

Re: Incident Response
From: Josh Little <josh () zombietango com>
Date: Thu, 01 Jul 2010 11:21:02 -0400

On 7/1/2010 9:58 AM, Craig Freyman wrote:
Not a false positive. Someone used a nasty USB drive that had an
autorun virus on it. The autorun.inf had this in it:

l~-??A?<K??#?Ê??ed?ª?üXÜ??ÁüFl?æ?eëX?r?:M?à???Ñ?çs?Ç?Oü?EF??ëÓ??ÚÞÊN?d=?ú??[Y?????mÈm!Ã???çñvè?y?Êv_????É-/?Is?ù?,[
[autorun
;e???V
open=trikfx/spomenar.exe
;Þm÷?Ç
icon=%SystemRoot%\system32\SHELL32.dll,4
;X]doÝ??a
action=Open folder to view files using Windows Explorer
;?ëë$???µ]
shell\\open\\\command=trikfx/spomenar.exe
;Là?ÿÜ??Üü`ásáµ????Dþ?é'?µ??rm?ò?
shell\\explore\\command=trikfx/spomenar.exe
;??àg'æë?
useautoplay=1

VirusTotal for this file:
 http://www.virustotal.com/analisis/e22b8e9b4fbdb876904373e647306a3f0a8d2c5bbb50e708a87464c83c962dba-1277992532


So did your AV product block the AR script at runtime? If it did, you
will then need to verify that the exe did not run on the machine at any
time prior. Check things like the various Run and RunOnce keys in the
registry, the Windows Prefetch directory, etc. to see if any trace of
the named exe (spomenar.exe) exists, or even something similar. You may
also want to insert the drive into a Linux or Mac box (some system where
the exe won't run or be pulled automatically by AV from the drive) and
offload a copy of the exe. Since you have a VT report, you probably have
already done this. Submit that exe to someplace like Anubis, CWSandbox,
or ThreatExpert. See what these reports say about the immediate
activities of the binary after launch. You can then compare this
behavior to that seen in the historical record for the machine in
question. If the binary makes network calls at launch, see if the
machine in question has made the same or similar calls in the past. If
you don't have something like Netflow in place, you could even try
looking in your DNS server's cache to see if a record exists if the
binary makes a call to a hostname instead of an IP.

Hope that helps.

Josh Little
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
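The triage Josh describes (read the autorun.inf, work out which executable it launches, then look for that name in the Run/RunOnce keys and the Prefetch directory) as a worked example. This is an added illustration, not code from the thread or from either poster. The autorun.inf text, the registry value data and the Prefetch file names below are all constructed samples modelled on the quoted file; on a real case you would feed in the file pulled from the drive and the values and directory listing exported from the machine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the autorun.inf quoted in the thread:
# junk bytes before the section header and in ';' comment lines, commands
# pointing at an executable on the drive, one key with the doubled
# backslashes seen in the mail, and useautoplay=1.
SAMPLE_AUTORUN = (
    "\x02l~\x7f??A\x01[\n"
    "[autorun\n"
    ";e???V\n"
    "open=trikfx/spomenar.exe\n"
    ";Þm÷?Ç\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
    "action=Open folder to view files using Windows Explorer\n"
    "shell\\open\\command=trikfx/spomenar.exe\n"
    "shell\\\\explore\\\\command=trikfx/spomenar.exe\n"
    "useautoplay=1\n"
)

# Keys whose value is a command that AutoRun/AutoPlay may execute.
COMMAND_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Tolerant key=value parser for autorun.inf.

    Comment lines (';') and lines that are not key=value (junk bytes) are
    skipped. A line starting with '[' is treated as a section header even
    when the closing bracket is missing, as in the quoted file. Keys are
    lower-cased and runs of backslashes collapsed, so the mail-escaped
    'shell\\\\open\\\\command' matches 'shell\\open\\command'.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line[1:].strip("]").strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\\+", r"\\", key.strip().lower())
        entries[key] = value.strip()
    return entries


def autorun_findings(entries: Dict[str, str]) -> List[str]:
    """Human-readable reasons this autorun.inf is worth a closer look."""
    findings = []
    for key in COMMAND_KEYS:
        value = entries.get(key)
        if value and EXEC_EXT.search(value):
            findings.append(f"{key} launches {value}")
    if entries.get("useautoplay") == "1":
        findings.append("useautoplay=1 requests automatic launch")
    return findings


def launched_executables(entries: Dict[str, str]) -> List[str]:
    """Base names (lower-cased) of every executable the file would launch."""
    names = set()
    for key in COMMAND_KEYS:
        value = entries.get(key)
        if value:
            names.add(re.split(r"[\\/]", value)[-1].lower())
    return sorted(names)


# Constructed host artefacts standing in for what you would export from the
# machine: Run/RunOnce value data and a Prefetch directory listing.
# Prefetch names follow the NAME.EXE-<hash>.pf pattern; the hashes are made up.
SAMPLE_RUN_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon":
        r"C:\Windows\system32\ctfmon.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\upd":
        r"C:\Users\user\AppData\Local\Temp\spomenar.exe",
}
SAMPLE_PREFETCH = ["CTFMON.EXE-0F5B2C6A.pf", "SPOMENAR.EXE-3C1D9E77.pf", "EXPLORER.EXE-A2B41E7D.pf"]


def host_traces(exe_names: List[str], run_values: Dict[str, str],
                prefetch_files: List[str]) -> List[Tuple[str, str, str]]:
    """Run/RunOnce values and Prefetch files that reference one of exe_names."""
    hits = []
    for name in exe_names:
        for path, data in run_values.items():
            if name in data.lower():
                hits.append(("registry", path, data))
        for pf in prefetch_files:
            if pf.lower().startswith(name + "-"):
                hits.append(("prefetch", pf, ""))
    return hits


if __name__ == "__main__":
    entries = parse_autorun(SAMPLE_AUTORUN)
    for finding in autorun_findings(entries):
        print("autorun:", finding)
    names = launched_executables(entries)
    for kind, where, data in host_traces(names, SAMPLE_RUN_VALUES, SAMPLE_PREFETCH):
        print(f"{kind}: {where} {data}".rstrip())
```

A Prefetch hit means the binary was actually executed on that host at some point, while a Run/RunOnce hit only shows it was set to start; either one is the "ran before the AV caught it" evidence Josh says to look for, and the names list is what you would carry over to the sandbox report comparison.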

