Sysinternals Forums: Windows Discussions > Malware

Trojans using forbidden file names

EP_X0FF (Senior Member, Russian Federation, joined 08 March 2006, 4753 posts) posted 14 February 2008 at 7:57am:
Thank you D4v3 for sharing this info.
Ring0 - the source of inspiration

D4v3 (Newbie, Mexico, joined 18 December 2007, 6 posts) posted 14 February 2008 at 4:02am:
Here is a VBS to remove this kind of pest, mainly found on USB pen drives =)

The description of the virus and the complete infection method (check system), Spanish to English translation

Edited by D4v3 - 14 February 2008 at 11:43am

D4v3 (Newbie, Mexico, joined 18 December 2007, 6 posts) posted 13 February 2008 at 11:04pm:
Originally posted by EP_X0FF

For example some USB flash trojan creates a runauto.. directory and places itself inside. Such a directory will be inaccessible for Explorer and for some AVs. Or the trojan names its files "lpt1", "com", "con".

If you have something like this, please send me a PM :)
Thank you.
 
autorun.small (exe and source code included) sent; check your PMs, hope it helps.

EP_X0FF (Senior Member, Russian Federation, joined 08 March 2006, 4753 posts) posted 13 February 2008 at 4:24pm:
Yes, it is for Win9x-era compatibility reasons.
Ring0 - the source of inspiration

SystemPro (Senior Member, Germany, joined 26 April 2007, 504 posts) posted 13 February 2008 at 4:07pm:
Nice 7.tmp moved to windir temp
Originally posted by EP_X0FF

On my 64-bit Vista Ultimate I am still able to crash/confuse the Windows Shell by using long file names, forbidden names, etc. Nothing new in the Shell directory listing / file access algorithms. More to say: an NTFS hard link causes unnecessary shell warnings (e.g. try to open the Documents and Settings folder on Vista with Explorer).

Forbidden file names such as "lpt", "con", "com" and folder names "..", "." are a 16-bit legacy and exist, as I understand, for compatibility reasons. Internally Windows is able to operate with such file system objects through Native API routines and in some cases UNC.

All trojans can work in the same manner as on Windows XP, for example. And AFAIK XP SP3 doesn't contain these shell changes so necessary for security.

The same is valid for SP2? So hell gates remain because of compatibility reasons.

fcukdat (Senior Member, United Kingdom, joined 02 September 2006, 374 posts) posted 13 February 2008 at 11:42am:
EP,

I have many working samples (droppers) that install the Gromozon RK infection, which incorporates the EFS service file.

Just to make sure I got gromozoned to the eyeballs again

Dropper>>>

Amongst other nasty Gromozon infection components it drops this 'lil beauty
HJT Entry-
O23 - Service: LogPrf - Unknown owner - \\?\C:\Program Files\Windows NT\aux.exe (file missing)

Space inserted in the file title when copied using IceSword in order to facilitate uploading to the VT service

Gromozon had landed and is about to get expunged


Edited by fcukdat - 13 February 2008 at 12:14pm
___________
Ade Gill
Malwarebytes Researcher

EP_X0FF (Senior Member, Russian Federation, joined 08 March 2006, 4753 posts) posted 13 February 2008 at 3:46am:
Originally posted by SystemPro

And what happens in 64-bit?


On my 64-bit Vista Ultimate I am still able to crash/confuse the Windows Shell by using long file names, forbidden names, etc. Nothing new in the Shell directory listing / file access algorithms. More to say: an NTFS hard link causes unnecessary shell warnings (e.g. try to open the Documents and Settings folder on Vista with Explorer).

Forbidden file names such as "lpt", "con", "com" and folder names "..", "." are a 16-bit legacy and exist, as I understand, for compatibility reasons. Internally Windows is able to operate with such file system objects through Native API routines and in some cases UNC.

All trojans can work in the same manner as on Windows XP, for example. And AFAIK XP SP3 doesn't contain these shell changes so necessary for security.
Ring0 - the source of inspiration
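A worked example of the mechanism EP_X0FF describes above, added here and not part of the thread (it also does the job D4v3's VBS cleaner, which the page does not reproduce, is meant to do): the Win32 path parser refuses reserved device names and silently trims trailing dots and spaces, so Explorer and most Win32 tools cannot open "aux.exe" or "runauto..", while the very same entries are reachable through the \\?\ prefix that hands the path to the file system untouched (the HJT line in fcukdat's post shows a service pointed at exactly such a path). The Python below is an added example, not code from any tool named in the thread; it assumes Python 3, that the removal step runs on Windows, and the sample tree it builds is constructed, not a real infection.

```python
r"""Find, and optionally delete, file-system entries whose names the Win32
path layer cannot address: reserved DOS device names (CON, AUX, LPT1, ...)
and names with trailing dots or spaces such as "runauto..".
Added example, not from the thread; the name checks run anywhere, the
removal path needs the \\?\ prefix and therefore Windows."""
import os
import shutil
import sys
import tempfile
from typing import List, Optional, Tuple

# Reserved names per the Win32 "Naming Files, Paths, and Namespaces" rules,
# checked on the name with its extension removed: "aux.exe" is as
# unreachable as "aux".
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)


def win32_unreachable_reason(name: str) -> Optional[str]:
    r"""Why Explorer (CreateFileW without \\?\) cannot open `name`; None if ordinary."""
    if name in (".", ".."):
        return "dot-directory name"
    # The Win32 parser trims trailing dots and spaces, so "runauto.." is
    # looked up as "runauto" and never found.
    if name != name.rstrip(". "):
        return "trailing dot or space"
    stem = name.split(".", 1)[0].rstrip(" ").upper()
    if stem in RESERVED_DEVICE_NAMES:
        return f"reserved device name {stem}"
    return None


def to_extended_path(abs_path: str) -> str:
    r"""Prefix an absolute path with \\?\ so it reaches the file system without
    device-name checks or trailing-dot trimming; UNC becomes \\?\UNC\server\share\..."""
    if abs_path.startswith("\\\\?\\"):
        return abs_path
    if abs_path.startswith("\\\\"):
        return "\\\\?\\UNC\\" + abs_path[2:]
    return "\\\\?\\" + abs_path


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for every entry under `root` that Win32 cannot
    address. FindFirstFileW does enumerate such names, which is why Explorer
    lists them but cannot open them."""
    root = os.path.abspath(root)  # the root itself is an ordinary name
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reason = win32_unreachable_reason(name)
            if reason:
                # Joined by hand, never through abspath: GetFullPathNameW would
                # trim the trailing dots and yield a path that does not exist.
                hits.append((os.path.join(dirpath, name), reason))
        # Never descend into an unreachable directory; it is removed whole.
        dirnames[:] = [d for d in dirnames if not win32_unreachable_reason(d)]
    return hits


def remove_entry(abs_path: str) -> None:
    r"""Delete one hit via the \\?\ namespace (Windows only): os.remove and
    shutil.rmtree end in DeleteFileW / RemoveDirectoryW, which pass a
    prefixed path to NTFS unchanged."""
    if sys.platform != "win32":
        raise OSError("the \\\\?\\ prefix is only meaningful on Windows")
    ext = to_extended_path(abs_path)
    if os.path.isdir(ext):
        shutil.rmtree(ext)
    else:
        os.remove(ext)


def build_sample_tree(base: str) -> None:
    r"""Constructed sample (not a real infection) for an offline run. On Windows
    the entries must be created through \\?\, the same trick the droppers use."""
    prefix = to_extended_path(base) if sys.platform == "win32" else base
    os.mkdir(os.path.join(prefix, "runauto.."))
    for fname in ("aux.exe", "autorun.inf"):
        open(os.path.join(prefix, fname), "w").close()


def demo() -> List[Tuple[str, str]]:
    """Build the sample in a temp dir, scan it, clean up, return (name, reason) hits."""
    base = tempfile.mkdtemp(prefix="forbidden-names-")
    try:
        build_sample_tree(base)
        return sorted((os.path.basename(p), r) for p, r in scan_tree(base))
    finally:
        # On Windows the tree can only be deleted through the prefixed path.
        shutil.rmtree(to_extended_path(base) if sys.platform == "win32" else base)


if __name__ == "__main__":
    targets = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, reason in targets:
        print(f"{reason}: {path}")
        if "--delete" in sys.argv[2:]:
            remove_entry(path)
```

Saved as, say, forbidden_names.py (the file name is an assumption), `python forbidden_names.py E:\` lists the hits on a pen drive and `--delete` removes them; with no arguments it builds the constructed sample in a temp directory and scans that. The hit paths are joined by hand rather than passed through os.path.abspath because ntpath.abspath calls GetFullPathNameW, which applies the same trailing-dot trimming as the rest of Win32 and would turn "runauto.." into a path that does not exist.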

Elite (Senior Member, United States, joined 15 April 2007, 175 posts) posted 13 February 2008 at 2:04am:
Originally posted by SystemPro

This is not a bug. These are limitations of the Win32 API. I can tell that such things will work even on Vista with SP1.
And what happens in 64-bit?


Probably the same thing.
4 > 1

SystemPro (Senior Member, Germany, joined 26 April 2007, 504 posts) posted 13 February 2008 at 1:48am:
This is not a bug. These are limitations of the Win32 API. I can tell that such things will work even on Vista with SP1.
And what happens in 64-bit?

EP_X0FF (Senior Member, Russian Federation, joined 08 March 2006, 4753 posts) posted 13 February 2008 at 1:38am:
@SystemPro
I also wonder why Microsoft is not able to fix this bug to force companies to use legal methods.

This is not a bug. These are limitations of the Win32 API. I can tell that such things will work even on Vista with SP1.

@fcukdat
Yes, Gromozon was one of such trojans; if you have "alive" samples it would be very good if you could share them with me.

@Elite
And additionally SecuROM creates a registry key with embedded nulls under HKCU\Software\SecuROM.


Edited by EP_X0FF - 13 February 2008 at 1:40am
Ring0 - the source of inspiration