Rbot Registry Keys

GovernmentSecurity.org > System Security > Windows Systems

kbnet

Aug 1 2005, 02:58 PM

Here is an example of a registry key which is set by Rbots.

HKCU\Software\Microsoft\OLE\Microsoft Update 32 = "<filename>"

Now this is not one of the common registry runkeys, so when does the file actually get executed?

iam

Aug 1 2005, 03:05 PM

QUOTE(kbnet @ Aug 1 2005, 03:58 PM)

At a complete guess, when you run Windows Update or perhaps when Auto Updates go to work?

kbnet

Aug 1 2005, 03:11 PM

HKCU\Software\Microsoft\OLE\<any string value>\<data>

Its not specific to windows update, i just meant that as an example. That is just a generated string value. Cheers tho.

iam

Aug 1 2005, 03:15 PM

QUOTE(kbnet @ Aug 1 2005, 04:11 PM)

HKCU\Software\Microsoft\OLE\<any string value>\<data>

Its not specific to windows update. That is just a generated string value. Cheers tho.

So do you know yourself?

I could hazard at another guess, but I think I'll leave it for somebody who actually knows

kbnet

Aug 1 2005, 03:23 PM

QUOTE

So do you know yourself?

If i knew i wudnt b asking. Is any1 able to tell me for sure? Google aint much help with this one.

kbnet

Aug 1 2005, 03:43 PM

Ok, heres some more details:

http://msdn.microsoft.com/library/default....0a490390426.asp

As can be seen there are default named values. But it doesnt mention anything about putting in your own keys and getting files to execute. Has this key be used incorrectly
by the author of the Rbot in belief that it actually executes?

cowsonfire

Aug 1 2005, 01:29 PM

that key was in rbot to disable dcom (the EnableDCOM setting) as part of the secure function, some idiot that got ahold of the bot probably didnt know what he was doing and thought it was another autostart key

kbnet

Aug 1 2005, 01:34 PM

Yeah, ive been looking for info for a bit now and I cant see any reason why someone would set a key like it. I just found it strange because it has also set the "EnableDCOM" to 'N'. Like u say tho, it probably is someone who hasnt got a clue what they are doing, certainly makes the most sense as i cant find any other answer to why this would be done unless it was to be used as an infection marker (again would be a strange thing to do tho as it would not be very subtle but its a possibility).
Cheers.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.


Help - Search - Member List - Calendar Full Version: Rbot Registry Keys GovernmentSecurity.org > System Security > Windows Systems kbnet Aug 1 2005, 02:58 PM Here is an example of a registry key which is set by Rbots. HKCU\Software\Microsoft\OLE\Microsoft Update 32 = "<filename>" Now this is not one of the common registry runkeys, so when does the file actually get executed? iam Aug 1 2005, 03:05 PM QUOTE(kbnet @ Aug 1 2005, 03:58 PM) Here is an example of a registry key which is set by Rbots. HKCU\Software\Microsoft\OLE\Microsoft Update 32 = "<filename>" Now this is not one of the common registry runkeys, so when does the file actually get executed? At a complete guess, when you run Windows Update or perhaps when Auto Updates go to work? kbnet Aug 1 2005, 03:11 PM HKCU\Software\Microsoft\OLE\<any string value>\<data> Its not specific to windows update, i just meant that as an example. That is just a generated string value. Cheers tho. iam Aug 1 2005, 03:15 PM QUOTE(kbnet @ Aug 1 2005, 04:11 PM) HKCU\Software\Microsoft\OLE\<any string value>\<data> Its not specific to windows update. That is just a generated string value. Cheers tho. So do you know yourself? I could hazard at another guess, but I think I'll leave it for somebody who actually knows kbnet Aug 1 2005, 03:23 PM QUOTE So do you know yourself? If i knew i wudnt b asking. Is any1 able to tell me for sure? Google aint much help with this one. kbnet Aug 1 2005, 03:43 PM Ok, heres some more details: http://msdn.microsoft.com/library/default....0a490390426.asp As can be seen there are default named values. But it doesnt mention anything about putting in your own keys and getting files to execute. Has this key be used incorrectly by the author of the Rbot in belief that it actually executes? cowsonfire Aug 1 2005, 01:29 PM that key was in rbot to disable dcom (the EnableDCOM setting) as part of the secure function, some idiot that got ahold of the bot probably didnt know what he was doing and thought it was another autostart key kbnet Aug 1 2005, 01:34 PM Yeah, ive been looking for info for a bit now and I cant see any reason why someone would set a key like it. I just found it strange because it has also set the "EnableDCOM" to 'N'. Like u say tho, it probably is someone who hasnt got a clue what they are doing, certainly makes the most sense as i cant find any other answer to why this would be done unless it was to be used as an infection marker (again would be a strange thing to do tho as it would not be very subtle but its a possibility). Cheers. This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.