echo: alt-comp-anti-virus
to: ALL
from: DUSTIN
date: 2014-10-31 17:38:00
subject: Re: Who has caught a viru

B00ze/Empire wrote in
news:m313uv$88c$1@dont-email.me:

> Windows still ends up running something, be it a PE file or
> JavaScript, off the registry key. Some bug in the registry
> routines makes reading the key overwrite a return address or
> something? I'm afraid I'm not good enough to understand how that
> works (I program COBOL and did lots of Motorola assembler, but
> never coded on Windoze). To me it looks like Windoze really has a
> way to execute registry keys, I mean as a feature...

It's running a PE file when it decodes into memory, and instead of
asking the API to parse a header like it would on disk, it's pointing
to the memory location instead. Nobody has ever said you couldn't pass
control to something you loaded into memory. *hehehe*
 
>> Now, they don't have any choice in the matter. They can't deny
>> it's possible anymore. Someone had enough of their bull####. They
>> wrote and released a demonstration of it. This is one of those
>> cases where full disclosure is being used, because other methods
>> of making this issue known had failed. Full disclosure being a
>> viable, ITW sample; demonstrating that it works.
> 
> Watch them, they will wait until Windoze 12 to fix it. Microsoft
> is really slow sometimes...

I don't see any easy fix per se. But they could fix regedit so that
it can handle null and extended ASCII registry entries. That would be
very useful.
 
>> Good thing this particular sample isn't actually viral and is
>> only trying to steal some time from your browser. It could have
>> been written to do some serious damage and know, at least for a
>> while, no automated AV/AM tool would be hunting for it. As it is,
>> any AV/AM tool that can scan for it HAS BEEN RETOOLED to do it.
>> I.e., additional code was added to their engines, not just a
>> definitions update, in order for them to detect and deal with
>> this.
> 
> Good to know; thanks to you guys for having spread the word!

I'm retired Vx. :) This neat registry malware sample isn't my work.
 
> Found this: http://www.securiteam.com/securitynews/2CUQFS0S0S.html
> Pretty good for a 6k program! I suspect long hours coding...

Ayep. One minor thing though, it's not written in Pascal. [g]
 
> Even reputable AV companies do this today. There was this study 
> advertised here recently, where one guy found that installing an 
> AntiVirus actually increased the attack surface of your PC because
> lots of AV have flaws in their designs. He says several companies,
> including one I recall, Kaspersky, just ignored him.

hehehehe... he has a point.
 
> Lol, indeed if all the program does is checksum files, especially
> if the checksums are stored in an easy to engineer format, then
> you extract the checksum routine and you can certify any files you
> want yourself. It's very hard to protect software. When I think
> about it I think the best way is to run several levels deep of
> crazy interpreters to hide the code. I'm not good enough at Math
> to think of anything else. Obfuscation is the best thing I know.

It's a cobbled together set of utilities actually. It uses multiple
methods to try and detect unknown malware. Its change-detection
technology relies on checksum-like files though. [g]
 

>> I didn't stop there though. I told him that his product would not
>> only fail to detect me or changes I might make, it'll fail to
>> remove me with his 'cure all' too. He wasn't saving enough
>> information about the file's original state and my virus was a
>> prepender, something his software was really ill-equipped to
>> handle. I went on to tell him that my virus could actually infect
>> his software and ride along it, infecting a machine as it pleased
>> and he would not only be a carrier, but he wouldn't be aware he
>> was carrying me. :-)
> 
> Lol!

Well, it's a prepender. It *HAS TO* restore the host, preferably to
the very byte, before it can execute it. :) So... it stands to reason
most self-checks/sanity checks are going to fail to find the changes,
as when they're put into use, the file has been restored to perfect
condition. [g]
 
> The first virus that hit me (on my Amiga) was VERY destructive, it
> proceeded deleting all the files on all disks, from newest to
> oldest. When I ran the file and the hard disks went full-busy for
> 3 minutes I knew something was wrong. "Viruses" have evolved so
> much since then... 

Well... sort of. What you're describing sounds like a trojan. :)
Viruses replicate. Detonating a payload on the first run, if the virus
contains one, is suicide for the virus. It wants to live. On your
machine(s), on your friends' machine(s), on your family's machine(s),
etc.
 
>> His program's self-check functions all failed to detect changes,
>> because my virus would clean itself from the host prior to
>> executing it, and put itself back when the host process(s) all
>> terminated. It was sitting in memory watching and waiting, like a
>> good little virus, minding its manners. [g]
>
> There might be ways to detect you've not been loaded with the
> system loader, I don't know enough about it to tell...

Ayep. One of my own fellow Vxers did it. They trapped my virus. As soon
as it restored the host and tried to launch it, they terminated me.
Voilà; self clean. [g] An AVer who posted to alt.comp.virus took
advantage of it too... lol, in a different way, but the result was the
same. They were both able to trick my virus into cleaning the file
being executed and not returning to it.
 


-- 
If you can read this, Thank a teacher.
If you're reading it in English, Thank a soldier!


--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
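The exchange above makes a detection point worth seeing in code: a prepender has to restore the host byte-for-byte before launching it, so any checksum self-check that runs from inside the host sees a clean file and passes, while a scan from outside the host process, against a baseline recorded when the file was known-good, still catches the modified file on disk. The following is an added example, not code from the original post and not anyone's real product; the file name `host.exe`, the `CLEAN_HOST` and `PREPENDED_HOST` byte strings and the baseline layout are all constructed for illustration.

```python
"""Added example (not from the original post): why an in-process checksum
self-check misses a prepender-style modification, and what an external file
baseline catches.  Every byte string below is constructed sample data."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a host program as originally shipped (clean).
CLEAN_HOST = b"MZ" + b"\x90" * 64 + b"HOST-PROGRAM-BODY" + b"\x00" * 32

# Constructed stand-in for the same file with foreign bytes prepended: the
# original content is intact, it just no longer starts at offset 0.
PREPENDED_HOST = b"STUB" + b"\xcc" * 48 + CLEAN_HOST


def build_baseline(files: dict) -> dict:
    """External baseline: size and hash per file, kept outside the files
    themselves (the information the post says the vendor was not saving)."""
    return {name: {"size": len(data), "sha256": sha256_hex(data)}
            for name, data in files.items()}


def in_process_self_check(bytes_on_disk_now: bytes, expected_sha256: str) -> bool:
    """A self-check inside the host hashes the file as it exists at the moment
    the host runs.  A prepender restores the host byte-for-byte before
    launching it, so at that moment this sees the clean bytes and passes."""
    return sha256_hex(bytes_on_disk_now) == expected_sha256


def external_integrity_check(baseline: dict, files_on_disk: dict) -> list:
    """Scan from outside the host process (e.g. while no host is running)
    and compare each file with its recorded baseline."""
    findings = []
    for name, rec in baseline.items():
        data = files_on_disk.get(name)
        if data is None:
            findings.append(f"{name}: missing")
            continue
        if len(data) != rec["size"]:
            findings.append(f"{name}: size {rec['size']} -> {len(data)}")
        if sha256_hex(data) != rec["sha256"]:
            findings.append(f"{name}: hash mismatch")
        # Prepender pattern: the file grew and the original content is still
        # present, verbatim, at the tail.
        extra = len(data) - rec["size"]
        if extra > 0 and sha256_hex(data[extra:]) == rec["sha256"]:
            findings.append(f"{name}: original content found at offset {extra}")
    return findings


def demo():
    """Return (self-check result while the host runs, external findings
    after the host has exited and the file is modified again)."""
    baseline = build_baseline({"host.exe": CLEAN_HOST})
    expected = baseline["host.exe"]["sha256"]
    # While the host runs the file has been restored: the self-check passes.
    passes_while_running = in_process_self_check(CLEAN_HOST, expected)
    # After the host terminates the file carries the prepended bytes again:
    # the external scan against the baseline flags it.
    findings = external_integrity_check(baseline, {"host.exe": PREPENDED_HOST})
    return passes_while_running, findings


if __name__ == "__main__":
    ok, found = demo()
    print("self-check while host runs:", "PASS" if ok else "FAIL")
    for line in found:
        print("external scan:", line)
```

The size check alone is enough to raise an alert here; the tail-hash check is the extra step that tells an analyst the original file is recoverable from the modified one, which is exactly the property the post says the vendor's "cure all" was not tracking.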

SOURCE: echomail via QWK@docsplace.org
