Nomen Posted August 4, 2014
According to this: http://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2014-080408-5614-99
Windows 9x/ME is vulnerable to this exploit. Under the registry RUN keys, an entry is created where the name of the target is composed of encrypted JavaScript as well as using "non-ASCII" characters (which renders the entry invisible when viewed using standard tools such as regedit). Would msconfig show such entries - even if it just lists them on a separate blank line with nothing printed on it? Can Win-9x/ME process JavaScript code present in the registry?
Something else that has been said of this malware: "The non-ASCII trick is a tool Microsoft uses to hide its source code from being copied, but the feature was later cracked."
So, how compatible is Win-9x in terms of operability with this method of storing and running "mal-code" from the registry?
submix8c Posted August 4, 2014
That article clearly indicates it runs PowerShell. http://en.wikipedia.org/wiki/Windows_PowerShell
PowerShell on a Win9x? Maybe that article is mistaken.
Tripredacus Posted August 5, 2014
Well, I wonder about the ability of using rundll32.exe to execute JavaScript via CMD. A PoC was posted on Facebook which apparently will open Calculator. However, if worried, test in a VM:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script>"+(new%20ActiveXObject("WScript.Shell")).Run("calc"))

If it does work, it would be possible to have a half-way installed virus on the system... presuming .NET Framework and PowerShell add-ons do not exist for Win9x.
M()zart Posted August 6, 2014
> presuming .NET Framework and Powershell add-ons do not exist for Win9x.
.NET Framework exists for Win9x up to .NET Framework 2.0 (without SPs).
MrJinje Posted August 6, 2014
I guess you could run PowerShell from the registry as base64 gzip encoded blobs via System.IO.MemoryStream. Maybe throw some encryption on top of that, rename the key with Unicode characters and we have a PowerShell-only version of this hack. Or am I missing something, is JavaScript really needed?
Tripredacus Posted August 6, 2014
I don't think it is. Whoever wrote this particular delivery method merely found that it is possible to execute JavaScript via rundll32.exe and used it as the infection vector. The run-down on the link shows it as such: after the JavaScript is executed (and minimum requirements are met), then the payload is delivered. That seems to be the only function of the JavaScript, and everything afterwards is handled with whatever the payload is and .NET and PowerShell. However, note the exploit uses mshtml to create an ActiveX object. If you were to disable ActiveX in IE, would this then fail, or are those things in Internet Options only used when iexplore.exe is running?
submix8c Posted August 6, 2014
Hey, I've got a great idea. We already know that .NET can be installed, so someone go ahead and install PowerShell in a Win98SE and see if it works. Wouldn't that settle the issue?
MrJinje Posted August 6, 2014 Share Posted August 6, 2014 (edited) Here is a more interesting read on the subject. http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/ EDIT: https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html Edited August 8, 2014 by MrJinje Link to comment Share on other sites More sharing options...
dencorso Posted August 6, 2014
> Hey, I've got a great idea. We already know that .NET can be installed, so someone go ahead and install Powershell in a Win98SE and see if it works. Wouldn't that settle the issue?
Sure. And I bet PowerShell 1.0 does not run in native 9x/ME. Perhaps it does run, sort of, under KernelEx, but even if it does, I doubt there's even one user with PowerShell installed in 9x/ME, or we'd already have heard about it here...
> Here is a more interesting read on the subject. http://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/
Good to see you here, Mr. Jinje! And, BTW, do y'all remember RegDelNull?
submix8c Posted August 6, 2014 Share Posted August 6, 2014 (edited) Thx, exactly my point! Maybe that article is mistaken. So Nomen, the answer is -no- don't worry about it as the article clearly states that in order to function it -needs- both .NET -and- Powershell even if the registry stuff works, downloading ?what? to install and run. IOW, it won't even work on 9X/ME OS. Symantec flys away on nonsense... Edited August 6, 2014 by submix8c Link to comment Share on other sites More sharing options...
Guest Posted August 6, 2014
The malware downloads PowerShell if it's not already installed.
dencorso Posted August 6, 2014
Yes. I understand that. But... AFAIK, PowerShell does NOT *itself* work on 9x/ME, that's my point.
You see: 9x/ME support ended on Jul 11, 2006... while PowerShell was initially launched Nov 14, 2006... so, at least officially, it surely wasn't ever meant to work on 9x/ME. This being so, I'm pretty sure that if nobody ever posted about PowerShell on 9x/ME (and that *is* the case) it means nobody has ever, even unofficially, managed to have it run on 9x/ME.
submix8c Posted August 7, 2014
...and that was -my- initial point. The Symantec page has to be erroneous. It will not "infect" a 9x/ME machine AFAICT.
> Next, the Trojan decrypts a PowerShell script from its encrypted JavaScript. It runs this Powershell script to execute a binary program.
How can it run a PowerShell script without PowerShell? Or is it just me?
Tripredacus Posted August 7, 2014
Well, it would still be a partial infection. I had a similar case where some AOL IM virus was on my Win98 PC... The initial infection did occur; however, the virus would not function properly because AOL IM was not installed. All it did was fill up my HDD with text files with errors in them.
Now, Symantec could clarify what the behaviour would be like if a Win9x was infected with this. Maybe it would show an error because PowerShell isn't installed or doesn't work, or maybe it will just make text files until you run out of hard disk space.
dencorso Posted August 7, 2014
Be that as it may, RegDelNull will find and, if told so, get rid of the so-called "undeletable" registry entry, so it cleans the partial infection.
> And, BTW, do y'all remember RegDelNull?
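Added example (not code from any poster, nor from the Symantec, Trend Micro or G Data write-ups linked above): a small triage routine that runs over Run-key entries and flags the three traits this thread describes: a value name containing a NUL or non-ASCII character (the "invisible in regedit" trick that RegDelNull was written to find), a rundll32.exe javascript: loader like the PoC quoted earlier, and a PowerShell -EncodedCommand whose script carries a base64+gzip blob in a System.IO.MemoryStream, which it decodes in both layers. The registry entries are constructed inline for the example; on a real machine you would feed it (name, data) pairs enumerated from HKCU/HKLM ...\CurrentVersion\Run, and the patterns and thresholds are heuristics, not a signature.

```python
import base64
import gzip
import re
import unicodedata
import zlib
from typing import Dict, List, Optional, Tuple

# Heuristic patterns for the traits discussed in the thread.
RUNDLL_JS = re.compile(r"rundll32(?:\.exe)?\s+javascript:", re.I)
# powershell -e / -ec / -enc / -encodedcommand <base64>. "-ep bypass" does not
# match: after "-e" the optional group is skipped and \s+ rejects the "p".
ENC_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
# A run of base64 text long enough to hold a gzip stream (threshold is a guess).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def hidden_name(name: str) -> Optional[str]:
    """Reason a value name would not display properly in regedit, or None."""
    if "\x00" in name:
        return "embedded NUL (regedit treats the name as ending there)"
    for ch in name:
        if ord(ch) < 0x20 or ord(ch) > 0x7E or unicodedata.category(ch).startswith("C"):
            return "non-printable or non-ASCII character U+%04X" % ord(ch)
    return None


def decode_encoded_command(data: str) -> Optional[str]:
    """Return the script behind powershell ... -EncodedCommand (UTF-16LE base64)."""
    m = ENC_CMD.search(data)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_gzip_blobs(text: str) -> List[str]:
    """Inflate every base64 run in text that decodes to a gzip stream."""
    out = []
    for m in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        if raw[:2] != b"\x1f\x8b":  # gzip magic
            continue
        try:
            out.append(gzip.decompress(raw).decode("utf-8", "replace"))
        except (OSError, EOFError, zlib.error):
            continue
    return out


def triage(entries: List[Tuple[str, str]]) -> List[Dict]:
    """Flag suspicious (value name, value data) pairs and attach decoded layers."""
    findings = []
    for name, data in entries:
        reasons, decoded = [], []
        why = hidden_name(name)
        if why:
            reasons.append("hidden value name: " + why)
        if RUNDLL_JS.search(data):
            reasons.append("rundll32 javascript: loader (mshtml RunHTMLApplication)")
        script = decode_encoded_command(data)
        if script is not None:
            reasons.append("PowerShell -EncodedCommand decoded")
            decoded.append(script)
        for inner in find_gzip_blobs(script if script is not None else data):
            reasons.append("base64+gzip blob inflated")
            decoded.append(inner)
        if reasons:
            display = name.encode("unicode_escape").decode("ascii")
            findings.append({"name": name, "display": display,
                             "reasons": reasons, "decoded": decoded})
    return findings


def _build_sample_encoded_command() -> str:
    """Constructed sample: stage-2 gzipped and base64'd inside a MemoryStream
    loader, then -EncodedCommand encoded as PowerShell expects (UTF-16LE base64)."""
    stage2 = b"Write-Host 'stage2 payload'"
    blob = base64.b64encode(gzip.compress(stage2)).decode("ascii")
    loader = (
        "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('%s'));"
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
        "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()" % blob
    )
    enc = base64.b64encode(loader.encode("utf-16-le")).decode("ascii")
    return "powershell.exe -w hidden -ep bypass -enc " + enc


# Constructed Run-key entries, not captured from a real system.
SAMPLE_RUN_ENTRIES: List[Tuple[str, str]] = [
    ("OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("\x00\u200bupdater",
     r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script>"+(new%20ActiveXObject("WScript.Shell")).Run("calc"))'),
    ("svc", _build_sample_encoded_command()),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RUN_ENTRIES):
        print(f["display"], "->", "; ".join(f["reasons"]))
        for layer in f["decoded"]:
            print("   decoded:", layer[:80])
```

Running it prints the two constructed malicious entries and skips the benign one; the "svc" entry unwraps to the loader script and then to the stage-2 text. The hidden-name check deliberately flags every non-ASCII character, so on localized systems it needs an allow-list.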