SANS ISC: Information to Help Track Down Infections From WGAREG.EXE
Many thanks to Andreas, one of our readers from Germany. He has provided us with the results of his research into this infection, including where he found the tracks left by the install, and has agreed to let us share the information with our readers.

From Andreas's analysis:

[1] The exploit might also have entered using some java "hole", since I found a trace in ..\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\ext\ with a handful of highly suspicious .jar and .zip files.

[2] C:\WINNT\NT contained a file named NRCS.EXE, 25,185 bytes in length.

[3] C:\WINNT\Debug contained a file named dcpromo.log.

[4] Found malicious registry keys in:



See information below for a method to remove these keys.

[5] NOD32 v2 (signature 1.1704, 2006-08-11): found [a variant of Win32/IRCBot.OO]

[6] The malicious program was disguised as a .jpg in C:\Documents and Settings\Default User\Temporary Internet Files\Content.IE5\<some random folder>.
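The file-system traces in [1], [2], [3] and [6] above, turned into a batch script you can run on a suspect box. This is an added example, not Andreas's or ISC's own script. It assumes %SystemRoot% in place of the literal C:\WINNT (so it also covers a box where that is C:\WINDOWS), checks every profile under Documents and Settings for the Java cache rather than only the one Andreas examined, and scans both the cache path as written above and the usual one under "Local Settings", since the diary's path omits that component.

```batch
@echo off
rem Added example, not Andreas's or ISC's own script: check a Windows 2000/XP
rem box for the file-system traces listed in the diary ([1], [2], [3], [6]).
rem Assumptions: %SystemRoot% stands in for C:\WINNT so the script also works
rem where it is C:\WINDOWS, and every profile under Documents and Settings is
rem checked for the Java cache, not just the one Andreas looked at.
setlocal enabledelayedexpansion
set /a HITS=0

rem [2] NRCS.EXE, reported as 25,185 bytes; a different size may mean a variant.
if exist "%SystemRoot%\NT\NRCS.EXE" (
    for %%F in ("%SystemRoot%\NT\NRCS.EXE") do (
        echo [HIT] %%~fF  size=%%~zF bytes
        if "%%~zF"=="25185" (
            echo       size matches the reported sample
        ) else (
            echo       size differs from the reported 25,185 bytes
        )
    )
    set /a HITS+=1
)

rem [3] dcpromo.log in the Debug directory.
if exist "%SystemRoot%\Debug\dcpromo.log" (
    echo [HIT] %SystemRoot%\Debug\dcpromo.log
    set /a HITS+=1
)

rem [1] .jar/.zip files in the Java Plug-in deployment cache of each profile.
for /d %%P in ("%SystemDrive%\Documents and Settings\*") do (
    set "JCACHE=%%~fP\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\ext"
    if exist "!JCACHE!" (
        for %%J in ("!JCACHE!\*.jar" "!JCACHE!\*.zip") do (
            echo [HIT] %%~fJ  size=%%~zJ bytes
            set /a HITS+=1
        )
    )
)

rem [6] a .jpg in Default User's IE cache. Default User is a profile template,
rem not an account anyone browses with, so any image there deserves a look.
rem The diary's path has no "Local Settings" component; on 2000/XP the cache
rem lives under it, so both locations are listed (our assumption).
set "DU=%SystemDrive%\Documents and Settings\Default User"
for %%C in ("%DU%\Temporary Internet Files\Content.IE5" "%DU%\Local Settings\Temporary Internet Files\Content.IE5") do (
    if exist "%%~C" (
        for /f "delims=" %%I in ('dir /s /b "%%~C\*.jpg" 2^>nul') do (
            echo [REVIEW] %%I
        )
    )
)

echo.
echo Found !HITS! indicators.
endlocal
```

Run it from an Administrator command prompt so every profile directory is readable. A hit on NRCS.EXE with a different size is still worth submitting to your AV vendor; the registry keys from [4] are not checked here because the diary does not reproduce them.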

According to Andreas, its behaviour is very close to that of Cuebot-K.

Sophos Cuebot-K

Cuebot-K is believed to spread through AIM or AOL, neither of which he has installed.

We hope this will give you some places to look for the tracks of this new malicious program.


Again, Andreas has provided us with some terrific information: he has figured out how to remove the registry keys. Here is his information.

1. Use REGEDT32, *not* regedit!

2. Check the current real time. Suppose it's 16:30.

3. In a DOS prompt:
at 16:31 /interactive regedt32.exe

This will - after 1 minute - open regedt32.exe with SYSTEM rights!!! (Yes, there is something _more_ powerful than an Administrator in Windows.) And automagically, the keys can be violently deleted.
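Steps 2 and 3 as a batch file that reads the clock itself instead of making you do the arithmetic. This is an added example and not part of Andreas's write-up. It assumes Windows 2000/XP/2003 (from Vista on, session 0 isolation keeps an AT /INTERACTIVE window off the user's desktop, and AT has since been deprecated in favour of schtasks), an Administrator command prompt, a %TIME% value in HH:MM:SS.cc form, and that the Schedule service can be started.

```batch
@echo off
rem Added example, not from the original diary: schedule REGEDT32 to start
rem as SYSTEM one minute from now, automating steps 2 and 3.
rem Assumes Windows 2000/XP/2003 (AT /INTERACTIVE no longer reaches the
rem desktop from Vista on), an Administrator prompt, and %TIME% in the
rem HH:MM:SS.cc form.
setlocal enabledelayedexpansion

rem AT hands jobs to the Schedule service; start it if it is not running.
net start schedule >nul 2>&1

rem %TIME% pads a single-digit hour with a space (" 9:05:00.00"); turn that
rem space into a zero so both fields are exactly two digits.
set "HH=%TIME:~0,2%"
set "MM=%TIME:~3,2%"
set "HH=%HH: =0%"

rem SET /A reads a leading zero as octal, so "08" and "09" would fail.
rem Prefixing a 1 and subtracting 100 converts "09" -> 109 -> 9 safely.
set /a HH=1%HH% - 100
set /a MM=1%MM% - 100

rem One minute ahead, carrying into the hour and wrapping past midnight.
set /a MM+=1
if !MM! GEQ 60 (
    set /a MM=0
    set /a HH+=1
)
if !HH! GEQ 24 set /a HH=0

rem AT wants HH:MM, so re-pad to two digits.
if !HH! LSS 10 set "HH=0!HH!"
if !MM! LSS 10 set "MM=0!MM!"

echo Queueing REGEDT32.EXE to run as SYSTEM at !HH!:!MM! ...
at !HH!:!MM! /interactive regedt32.exe
if errorlevel 1 (
    echo AT failed: check that you are an Administrator and the Schedule service is running.
    exit /b 1
)

rem List the queued job; the editor appears on the desktop when the minute ticks over.
at
endlocal
```

The trailing AT with no arguments shows the pending job and the time it was queued for, so you can confirm the script did not schedule it for tomorrow. The same trick with cmd.exe in place of regedt32.exe yields a SYSTEM shell, which is exactly why a box on which an attacker already holds Administrator must be treated as fully compromised.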

As an alternative, you can open the registry editor with Administrator rights and then give yourself "Full Control" on the registry key in question. By default, the keys under CurrentControlSet\Enum are accessible only to the all-powerful SYSTEM user, but this is for good reason: delete or change the wrong key under \Enum, and your Windows installation will turn into an inert heap of bytes. So tread carefully!


ISC Handler, Aug 13th 2006