Monday, July 18, 2005

Bots writing Registry entries

As I've perused some of the anti-virus sites of late, I've noticed a trend that malware...specifically, bots...are writing two particular Registry entries:

[HKCU|HKLM]\System\CurrentControlSet\Control\Lsa

and

[HKCU|HKLM]\Software\Microsoft\OLE

I'm seeing this with several bots...W32.Bropia, W32.MyTob, etc. Some A/V sites point out that these are variations of SD-Bot, which wrote to the keys, as well...but why? A/V companies do a great job of saying which keys get created or modified, but it's tough to figure out *why*.

What's the purpose for writing to these keys? Does it have something to do with the LSASS vulnerability in MS04-011? Is this another autostart location?
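Whatever the bots' reason for writing there, a defender can at least watch the two keys. The following PowerShell script is an added example, not code from the post: it snapshots every value under both keys in both hives and diffs the result against a saved baseline, so a newly written or changed value stands out. The baseline file path is an assumed default.

```powershell
# Added example: baseline/diff the Lsa and OLE keys the post names (both hives).
# The default baseline path below is an assumption; pass -BaselinePath to change it.
param(
    [string]$BaselinePath = "$env:USERPROFILE\lsa-ole-baseline.json",
    [switch]$Update   # rewrite the baseline instead of diffing against it
)

$keys = @(
    'HKLM:\System\CurrentControlSet\Control\Lsa',
    'HKCU:\System\CurrentControlSet\Control\Lsa',
    'HKLM:\Software\Microsoft\OLE',
    'HKCU:\Software\Microsoft\OLE'
)

function Get-KeySnapshot {
    # Returns a hashtable of "<key>\<value name>" -> "<type>|<data>"
    $snap = @{}
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }   # HKCU may lack the key
        $item = Get-Item -LiteralPath $k
        foreach ($name in $item.GetValueNames()) {
            $kind = $item.GetValueKind($name)
            $data = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            # flatten REG_MULTI_SZ / REG_BINARY into one string so the diff stays simple
            $text  = if ($data -is [array]) { $data -join ',' } else { [string]$data }
            $label = if ($name -eq '') { '(Default)' } else { $name }
            $snap["$k\$label"] = "$kind|$text"
        }
    }
    return $snap
}

$current = Get-KeySnapshot

if ($Update -or -not (Test-Path -LiteralPath $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) values)"
    return
}

# Load the saved baseline back into a hashtable and report differences
$baseline = @{}
(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = $_.Value }

foreach ($p in $current.Keys) {
    if (-not $baseline.ContainsKey($p)) { "ADDED    $p = $($current[$p])" }
    elseif ($baseline[$p] -ne $current[$p]) { "CHANGED  $p : $($baseline[$p]) -> $($current[$p])" }
}
foreach ($p in $baseline.Keys) {
    if (-not $current.ContainsKey($p)) { "REMOVED  $p" }
}
```

Run it once on a known-clean system to write the baseline, then periodically (or during triage of a suspect box) to list values that were added, changed or removed since.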
