How does MyDoom get into _restore\temp without running?

[Someone Else]

Like everyone else, I got my share of mydoom, and mydoom-bounces to my
address as forged in 'From:' headers. I never executed any of them (and
my mail client doesn't execute things automatically). I did save off a
copy of one to let f-prot have a look at it. F-prot hadn't come out with
the mydoom update yet, so it didn't find anything, and I deleted the file.

Now it gets strange. F-prot published their update. I picked it up and
ran a full scan of my system. Of course it found the mime-encoded
attachments in my email folders (Netscape), but nothing else except a
single one of those infamous Axxxxxxx.CPY files in _restore\temp. (Yes,
I know how to get rid of it, and it is gone.)

OK, so I checked for all of the mydoom symptoms (the dll it drops, the
registry tags, etc.)--nada. Just to be certain, I sent a copy of
Axxxxxxx.CPY off to the f-prot folks, and they confirmed that: 'The
files are indeed samples of Mydoom, but they are not part of an active
infection.'

So the questions are:

1) If it never executed (which I'm virtually certain it didn't), how did
it end up in the _restore\temp directory?

2) If it did execute, why is there no other evidence of infection?

FWIW, here's my configuration:

Windows ME (all patches, etc.)

Netscape 7.1 for mail/web/usenet

ZoneAlarm free version 3.7.202 (the only thing the free version is
supposed to do with email attachments is to change the name of .vbs
extensions to something else, but I thought I'd mention it).

Any thoughts?

BTW, *big plug* for f-prot, DOS version: one of my two favorite bits of
software. I've still got my copy of version 2.12 (1993?) on floppy some
place. It's never failed me, runs under pure DOS (in case you can't get
Windoze up), and you get personal answers from their staff within about
24 hours--even if you're using their free version.

David

 

[kurt wismer]

Someone Else wrote:
[snip]

So the questions are:

1) If it never executed (which I'm virtually certain it didn't), how did
it end up in the _restore\temp directory?

windows put it there... as far as what criteria windows uses for
deciding what to put in system restore and what not to, who knows...

 

[FromTheRafters]

So the questions are:

1) If it never executed (which I'm virtually certain it didn't), how did
it end up in the _restore\temp directory?

Excerpted from:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsetup/html/winmesr.asp

+++

System and Application File Change Monitoring

[...]

To track and copy files before changes, System Restore uses a
system resource monitor (a driver called a VxD) that is at the
kernel level (called Ring 0). This kernel level driver monitors file
system operations, and, for select file types, quickly interrupts
an operation (for example, DELETE FILE) and copies the
original file before the operation is complete.

[...]

+++

....and so your malware is safely tucked away in a restore point
*because* your AV (or something) has decided to try to delete
it.

Think of it as an ME (or XP) malware restore feature. :O)

 

[Someone Else]

So the questions are:

1) If it never executed (which I'm virtually certain it didn't), how did
it end up in the _restore\temp directory?

Excerpted from:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsetup/html/winmesr.asp

+++

System and Application File Change Monitoring

[...]

To track and copy files before changes, System Restore uses a
system resource monitor (a driver called a VxD) that is at the
kernel level (called Ring 0). This kernel level driver monitors file
system operations, and, for select file types, quickly interrupts
an operation (for example, DELETE FILE) and copies the
original file before the operation is complete.

[...]

+++

...and so your malware is safely tucked away in a restore point
*because* your AV (or something) has decided to try to delete
it.

Actually, because I saved the attachment to a file for further study,
and then deleted it.

Think of it as an ME (or XP) malware restore feature. :O)

Thanks ever so much. That's it all right.

<rant on>
I never would have thought that even M$ could come up with a scheme so
utterly moronic. IIUC, with the exception of a few special, excluded
directories, System Restore monitors all file changes or deletions of
files with the "select file types" (of which there are 526, including
..exe, .pif, .scr, and lots of weird ones like .do1, ~~d, and .pr4, but
not .pr0 through .pr3). One of them is one I use all the time: .out. If
you do a restore, all changes to any of these files since the restore
point will be lost.

Yes, any file you might have created and modified in almost any
directory could revert to your earliest version unless you're careful to
avoid those 526 extensions. Of course that doesn't help a lot, since if
you're a software developer it's hard to avoid extensions like .exe.
(And no, even "Program Files" isn't one of the protected directories) I
shudder to think what will happen when one of our clients does a system
restore soon after getting an update from us. All the *.exe files will
revert, but none of the other configuration files that aren't on the list.

To make matters worse:

Microsoft reserves the exclusive right to modify this list.

So even if you avoid their proprietary extensions (or use them for
consistent restores), they can take them over (or drop them) at any
time. Not to worry, M$ has soothing words of advice:

The next sections will discuss in-depth how this feature works. To
achieve the desired behavior after a restore, application developers
should answer the following:

* Do key application binaries to be protected by System Restore
contain extensions consistent with those included in the System
Restore Filelist.XML list?

Well, maybe, unless M$ exercises their "exclusive right to modify this
list" (during a "critical update"?).

* Are user-editable files (for example,
.pdf, .xls, .htm) named in such a way that they cannot be confused as
included extension types? For example, have you named a file
extension .ini that a user can modify as a personal data file? If so,
this will impede the perception of your products performance, as well
as cause the user to lose work as a result of a restore. (See
FileList.XML.)

Well, maybe, unless M$ exercises their "exclusive right to modify this
list".

They really don't want anyone else writing software.
<rant off>

FWIW, one of the few protected directories (changes won't be tracked and
restored) is "%windir%\Application Data", which must explain why
Netscape now stores your mail under "%windir%\Application Data".

David

 

[Andy]

In message <[email protected]>,

Yes, any file you might have created and modified in almost any
directory could revert to your earliest version

As an aside to this, I year or so back I copied the contents of an old
hard drive to a new larger one (a separate physical drive to my Windows
drive). On it were many old DOS and Windows programs. The new machine
had XP installed, and over the months I've used System Restore a few
times and recovered from the odd virus etc. Sometime later I went to
look at the (copied) contents of the old drive, hoping to run an old DOS
program, only to find that absolutely all of the executable files in
whatever directories, had been wiped. As System Restore would not have
known about these files, what caused them to be deleted? This kind of
action is extremely worrying!

Andy.

 

[GSV Three Minds in a Can]

In message <[email protected]>,


As an aside to this, I year or so back I copied the contents of an old
hard drive to a new larger one (a separate physical drive to my Windows
drive). On it were many old DOS and Windows programs. The new machine
had XP installed, and over the months I've used System Restore a few
times and recovered from the odd virus etc. Sometime later I went to
look at the (copied) contents of the old drive, hoping to run an old
DOS program, only to find that absolutely all of the executable files
in whatever directories, had been wiped. As System Restore would not
have known about these files, what caused them to be deleted? This kind
of action is extremely worrying!

If you had system restore turned on for the drive that you copied them
to, then it's quite possible that SR decided to revert that drive to an
earlier state (without those .exe files) at some point.

Exactly what SR will/won't save, restore, or delete, is rather too
arcane for most users (me included). In summary, if you must use it,
don't use it except on the system drive (apart from anything else, it
eats space).

 

[Someone Else]

In message <[email protected]>,



As an aside to this, I year or so back I copied the contents of an old
hard drive to a new larger one (a separate physical drive to my Windows
drive). On it were many old DOS and Windows programs. The new machine
had XP installed, and over the months I've used System Restore a few
times and recovered from the odd virus etc. Sometime later I went to
look at the (copied) contents of the old drive, hoping to run an old DOS
program, only to find that absolutely all of the executable files in
whatever directories, had been wiped. As System Restore would not have
known about these files, what caused them to be deleted? This kind of
action is extremely worrying!

Andy.

As a wise man once said, NSS (no ---- Sherlock) -). Most everything
about M$ products is 'extremely worrying'. I have no clue what happened
in your case. I thought I had figured out that SR would restore files to
the most recent version prior to the restore point, but I (foolishly?)
assumed that that would not include the null version. It may be
significant that your losses were on a different drive. Unfortunately I
have neither the time nor the spare machine to try the experiments
(e.g., create a new .exe, run SR, and see whether it goes away).

On second thought, I have a possible clue. The fact that you had to
recover from the 'odd virus etc.' leaves open the possibility that: the
viruses corrupted your .exe files, your AV program couldn't disinfect
them, and so deleted them, and they were not known to SR, so they did
not come back. Other explanations are of course possible, and more
likely to be correct.

David

 

[Someone Else]

If you had system restore turned on for the drive that you copied them
to, then it's quite possible that SR decided to revert that drive to an
earlier state (without those .exe files) at some point.

That's possible, but restoring files to the null versions would be a new
level of cluelessness for M$. Of course, they have had so many worm
problems that it might not be so clueless after all, merely the only
response possible to previous cluelessness.

I'm afraid I'm not familiar with the options for SR in XP. I'm still
running ME, on the theory that it's safer to stay a step or two behind
the M$ power curve. Let someone other than I (i.e., not Someone Else
-)) be the guinea-pig/canary. In ME, I have not seen any option to
modify which drives/directories are subject to SR. OTOH, I have never
needed two physical drives on my ME machines. I suppose I could manually
modify filelist.xml, but that would add another step in the endless
checklist of securing windoze. And besides:

So M$ could undo my mods with the next update.

Exactly what SR will/won't save, restore, or delete, is rather too
arcane for most users (me included). In summary, if you must use it,
don't use it except on the system drive (apart from anything else, it
eats space).

It probably is too arcane, but it shouldn't be. I suspect that the real
problem is that windoze is such a ball of spaghetti that even M$ isn't
sure what it does.

My recommendation is to regularly wipe out your restore points, but set
a new restore point immediately before you do anything remotely risky
(like installing a new program). It would be nice if M$ allowed you to
selectively remove restore points (e.g., all those prior to ddmmyy).

David