Martin Praxmarer
Posts: 320
Joined: 2008-05-19
Hi,
One of our customers contacted us because a "wildfire report" flags malicious activities when sending mails from our application. In fact they are concerned about the registry entries which are created - can you please share some information about these activities?
1. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}\<DEFAULT> to value secman
2. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\secman.DLL\AppID to value {4D076AB4-7562-427A-B5D2-BD96E19DEE56}
3. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\secman.OutlookSecurityManager.1\<DEFAULT> to value OutlookSecurityManager Class
4. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\secman.OutlookSecurityManager.1\CLSID\<DEFAULT> to value {826D7151-8D99-434B-8540-082B8C2AE556}
5. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\secman.OutlookSecurityManager\<DEFAULT> to value OutlookSecurityManager Class
6. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\secman.OutlookSecurityManager\CLSID\<DEFAULT> to value {826D7151-8D99-434B-8540-082B8C2AE556}
7. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\secman.OutlookSecurityManager\CurVer\<DEFAULT> to value secman.OutlookSecurityManager.1
8. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\<DEFAULT> to value OutlookSecurityManager Class
9. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\ProgID\<DEFAULT> to value secman.OutlookSecurityManager.1
10. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\VersionIndependentProgID\<DEFAULT> to value secman.OutlookSecurityManager
11. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\InprocServer32\<DEFAULT> to value c:\documents and settings\administrator\sample.dll
12. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\InprocServer32\ThreadingModel to value Apartment
13. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\AppID to value {4D076AB4-7562-427A-B5D2-BD96E19DEE56}
14. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\TypeLib\<DEFAULT> to value {11549FE4-7C5A-4C17-9FC3-56FC5162A994}
15. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\1.0\<DEFAULT> to value secman 1.0 Type Library
16. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\1.0\FLAGS\<DEFAULT> to value 0
17. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\1.0\0\win32\<DEFAULT> to value c:\documents and settings\administrator\sample.dll
18. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\1.0\HELPDIR\<DEFAULT> to value
19. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\<DEFAULT> to value IOutlookSecurityManager
20. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ProxyStubClsid\<DEFAULT> to value {00020424-0000-0000-C000-000000000046}
21. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ProxyStubClsid32\<DEFAULT> to value {00020424-0000-0000-C000-000000000046}
22. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\TypeLib\<DEFAULT> to value {11549FE4-7C5A-4C17-9FC3-56FC5162A994}
23. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\TypeLib\Version to value 1.0
24. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\<DEFAULT> to value IOutlookSecurityManager2
25. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\ProxyStubClsid\<DEFAULT> to value {00020424-0000-0000-C000-000000000046}
26. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\ProxyStubClsid32\<DEFAULT> to value {00020424-0000-0000-C000-000000000046}
27. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\TypeLib\<DEFAULT> to value {11549FE4-7C5A-4C17-9FC3-56FC5162A994}
28. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\TypeLib\Version to value 1.0
29. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\InProcServer32\<DEFAULT> to value c:\documents and settings\administrator\sample.dll
30. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\InProcServer32\ThreadingModel to value Both
31. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\<DEFAULT> to value PSFactoryBuffer
32. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ProxyStubClsid32\<DEFAULT> to value {66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
33. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\<DEFAULT> to value IOutlookSecurityManager
34. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\NumMethods\<DEFAULT> to value 11
35. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\ProxyStubClsid32\<DEFAULT> to value {66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
36. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\<DEFAULT> to value IOutlookSecurityManager2
37. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\NumMethods\<DEFAULT> to value 12
38. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\InProcServer32\<DEFAULT> to value c:\documents and settings\administrator\sample.dll
39. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\InProcServer32\ThreadingModel to value Both
40. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\<DEFAULT> to value PSFactoryBuffer
41. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ProxyStubClsid32\<DEFAULT> to value {66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
42. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\<DEFAULT> to value IOutlookSecurityManager
43. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\NumMethods\<DEFAULT> to value 11
44. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\ProxyStubClsid32\<DEFAULT> to value {66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
45. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\<DEFAULT> to value IOutlookSecurityManager2
46. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\NumMethods\<DEFAULT> to value 12
47. Created Process C:\WINDOWS\system32\dwwin.exe -x -s 176
48. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData to value C:\Documents and Settings\Administrator\Application Data
49. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal to value C:\Documents and Settings\Administrator\My Documents
50. Created mutex CTF.LBES.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
51. Created mutex CTF.Compart.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
52. Created mutex CTF.Asm.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
53. Created mutex CTF.Layouts.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
54. Created mutex CTF.TMD.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
55. Created mutex CTF.TimListCache.FMPDefaultS-1-5-21-515967899-776561741-1417001333-500MUTEX.DefaultS-1-5-21-515967899-776561741-1417001333-500
56. Created file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\91C8C3.dmp
57. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache to value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
58. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory to value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
59. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths to value 4
60. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath to value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1
61. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath to value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2
62. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath to value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3
63. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath to value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4
64. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit to value 8000000
65. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit to value 8000000
66. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CacheLimit to value 8000000
67. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CacheLimit to value 8000000
68. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies to value C:\Documents and Settings\Administrator\Cookies
69. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History to value C:\Documents and Settings\Administrator\Local Settings\History
70. Created mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
71. Created mutex c:!documents and settings!administrator!cookies!
72. Created mutex c:!documents and settings!administrator!local settings!history!history.ie5!
73. Created mutex WininetConnectionMutex
74. Created mutex RasPbFile
75. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData to value C:\Documents and Settings\All Users\Application Data
76. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData to value C:\Documents and Settings\Administrator\Application Data
77. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy to value 1
78. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable to value 0
79. Set key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable to value 0
80. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings to value NULL
81. Created mutex MSCTF.Shared.MUTEX.MDH
82. Created mutex MSCTF.Shared.MUTEX.MDH
83. Created Process C:\WINDOWS\system32\drwtsn32 -p 1880 -e 228 -g
84. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData to value C:\Documents and Settings\All Users\Application Data
85. Created file C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
Andrei Smolin
Add-in Express team
Posts: 18993
Joined: 2006-05-11
Hello Martin,
Items 1-46 relate to our Outlook Security Manager. Actually, these items can be found using this "rule": these items are the registry keys and values containing the substrings below:
- "secman",
- "OutlookSecurityManager",
- "{4D076AB4-7562-427A-B5D2-BD96E19DEE56}",
- "{11549FE4-7C5A-4C17-9FC3-56FC5162A994}",
- "{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}",
- "{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}",
- "{826D7151-8D99-434B-8540-082B8C2AE556}" (32bit) or "{2F35794D-4574-4BCF-B0A5-3B16AF985788}" (64bit).
These registry keys are created as part of COM registration of Security Manager files: secman.dll (secman64.dll).
The remaining items look to be part of normal functioning of Windows. Say, 47: dwwin.exe is a debugger; see https://answers.microsoft.com/en-us/windows/forum/all/werfault-and-dwwin-exe-errors/c21991f6-267c-4630-ac43-cb31823b0e6b. 83: drwtsn32 - this is obviously Doctor Watson; 85 being its log file.
56: 91C8C3.dmp - you'll have to experiment to find the program creating that file; the file name will obviously change.
I wouldn't be surprised if mutexes 71-73 are created by IE or Outlook running; IE, Outlook or a program using the WebBrowser component might be responsible for any keys/values containing "Internet Settings" and "Shell Folders".
Note that all the keys created in HKLM require administrative permissions. The user may avoid the assumed risk associated with such keys by starting applications non-elevated. Registering Outlook Security Manager files requires elevated permissions, though. I assume that you use a .NET or VCL version of the Security Manager. If so, they allow using two deployment scenarios; the second one doesn't require administrative privileges:
- Register both secman.dll and secman64.dll as COM servers; this requires administrative privileges. Note that you only need to register secman64.dll on a 64bit PC. This approach allows specifying a profile-independent location for the files. Pay attention, please, that you should place secman.dll and secman64.dll as shared DLLs into the shared folder of Windows, Common Files \ Outlook Security Manager. Do not unregister secman.dll and secman64.dll if they exist in that folder when you install your product.
- Put secman.dll and secman64.dll into the folder where all files of your application are located. This approach doesn't require registering the files.
Andrei Smolin
Add-in Express Team Leader
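As an added example (not code from this thread or from Add-in Express), the following Python script applies the substring "rule" from the reply above to sandbox event lines of the kind shown in the question. It separates the Outlook Security Manager COM registration from the remaining Windows/IE housekeeping, marks which keys live under HKLM (the ones the reply says need administrative permissions, relevant to the choice between the two deployment scenarios), and collects the DLL paths the InprocServer32 default values point at, so a reviewer can check they match the DLL that was actually shipped. The sample events are copied from the report in the question; the parser, the category names and the function names are this example's own assumptions.

```python
"""Triage a sandbox event list with the substring rule from the reply above.

Added example; not part of the forum thread or the Add-in Express product.
The sample events are copied from the report in the question; the parser,
category names and function names are assumptions of this example.
"""
import re

# Substrings the reply says identify Outlook Security Manager's COM
# registration. GUIDs are compared case-insensitively.
OSM_MARKERS = (
    "secman",
    "OutlookSecurityManager",
    "{4D076AB4-7562-427A-B5D2-BD96E19DEE56}",
    "{11549FE4-7C5A-4C17-9FC3-56FC5162A994}",
    "{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}",
    "{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}",
    "{826D7151-8D99-434B-8540-082B8C2AE556}",  # 32-bit secman.dll
    "{2F35794D-4574-4BCF-B0A5-3B16AF985788}",  # 64-bit secman64.dll
)

# Constructed sample: a few event lines taken from the report in the question.
SAMPLE_EVENTS = r"""
1. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}\<DEFAULT> to value secman
11. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\InprocServer32\<DEFAULT> to value c:\documents and settings\administrator\sample.dll
19. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\<DEFAULT> to value IOutlookSecurityManager
29. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\InProcServer32\<DEFAULT> to value c:\documents and settings\administrator\sample.dll
47. Created Process C:\WINDOWS\system32\dwwin.exe -x -s 176
56. Created file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\91C8C3.dmp
73. Created mutex WininetConnectionMutex
78. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable to value 0
83. Created Process C:\WINDOWS\system32\drwtsn32 -p 1880 -e 228 -g
"""

# "<n>. <event kind> <rest>" as the sandbox prints it.
EVENT_RE = re.compile(
    r"^\s*(?P<num>\d+)\.\s+"
    r"(?P<kind>Set key|Created Process|Created mutex|Created file)\s+"
    r"(?P<rest>.*)$"
)


def parse_event(line):
    """Parse one report line into a dict, or return None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    event = {"num": int(m.group("num")), "kind": m.group("kind"),
             "target": m.group("rest").strip(), "value": None, "hive": None}
    if event["kind"] == "Set key":
        # "PATH to value VALUE"; the value may be empty (see item 18 in the report).
        path, _, value = event["target"].partition(" to value")
        event["target"] = path.strip()
        event["value"] = value.strip()
        upper = path.upper()
        if upper.startswith(r"\REGISTRY\MACHINE"):
            event["hive"] = "HKLM"   # writing here needs administrative rights
        elif upper.startswith(r"\REGISTRY\USER"):
            event["hive"] = "HKU"
    return event


def classify(event):
    """Apply the substring rule: any marker in key path or value means OSM registration."""
    haystack = (event["target"] + " " + (event["value"] or "")).lower()
    if any(marker.lower() in haystack for marker in OSM_MARKERS):
        return "osm-com-registration"
    return "other"


def server_dll_paths(events):
    """DLL paths named by InprocServer32 default values (both spellings occur in the report)."""
    paths = set()
    for ev in events:
        if ev["kind"] == "Set key" and ev["target"].lower().endswith(r"\inprocserver32\<default>"):
            paths.add(ev["value"].lower())
    return sorted(paths)


def triage(report_text):
    """Group events by category and list HKLM writes and COM server DLL paths."""
    events = [e for e in (parse_event(l) for l in report_text.splitlines()) if e]
    summary = {"osm-com-registration": [], "other": []}
    for ev in events:
        summary[classify(ev)].append(ev["num"])
    return {
        "events": events,
        "summary": summary,
        "hklm_writes": [ev["num"] for ev in events if ev["hive"] == "HKLM"],
        "server_dlls": server_dll_paths(events),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for category, nums in result["summary"].items():
        print(f"{category:22s} items {nums}")
    print("HKLM writes (need admin):", result["hklm_writes"])
    print("InprocServer32 DLLs:", result["server_dlls"])
```

Feed the whole numbered list from the report to `triage()` and the "other" bucket is what actually needs explaining to the customer; the `server_dlls` list is the quick check that the registered in-process server is the DLL your installer placed (in the sample it points at the sandbox's own copy, `sample.dll`), which is the key fact a reviewer of such a report wants confirmed.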