Tuesday, May 17, 2011

Protecting 4410 from malware Win32/FakeRean

Thank goodness for FBWF! A user caught this malware over the weekend, and the majority of its effects were mitigated by a reboot.

However, I'll need to lock out more than just HKCU\Software\Microsoft\Windows\CurrentVersion\Run, since as Microsoft explains, this one also takes over HKCU\Software\Classes\.exe, and \exefile or \secfile.

The randomly named file it installed was cnb.exe at %AppData%, and it was set to launch every time you ran any executable. Sneaky!

I've decided that I need to keep the user's registry excluded with FBWF so it can be updated and retained - Acrobat Reader loves adding things to the registry (those files again are NTUSER.DAT and NTUSER.DAT.LOG). So just before I'm ready to create an image, I'll
1) elevate permissions for my one user account to administrator
2) login as that user and get into regedit
3) right click the following key and change the user's permissions to Deny
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
4) add the following three keys since they don't normally exist, and change the user's permissions to Deny
HKCU\Software\Classes\.exe
HKCU\Software\Classes\exefile
HKCU\Software\Classes\secfile

5) lower permissions back to Power User

Hopefully this, along with denying write permissions to the root of %AppData% (Documents and Setting\username\Application Data), will greatly reduce the malware my users are catching.

chris