Hello!

My computer (WinXP SP2 fully patched - including yesterday's patches)
was compromised today with a brand new attack vector which has done the
following:

1. Disabled built in WinXP firewall
2. Downloaded several trojans
3. Crashed system with bluescreen of death
4. After system reboot several applications were infected with trojans
5. Permanently damaged WinXP firewall by uninstalling its service
6. Damaged internet connection sharing service

This new vector was sent to KasperskyLabs and confirmed to be new
malicious software (lab signature [KLAB-1097372]).

I am still trying to recover full system functionality after attack and
have performed several scans with:

1) rootkit detectors,
2) antivirus software,
3) sfc tool which was used to restore original windows files.

Tried to reinstall SP2 as well (original system was SP1) but it did
not help in restoring firewall and internet connection sharing
services.

Anyone have an idea how to restore original firewall/internet
connection services? MS documentation is obviously missing in that area
and I would prefer to avoid system reinstallation or repair
installation.

Re: Restoring WindowsXP SP2 Firewall service after malicious software attack by Malke

Malke
Wed Jul 12 09:28:20 CDT 2006

Polanski24 wrote:

> Hello!
>
> My computer (WinXP SP2 fully patched - including yesterday's patches)
> was compromised today with a brand new attack vector which has done the
> following:
>
> 1. Disabled built in WinXP firewall
> 2. Downloaded several trojans
> 3. Crashed system with bluescreen of death
> 4. After system reboot several applications were infected with trojans
> 5. Permanently damaged WinXP firewall by uninstalling its service
> 6. Damaged internet connection sharing service
>
> This new vector was sent to KasperskyLabs and confirmed to be new
> malicious software (lab signature [KLAB-1097372]).
>
> I am still trying to recover full system functionality after attack and
> have performed several scans with:
>
> 1) rootkit detectors,
> 2) antivirus software,
> 3) sfc tool which was used to restore original windows files.
>
> Tried to reinstall SP2 as well (original system was SP1) but it did
> not help in restoring firewall and internet connection sharing
> services.
>
> Anyone have an idea how to restore original firewall/internet
> connection services? MS documentation is obviously missing in that area
> and I would prefer to avoid system reinstallation or repair
> installation.

I don't know why you say there isn't any documentation. There's plenty.
Start here:

Start>Run cmd [enter]
netsh winsock reset catalog [enter]
Follow prompts and reboot.

FIREWALL DEAD, or other network issues -
http://support.microsoft.com/kb/892350

Windows XP Service Pack 2 problems/The Service Pack 2 firewall -
http://www.michna.com/kb/WxSP2.htm#The_Service_Pack_2_firewall

Troubleshooting Windows Firewall in XPSP2 - http://tinyurl.com/3tnkt

MS Firewall Reference Guide -
http://www.microsoft.com/technet/security/topics/networksecurity/firewall.mspx

Windows cannot display Windows Firewall settings error (Ramesh) -
http://windowsxp.mvps.org/sharedaccess.htm

Although if you think you've been rooted and damage is extensive, the
smartest thing to do is to back up your stuff and flatten the system.

http://michaelstevenstech.com/cleanxpinstall.html - Clean Install How-To
http://www.elephantboycomputers.com/page2.html#reinstall_Windows - What you
will need on-hand

Malke
--
MS-MVP Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"

Re: Restoring WindowsXP SP2 Firewall service after malicious software attack by B

B
Wed Jul 12 09:34:50 CDT 2006

On 12 Jul 2006 07:00:05 -0700, "Polanski24" <infodate@aster.pl> wrote:

>Anyone have an idea how to restore original firewall/internet
>connection services? MS documentation is obviously missing in that area
>and I would prefer to avoid system reinstallation or repair
>installation.

Very understandable, but in your case I would definitely do so,
especially since it's a new and unknown malware.

You have no chance to make sure you fully cleaned it.

Even MS realises that:
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

/B. Nice

Re: Restoring WindowsXP SP2 Firewall service after malicious software attack by Polanski24

Polanski24
Wed Jul 12 11:07:08 CDT 2006


Thnx for replies!

Actually I still can say there is no real documentation on the firewall.
The user-type blah blah available from the links posted by Malke is of very
limited use and there is no MSDN-like documentation on
Firewall/Internet Connection Sharing (I am a Windows/Linux programmer and
blah blah is not of that great value to me).

However, the solution Malke pointed to is ok -> the MVPs did a good
job and posted a simple fix (thnx for that link):

"Windows cannot display Windows Firewall settings error (Ramesh) -
http://windowsxp.mvps.org/sharedaccess.htm"

Actually it was enough to restore the registry entries with the help of:
http://windowsxp.mvps.org/reg/sharedaccess.reg

I will work with KasperskyLabs on that malware and will try not to
reinstall the whole system, but it may be inevitable ;)

Thnx once more for your comments
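An added check that is not part of this thread: a cmd batch script (the shell Malke's netsh step is typed into) that reports whether the SharedAccess service the poster describes as "uninstalled" is still registered, whether its registry key and firewall policy values exist, and exports the current key so it can be compared with a known-good export such as the MVP .reg file linked above. The registry paths are the standard XP SP2 locations; the export file name under %TEMP% is an assumption.

```batch
@echo off
REM Added example, not from the thread: verify the Windows Firewall/ICS
REM service (SharedAccess) before and after applying a registry fix.
REM Assumes Windows XP SP2 with sc.exe, reg.exe and netsh.exe present.
setlocal
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
set POLICY=%KEY%\Parameters\FirewallPolicy\StandardProfile
set OUT=%TEMP%\sharedaccess-current.reg

echo [*] Service registration:
sc query SharedAccess >nul 2>&1
if errorlevel 1 (
    echo     SharedAccess service is NOT registered - the service entry was removed
) else (
    sc query SharedAccess | findstr /C:"STATE"
)

echo [*] Registry key for the service:
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo     %KEY% is missing - restore it from a known-good .reg export
) else (
    echo     %KEY% is present
)

echo [*] Firewall policy value (standard profile):
reg query "%POLICY%" /v EnableFirewall 2>nul | findstr /I "EnableFirewall"
if errorlevel 1 echo     EnableFirewall value not found under %POLICY%

echo [*] Firewall state as reported by netsh:
netsh firewall show state 2>nul
if errorlevel 1 echo     netsh could not query the firewall - service is unavailable

echo [*] Exporting the current key for comparison with a clean machine:
if exist "%OUT%" del "%OUT%"
reg export "%KEY%" "%OUT%" >nul 2>&1
if exist "%OUT%" (echo     Written to %OUT%) else (echo     Nothing to export)
endlocal
```

Run it once before importing the .reg fix and once after; if the service still reports as not registered after the import, a reboot is needed for the Service Control Manager to pick up the restored entry.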


Re: Restoring WindowsXP SP2 Firewall service after malicious software attack by Polanski24

Polanski24
Fri Jul 14 09:33:02 CDT 2006


Hello!

After a few days spent investigating my system I have detected rootkit
presence with only one tool -> SVV by Joanna Rutkowska. All other tools
(I have tested dozens of them) have failed to do so. My only luck with
the infection is that the programmer who wrote, or rather adapted, the rootkit did
a lousy job, so I can see its presence by some very easy to spot
system behaviour abnormalities.

Seems that flattening the system and reinstalling it is coming closer
:).


Re: Restoring WindowsXP SP2 Firewall service after malicious software by Gary

Gary
Fri Jul 14 13:27:22 CDT 2006

Polanski24 wrote:

> Hello!
>
> After a few days spent investigating my system I have detected rootkit
> presence with only one tool -> SVV by Joanna Rutkowska. All other tools
> (I have tested dozens of them) have failed to do so. My only luck with
> the infection is that the programmer who wrote, or rather adapted, the rootkit did
> a lousy job, so I can see its presence by some very easy to spot
> system behaviour abnormalities.
>
> Seems that flattening the system and reinstalling it is coming closer
> :).
>


Definitely. The fact that all tools but one failed to find
the malware is an indication of the trust you should place
in those types of tools.

I'm not sure if the system in question was a desktop or a
server, but if it was a desktop, operating it using an
unprivileged account will prevent future mistakes and locally
run software from being able to foul up firewalls, anti-virus
software, and other critical sections of the computer. It will
also significantly reduce the ways the malware can hide itself
or its modifications, making recovery, or at least forensics,
easier if something should get through.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security