Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Antique Systems :: ciacb8.txt

Detection/Eradication procedures for VMSCRTL.EXE Trojan Horse


             The Computer Incident Advisory Capability

                         ___  __ __    _     ___

                        /       |     / \   /

                        \___  __|__  /___\  \___


                         Information Bulletin       

        Detection/Eradication Procedures for VMSCRTL.EXE Trojan Horse

November 21, 1990, 1100 PST                                 Number B-8


PROBLEM:  Detection of trojan horse and recovery procedures

PLATFORM: VAX/VMS (all versions)

DAMAGE:  Gives unauthorized privileged access to system if trojan

  horse is implanted in system by intruders who have already obtained

  privileged status

DETECTION:  Several methods (described herein), of which finding

  VMSCRTL.EXE in SYS$LIBRARY is the fastest


                     Critical Trojan Horse Facts

In bulletin B-6 CIAC warned of a new pattern of intrusions into VMS

systems.  Part of this pattern is placing a file named VMSCTRL.EXE into

SYS$LIBRARY.  CIAC has determined that this file contains a trojan

horse program.  VMSCRTL.EXE also provides a means for the attackers to

gain full privileges from a non-privileged account if this file has

been installed with the CMKRNL privilege. The presence of VMSCRTL.EXE

in SYS$LIBRARY indicates that a VMS system has been compromised and

that the attackers have been able to gain full privileges.

The trojan horse behaviors of VMSCRTL.EXE are:

1.      Copies itself to SYS$LIBRARY:VMSCRTL.EXE

2.      Creates the file SYS$STARTUP:DECW$INSTALL_LAT.COM  This file

contains a standard DEC copyright notice and a DCL command to install


3.      Modifies the file SYS$STARTUP:VMS$LAYERED.DAT to include the

execution of SYS$STARTUP:DECW$INSTALL_LAT.COM as part of the VMS boot


4.      Exits with a (falsified) CLI error message while returning a

status of SYS$NORMAL

The "tracks" left behind by the execution of VMSCRTL.EXE are fairly obvious:

1.      The presence of SYS$LIBRARY:VMSCRTL.EXE

2.      The presence of SYS$STARTUP:DECW$INSTALL_LAT.COM

3.      The file SYS$STARTUP:VMS$LAYERED.DAT will have its MODIFIED

date changed to reflect the time at which VMSCRTL.EXE was run.  Use the



modification date.  Note that this evidence will be destroyed if any

subsequent modifications or listings of SYS$STARTUP:VMS$LAYERED.DAT are

made via the STARTUP command to SYSMAN.

4.      The DCL command "$ MCR SYSMAN STARTUP FILE" will list

DECW$INSTALL_LAT.COM as one of the startup files.  Note that executing

this command will change the modification date of

SYS$STARTUP:VMS$LAYERED.DAT  Be sure, therefore, to do this check after

checking the MODIFIED date as prescribed above.

5.       If the infected system has been rebooted since VMSCRTL.EXE was

run, the DCL command "$ MCR INSTALL /LIST" will reveal that

SYS$LIBRARY:VMSCRTL.EXE is installed with privilege. A full list of

this installed image will show it is installed with CMKRNL.



The presence of the file SYS$LIBRARY:VMSCRTL.EXE is definite

confirmation that this trojan horse is present.  Additional

confirmatory evidence includes:

1.      The presence of the file SYS$STARTUP:DECW$INSTALL_LAT.COM

2.      Modification to the SYSMAN STARTUP database file to include the


A search string that can be used to identify VMSCRTL.EXE regardless of

the file's name is "%VCR"    For example, to search your entire system

disk you might enter:

        $ SEARCH SYS$SYSDEVICE:[*...]*.* "%VCR"/WINDOW=1

If VMSCRTL.EXE is detected in a non-system directory, it is likely that

the attackers have penetrated a non-privileged account but have not yet

been able to gain full privileges.


If you have detected VMSCRTL.EXE in SYS$LIBRARY, the VMS system has

been compromised by attackers who were able to gain full privileges.

(If these attackers are able to reenter the system, they will again be

able to gain full privileges).  The minimal recovery procedure

described below is provided only as a quick, short-term, "stop gap"

measure.  (The possibility that other damage to the compromised VMS

system was done by the attackers is large--we therefore recommend that

when time permits the full recovery procedure be implemented.) The

minimal recovery procedure is:

1.      Use INSTALL to remove SYS$LIBRARY:VMSCRTL.EXE with the


Note: It is possible that VMSCRTL.EXE is not installed (yet) and so

this command may produce the appropriate error message.

2.      Remove the startup entry SYS$STARTUP:DECW$INSTALL_LAT.COM from

SYSMAN's database with the command:  "$ MCR SYSMAN STARTUP REMOVE FILE


3.      Delete the file SYS$LIBRARY:VMSCRTL.EXE and the file


4.      Disable all inactive accounts using AUTHORIZE.  For example, to

disable an account named JONES, enter:





5.      Change the passwords on all active accounts.

6.      Review all entries in SYSUAF.DAT and make appropriate corrections

7.      Review all SYSGEN parameters and make appropriate corrections

8.      Review all system files for modifications occurring after the

penetration.  The following DCL command can prove very useful in this


                $ DIR/FULL/MODIFIED/SINCE="<actual penetration date>"

        For example, if the penetration date were October 31st, enter:

                $ DIR/FULL/MODIFIED/SINCE="31-OCT-1990"




For the full recovery procedure, follow the complete VMS recovery

procedure given in the appendix to this bulletin.

For additional information or assistance, please contact CIAC

        Hal R. Brand

        (415) 422-6312 or (FTS) 532-6312

        or call (415) 422-8193 or (FTS) 532-8193

        send FAX messages to:  (415) 423-0913 or (FTS) 543-0913

Neither the United States Government nor the University of California

nor any of their employees, makes any warranty,  expressed or implied,

or assumes any legal liability or responsibility for the accuracy,

completeness, or usefulness of any information, product, or process

disclosed, or represents that its use would not infringe privately

owned rights.  Reference herein to any specific commercial products,

process, or service by trade name, trademark manufacturer, or

otherwise, does not necessarily constitute or imply its endorsement,

recommendation, or favoring by the United States Government or the

University of California.  The views and opinions of authors expressed

herein do not necessarily state or reflect those of the United States

Government nor the University of California, and shall not be used for

advertising or product endorsement purposes.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


This recovery procedure should be applied to a compromised VMS system

whenever it can not be determined that the intruders failed to gain

system privilege.

1.      Get a hardcopy listing of your current SYSUAF.DAT   If

SYSUAF.DAT contains an extremely large number of users, it will take

considerable time to restore all accounts (so it may be expedient to

save SYSUAF.DAT to tape or elsewhere so it can be restored, although we

do not generally recommend this procedure).

2.      Remove from all disks all executable code (including DCL

command procedures) run by  privileged accounts.

3.      Initialize the system disk to remove all files.  (This is an

extreme step, but it is guaranteed to remove any damage done by the


4.      Install VMS and all layered products. 


5.      Use AUTHORIZE to add only currently active accounts (or restore

the SYSUAF.DAT you saved).  If you restore SYSUAF.DAT you must

scrutinize it very carefully.  To restore SYSUAF.DAT is not generally

recommended.  It is better to re-create only the active accounts,

because this not only removes all dormant accounts, but also guarantees

elimination of bogus accounts and unauthorized modifications.

6.      Restore from TRUSTED backups all site specific files found on

the system disk.  In the event you do not have TRUSTED backups, we

recommend you re-create these files.

Note:  "Trusted backups" are defined as backups in which there is a

high degree of assurance that there were no unauthorized changes made

to any of the files before the backup was made.

7.      Restore from TRUSTED backups all files removed in step 2.  In

the event you do not have TRUSTED backups, we recommend that you

re-create these files.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH