Comments on Journey Into Incident Response: Houston We’ve Had a Problem – Wow64
Blog author: Corey Harrell (http://www.blogger.com/profile/15008629321023489214)
Comment feed last updated 2024-03-13T01:32:25.097-04:00

----------------------------------------------------------------------
Corey Harrell (https://www.blogger.com/profile/15008629321023489214)
2013-08-06T18:13:29.669-04:00

@Kira,

Wow64 is a feature of Windows and can't be removed. This convo might be better by email. My contact information is on my about page. Send me an email and we can discuss.

----------------------------------------------------------------------
Anonymous (https://www.blogger.com/profile/18130649580284435764)
2013-08-06T17:26:58.272-04:00

Okay, I'm a little late to the conversation. But I have recently noted the WOW64 popping up briefly during start up. About the same time, I seem to have picked up some malware which I CANNOT get rid of. I have scanned my computer with three programs, one of them being Norton 360.

How do you protect yourself or find and get rid of it, without getting rid of Wow64? Can you somehow turn Wow64 off, scan for viruses? Any ideas, I would be grateful.

K

----------------------------------------------------------------------
ColinJohn (https://www.blogger.com/profile/14183127805322091428)
2013-05-14T15:58:15.482-04:00

I'm finding "wow64" being registered in the CS(User-Agent) when the User is running on a 32-bit OS and the Server is Windows Server 2003 R2 SP2, but not all the time.
For my personal User-Agent, it does not record "WOW64" when it also records either "GTB7.4" or "AskTbORJ/".
I thought they might represent some clues.

Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E;+InfoPath.2)
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+Trident/4.0;+GTB7.4;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E;+InfoPath.2;+Tablet+PC+2.0;+MS-RTC+LM+8)
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+Trident/4.0;+GTB7.4;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+.NET4.0C;+.NET4.0E;+InfoPath.2;+Tablet+PC+2.0;+MS-RTC+LM+8;+AskTbORJ/5.15.14.29495)

----------------------------------------------------------------------
Christian Wojner (https://www.blogger.com/profile/07437062375371172982)
2013-03-18T09:48:22.100-04:00

@Corey,

thx for your kind words. I'm glad you like it.

----------------------------------------------------------------------
Corey Harrell (https://www.blogger.com/profile/15008629321023489214)
2013-03-18T09:30:42.931-04:00

@Christian,

Thanks for uploading the material and sharing the links. I think you have done an outstanding job highlighting the Wow64 issue. In your slide deck I really like how you broke down what gets redirected in both the registry and filesystem.

----------------------------------------------------------------------
Christian Wojner (https://www.blogger.com/profile/07437062375371172982)
2013-03-17T07:20:13.995-04:00

Good post - it gives the topic once more some attention.
Last year I gave about 9 presentations about the "WOW-Effect" at security conferences all around the world. Every time it was absolutely new stuff to most of the people in the audience.

Because of your post I decided to upload my presentation slides to our website (you can download the slides here: http://www.cert.at/static/downloads/papers/cert.at-the_wow_effect_the_whole_dimension-slides.pdf) so that everyone has access to my full investigation on that topic. I tried to cover every aspect one might find necessary on this.

In some weeks my last presentation of my "WOW-Effect" tour last year will be available as video recordings (thx to the folks of Deepsec). You will find a link to that video at our website (http://www.cert.at/downloads/papers/wow_effect_en.html).

So, be aware of the "WOW-Effect"! :-)

Cheers,
Christian Wojner.

----------------------------------------------------------------------
H. Carvey (https://www.blogger.com/profile/08966595734678290320)
2013-03-14T08:00:16.926-04:00

Corey,

As always, awesome post!

I think that you hit a couple of nails squarely on the head...in particular, regarding online resources. With no identification of the testing platform, the assumption becomes that malware writes to a particular key or file path. Look at Beth's presentation at the SANS Summit last year...she culled an AV vendor's web site, and I don't remember her ever seeing "Wow6432Node"...