DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  rollback.exe


SYSTEMS AFFECTED

  NT 3.5, 3.51, 4.0

  

PROBLEM


    This vulnerability was originally presented on:

        www.ntshop.com/security

    and credit for parts of this text belongs to them.

    Rollback.exe wipes out all registry entries, and forces a reinstall
    of NT.

    Rollback.exe does not display warning messages before wiping the
    registry. This .EXE can be trojaned simply by renaming and
    distributing the file.

    Do not run this file on a production system! There is no way to
    recover information erased by running this utility, so anything
    stored in the registry will be lost. This includes user account
    information, protocol bindings, application settings, user
    preferences, etc.

    Rollback.exe is on the Windows NT compact discs in the following
    directory:

        support\deptools\<system>\



EXPLOIT

  

SOLUTION


    The only fix to this problem is to restore the entire system from a
    current tape backup. The Emergency Repair Disk does not restore the
    system, as it requires the Setup.log and specific registry
    components to be present.

    Protecting yourself against a trojan program -- such as rollback.exe
    renamed to something else -- is difficult to do. In fact, it all
    boils down to common sense and judgement. Don't install software
    that you don't trust completely. Any intruder could easily disguise
    a package to look as though it came from a legitimate vendor,
    packaging and all. The only thing you can do is to install the
    software on a system that "doesn't matter" in the event that the
    software trashes the entire system.
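
    As an added defender-side check, not part of the original advisory:
    the PowerShell script below scans a directory for .exe files that
    look like renamed copies of rollback.exe, comparing each file's
    SHA-256 against an administrator-supplied hash of the genuine binary
    (placeholder value, since the advisory gives none) and comparing the
    VERSIONINFO OriginalFilename, which survives a rename, with the
    on-disk name. It assumes the binary carries a version resource and
    that PowerShell 4.0 or later is available on the scanning host.

```powershell
# Added example, not from the original advisory. Flags .exe files that look
# like renamed copies of rollback.exe using two signals:
#   1. SHA-256 match against a hash list the administrator computed from the
#      genuine rollback.exe on the NT CD (placeholder value below; the
#      advisory gives no hash), and
#   2. the VERSIONINFO OriginalFilename resource, which survives a rename
#      (assumes the binary carries a version resource).
param(
    [Parameter(Mandatory)] [string] $Path,
    [string[]] $KnownHashes = @('<SHA256-OF-GENUINE-ROLLBACK.EXE>'),  # placeholder
    [string[]] $WatchNames  = @('rollback.exe')
)

$findings = foreach ($file in Get-ChildItem -Path $Path -Recurse -File -Include *.exe) {
    $hash    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $orig    = $file.VersionInfo.OriginalFilename
    $reasons = @()

    if ($KnownHashes -contains $hash) {
        $reasons += 'SHA-256 matches known destructive binary'
    }
    # PowerShell string comparisons are case-insensitive by default, which
    # matches NT file-name semantics.
    if ($orig -and ($WatchNames -contains $orig) -and ($orig -ne $file.Name)) {
        $reasons += "OriginalFilename '$orig' differs from on-disk name '$($file.Name)'"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Path             = $file.FullName
            SHA256           = $hash
            OriginalFilename = $orig
            Reason           = ($reasons -join '; ')
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No suspicious copies found under $Path"
}
```

    Run it as .\Find-RenamedRollback.ps1 -Path D:\incoming (script name is
    an assumption). A mismatch between OriginalFilename and the on-disk
    name is only a heuristic, since legitimate binaries get renamed too,
    so treat hits as leads for manual inspection rather than verdicts.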