COMMAND

    rollback.exe

SYSTEMS AFFECTED

    NT 3.5, 3.51, 4.0

PROBLEM

    This vulnerability was originally presented at www.ntshop.com/security, and part of this text is credited to them.

    Rollback.exe wipes out all registry entries and forces a reinstall of NT. It does not display any warning messages before wiping the registry. This .EXE can be trojaned simply by renaming and distributing the file.

    Do not run this file on a production system! There is no way to recover information erased by running this utility, so anything stored in the registry will be lost. This includes user account information, protocol bindings, application settings, user preferences, etc.

    Rollback.exe is on the Windows NT compact discs in the following directory:

        support\deptools\<system>\

SOLUTION

    The only fix for this problem is to restore the entire system from a current tape backup. The Emergency Repair Disk does not restore the system, as it requires the Setup.log and specific registry components to be present.

    Protecting yourself against a trojan program, such as rollback.exe renamed to something else, is difficult to do. In fact, it all boils down to common sense and judgement. Don't install software that you don't trust completely. Any intruder could easily disguise a package to look as though it came from a legitimate vendor, packaging and all. The only thing you can do is to install the software on a system that "doesn't matter" in the event that the software trashes the entire system.
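Because a renamed copy keeps the same bytes, a pre-installation check can compare file contents instead of file names. The following is an added example, not part of the original advisory: it assumes you have a reference copy of the utility (for instance the one on the NT compact disc) and a staging directory of software awaiting installation; the function names, directory names and sample bytes are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Hash file contents in chunks; the file name plays no part."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_renamed_copies(reference, root):
    """Return paths under root whose bytes equal the reference file."""
    ref_size = os.path.getsize(reference)
    ref_digest = sha256_of(reference)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # Cheap size check first, then the full content hash.
                if os.path.getsize(path) == ref_size and sha256_of(path) == ref_digest:
                    hits.append(path)
            except OSError:
                continue  # unreadable file: skip it, do not abort the scan
    return sorted(hits)


def demo():
    """Constructed sample: stand-in bytes, not the real utility."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "rollback.exe")
        staging = os.path.join(tmp, "staging")
        os.makedirs(os.path.join(staging, "vendor"))
        payload = b"MZ" + b"constructed stand-in bytes" * 64
        with open(ref, "wb") as f:
            f.write(payload)
        with open(os.path.join(staging, "vendor", "setup.exe"), "wb") as f:
            f.write(payload)              # same bytes, different name
        with open(os.path.join(staging, "readme.txt"), "wb") as f:
            f.write(b"x" * len(payload))  # same size, different bytes
        return [os.path.relpath(p, staging) for p in find_renamed_copies(ref, staging)]


if __name__ == "__main__":
    print(demo())
```

This only flags byte-identical copies; a binary that has been modified, repacked or wrapped in an installer will not match, so it complements rather than replaces testing on a system that "doesn't matter".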