DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  rollback.exe

SYSTEMS AFFECTED

  NT 3.5, 3.51, 4.0
  

PROBLEM


    This vulnerability was originally presented on:

        www.ntshop.com/security

    and credit for this text is partly theirs.

    Rollback.exe wipes out all registry entries and forces a reinstall
    of NT.

    Rollback.exe displays no warning before wiping the registry.  The
    .EXE can be trojaned simply by renaming it and distributing it
    under another name.

    Do not run this file on a production system!  There is no way to
    recover information erased by running this utility, so anything
    stored in the registry will be lost.  This includes user account
    information, protocol bindings, application settings, user
    preferences, etc.

    Rollback.exe is on the Windows  NT compact discs in the  following
    directory:

        support\deptools\<system>\



EXPLOIT

  

SOLUTION


    The only fix to this problem is to restore the entire system from a
    current tape backup.  The Emergency Repair Disk does not restore
    the system, as it requires Setup.log and specific registry
    components to be present.

    Protecting yourself against a trojan program -- such as
    rollback.exe renamed to something else -- is difficult to do.  In
    fact, it all boils down to common sense and judgement.  Don't
    install software that you don't trust completely.  Any intruder
    could easily disguise a package to look as though it came from a
    legitimate vendor, packaging and all.  The only thing you can do is
    to install the software on a system that "doesn't matter" in the
    event that the software trashes the entire system.
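
    Because the file name tells you nothing (the trojan is simply the
    real binary under another name), the one check that does work is to
    identify the file by its content.  The script below is an added
    example, not part of the original advisory: it hashes every file in
    a package you are about to install and flags any whose SHA-256
    matches a binary you have decided must never run on a production
    host, whatever it has been renamed to.  The "dangerous" bytes and
    the package contents are constructed stand-ins; the real digest of
    rollback.exe is not given on this page and must be computed from a
    trusted Windows NT CD (support\deptools\<system>\).

```python
"""Flag renamed copies of a known-dangerous binary by content hash.

Added example, not from the original advisory.  KNOWN_DANGEROUS_CONTENT is
constructed stand-in content; replace it with the digest of rollback.exe
hashed from a trusted NT CD before using this for real.
"""
import hashlib
import os
import tempfile

# Constructed stand-in for the bytes of the binary you never want run.
KNOWN_DANGEROUS_CONTENT = b"MZ\x90\x00 constructed stand-in for rollback.exe"


def sha256_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_denylist(samples):
    """Map SHA-256 hex digest -> label for each (label, bytes) pair."""
    return {hashlib.sha256(data).hexdigest(): label for label, data in samples}


def scan_tree(root, denylist):
    """Return sorted [(relative_path, label)] for every file whose CONTENT
    matches a denylisted digest.  File name and extension are ignored,
    which is the whole point: a renamed rollback.exe is still rollback.exe.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            label = denylist.get(sha256_of_file(full))
            if label is not None:
                hits.append((os.path.relpath(full, root), label))
    return sorted(hits)


def demo():
    """Constructed package: a renamed copy of the dangerous binary, a
    harmless file that merely borrows the name, and a text file.  Only the
    renamed copy should be flagged."""
    denylist = build_denylist([("rollback.exe", KNOWN_DANGEROUS_CONTENT)])
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        package = {
            # the trojan: identical bytes, innocent-looking name
            os.path.join("bin", "setup.exe"): KNOWN_DANGEROUS_CONTENT,
            # same name as the dangerous tool, but different content
            "rollback.exe": b"MZ\x90\x00 unrelated program with the same name",
            "readme.txt": b"Vendor Widget 1.0 installation notes\n",
        }
        for rel, data in package.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return scan_tree(root, denylist)


if __name__ == "__main__":
    for rel, label in demo():
        print(f"{rel}: content matches {label}")
```

    Run it against the unpacked vendor package before anything in it is
    executed.  A hit means the package carries a byte-for-byte copy of a
    binary on your denylist regardless of what it is called; a clean run
    only means no known-bad file was found, not that the package is safe,
    so the advice above about installing on a throwaway system still
    stands.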