Re: [Full-Disclosure] interesting trojan found

From: defiance (seclists_at_stratitec.com)
Date: 10/20/04

    To: full-disclosure@lists.netsys.com
    Date: Wed, 20 Oct 2004 14:58:52 -0500
    
    

    You could get a Knoppix disk that has NTFS r/w compiled in and use it.

    defiance

    On Wednesday 20 October 2004 11:51 am, Richard Stevens wrote:
    > A client had a problem home PC. After removal of all the usual spyware,
    > adware and 6-month-old viruses, there remained an unusual process in the
    > process list, logon.exe, which Process Explorer pointed to as being from
    > c:\windows\system32\logon.exe.
    >
    > It tries to connect to a singnet IP address on port 3175.
    >
    > This file appeared almost invisible to the file system in both safe &
    > normal mode, which struck me as being unusual.
    >
    > You could not delete it, copy it or see it in a directory listing (file not
    > found), but you could execute it directly.
    >
    > I eventually got a copy of it by using an NTFS-reader boot disk, and ran it
    > through VirusTotal.
    >
    > Kaspersky was the only one to recognize it as backdoor.win32.rbot.gen.
    >
    > Just wondering really:
    >
    > a: if anyone wants it for study (off-list replies please; it will be sent in
    > a passworded zip).
    > b: does anyone know a free boot disk that both reads & writes to NTFS, so I
    > can delete it?
    >
    >
    > Regards
    >
    > Richard
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html


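The offline removal the reply recommends, as an added example that is not part of the thread. It assumes a Linux live system (Knoppix or similar) on which the Windows volume has already been mounted read/write at a path of your choosing (on a current live CD that is `mount -t ntfs-3g /dev/sda1 /mnt/win`; the device name and mount point are assumptions). Because the file could not be copied from inside Windows, the point is to preserve a copy and its hash for later analysis before deleting it from the volume, and to locate it case-insensitively, since NTFS folds case and Linux does not:

```shell
#!/bin/sh
# Added example, not from the original posts. Run from a Linux live CD
# with the NTFS volume mounted read/write (e.g. at /mnt/win). The
# device name, mount point and evidence directory are assumptions.
set -eu

# hash_file FILE : print the SHA-256 of FILE (what VirusTotal keys on).
hash_file() {
    sha256sum "$1" | awk '{print $1}'
}

# find_ci MOUNT RELPATH : locate RELPATH below MOUNT ignoring case,
# because the volume may be mounted as WINDOWS/, Windows/ or windows/.
# Prints the first match, or nothing.
find_ci() {
    find "$1" -ipath "$1/$2" -type f 2>/dev/null | head -n 1
}

# quarantine_file MOUNT RELPATH EVIDENCE_DIR
# Copies MOUNT/RELPATH into EVIDENCE_DIR (keeping timestamps), appends
# its SHA-256 to EVIDENCE_DIR/hashes.txt, then removes the original from
# the mounted volume. Prints the hash so the caller can record it.
quarantine_file() {
    mount="$1"; rel="$2"; evidence="$3"
    src="$mount/$rel"
    if [ ! -f "$src" ]; then
        echo "not found on volume: $src" >&2
        return 1
    fi
    mkdir -p "$evidence"
    name=$(basename "$rel")
    cp -p "$src" "$evidence/$name"
    h=$(hash_file "$evidence/$name")
    printf '%s  %s\n' "$h" "$rel" >> "$evidence/hashes.txt"
    rm -f "$src"
    echo "$h"
}

# Typical use on the live CD (assumed paths; not executed when sourced):
#   mount -t ntfs-3g /dev/sda1 /mnt/win
#   p=$(find_ci /mnt/win "windows/system32/logon.exe")
#   quarantine_file /mnt/win "${p#/mnt/win/}" /root/evidence
#   umount /mnt/win
```

Deleting from the offline volume removes the binary but not its persistence entry; once back in Windows, expect a Run key or service still pointing at the missing path, and check that the process no longer appears and the connection to port 3175 is gone.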
