[Full-disclosure] Re: unknown windows rootkit
From: Derek (derek_at_angelofsin.net)
Date: 11/21/05
- Previous message: Thierry Carrez: "[Full-disclosure] [ GLSA 200511-16 ] GNUMP3d: Directory traversal and insecure temporary file creation"
- Next in thread: sk / GroundZero: "Re: [Full-disclosure] Re: unknown windows rootkit"
- Reply: sk / GroundZero: "Re: [Full-disclosure] Re: unknown windows rootkit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 21 Nov 2005 08:28:53 -0500 To: full-disclosure@lists.grok.org.uk
Your notes indicate you had trouble removing some registry entries. I'd
suggest running PSExec from Sysinternals. It's free and comes with
source from www.sysinternals.com, and the command would be something like:
psexec /s /i /d c:\path\to\regedt32.exe
If you can't edit or delete those keys this way, I don't know of another
tool that will let you without resorting to an offline registry editor.
>>We found what seems to be a unknown rootkit on a
>>customer system which was windows 2000 sp4.
>>It is a kernel resident infector as it installs itself as
>>hidden device driver operating in kernel level to hide
>>its directories and programs aswell as network connections.
>>For our research we named it Win32/McSport-A.
>>
>>
>>More Detailed informations aswell as removal instructions
>>can be found here: http://www.groundzero-security.com/mcsport.html
>>
>>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Previous message: Thierry Carrez: "[Full-disclosure] [ GLSA 200511-16 ] GNUMP3d: Directory traversal and insecure temporary file creation"
- Next in thread: sk / GroundZero: "Re: [Full-disclosure] Re: unknown windows rootkit"
- Reply: sk / GroundZero: "Re: [Full-disclosure] Re: unknown windows rootkit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
