Re: Strange Service is showing up on PC's on our network

• Previous message: Russ: "Re: Strange Service is showing up on PC's on our network"
• In reply to: Russ: "Re: Strange Service is showing up on PC's on our network"
• Next in thread: Knight, Jim: "Re: Strange Service is showing up on PC's on our network"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date:         Fri, 30 Jan 2004 21:02:22 +0100
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

A question about this worm, couldn't find the answer in the articles Russ
gave:
If there is already a GINA replacement DLL will the work just overwrite the
registry value in the Winlogon key or will it register itself and still call
via the replacement DLL?

That's important on machines which use Novell as the network provider (since
it uses a replacement GINA) as well as for other custom solutions (e.g. if
the GINA authenticates against a *nix server not running SAMBA).

If the worm replaces the value it will be easily recognizable but may lead
to other problems ... if not, you have an infected machine without noticing
it.

Anyone any informations?

Oliver

-----
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
-----

• Previous message: Russ: "Re: Strange Service is showing up on PC's on our network"
• In reply to: Russ: "Re: Strange Service is showing up on PC's on our network"
• Next in thread: Knight, Jim: "Re: Strange Service is showing up on PC's on our network"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]