Re: Sub7 (SubSeven), Win2k, and IE 5.5

From: H C (keydet89@yahoo.com)
Date: 03/20/02


Date: Wed, 20 Mar 2002 13:27:39 -0800 (PST)
From: H C <keydet89@yahoo.com>
To: jogglie@excite.com, focus-ms@securityfocus.com, incidents@securityfocus.com

Kirk,

A couple of questions, if you don't mind...

> Within the last couple of days,
> my Windows 2000 Pro Workstation had Sub7 placed in
> the \WINNT\SYSTEM32 folder, as well as the "Run"
> registry key. It never installed, because my system
> caught it.

When you say your "system caught it", are you
referring to the A/V software? I'm curious as to the
specifics of this, as I've written several articles
and papers regarding how to protect against this sort
of thing by using the DACLs and SACLs available on the
system itself, in addition to A/V products.

> It was detected upon a reboot and
> login - somehow previously circumnavigating NAV CE's
> RealTime protection - by the logs, it WAS ACTIVE.

What logs are you referring to? EventLogs? If so,
what entries are you referring to? Did you have
auditing for Process Tracking enabled?

I've never seen what you've described...a well-known
trojan making it onto a system, past all of the
security measures you describe, as well as realtime
A/V protection. I'd be interested in hearing more
about the situation. Particularly, aside from the A/V
software and HotFixes, what other security measures
were circumvented? Did you happen to run PULIST.EXE
to determine the owner of the process? Was the trojan
listening on the default port?

Also, if you still have a copy of the .exe file, would
you be willing to zip it up and send it to me?

Thanks


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
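The checks asked about above (what is in the Run keys, who owns each running process, and whether anything is listening on the trojan's default port) can be scripted on a current Windows host. The following is an added example written for this page, not code from the original thread or from any tool it names: it approximates on Windows PowerShell 5.1 or later what PULIST.EXE and netstat/fport gave on Windows 2000, where Get-NetTCPConnection and Get-CimInstance do not exist. The port list and the "system directory" path are assumptions the reader should adjust; 27374 is the widely documented SubSeven default, and the event IDs for "new process created" are 592 on Windows 2000/XP/2003 and 4688 on Vista and later, which only appear if Process Tracking (Audit Process Creation) is enabled.

```powershell
# Added triage example (not from the original post). Lists Run-key entries,
# process owners and listening TCP ports, then pulls process-creation audit
# events that mention the system directory. Run from an elevated prompt.
param(
    # Assumption: ports worth flagging. 27374 is the commonly cited Sub7 default.
    [int[]]$SuspectPorts = @(27374),
    # Assumption: the drop location the poster named (\WINNT\SYSTEM32 on Win2k).
    [string]$SystemDir = "$env:SystemRoot\System32",
    # Assumption: how far back to look in the Security log for 4688 events.
    [int]$LookbackHours = 24
)

# 1. Run keys: the persistence location the poster said Sub7 was written to.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # provider metadata, not a value
        $cmd = [string]$p.Value
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = $cmd
            # Flag commands that point into the system directory; most benign
            # Run entries live under Program Files, so these deserve a look.
            InSys32 = ($cmd -like "*$SystemDir*")
        }
    }
}
Write-Host '== Run-key entries =='
$runEntries | Format-Table -AutoSize

# 2. Process owners: the question PULIST.EXE answered on Windows 2000.
#    A user-mode trojan started from HKCU\...\Run runs as the logged-on user;
#    one started from HKLM\...\Run still runs in the user's session, not as SYSTEM.
Write-Host '== Running processes and owners =='
Get-CimInstance Win32_Process | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    [pscustomobject]@{
        PID   = $_.ProcessId
        Name  = $_.Name
        Owner = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '<none>' }
        Path  = $_.ExecutablePath
    }
} | Sort-Object Owner, Name | Format-Table -AutoSize

# 3. Listening TCP ports mapped to the owning process (netstat -ano / fport).
Write-Host '== Listening TCP ports =='
Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalPort = $_.LocalPort
        PID       = $_.OwningProcess
        Process   = if ($proc) { $proc.ProcessName } else { '?' }
        Suspect   = ($SuspectPorts -contains [int]$_.LocalPort)
    }
} | Sort-Object LocalPort | Format-Table -AutoSize

# 4. Process Tracking audit trail. Event 4688 (592 on Win2k) is only logged
#    when Audit Process Creation is enabled; an empty result here most often
#    means auditing was off, not that nothing ran.
Write-Host "== Process-creation events in the last $LookbackHours h mentioning $SystemDir =="
$since = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
              -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host 'No 4688 events found: check that Audit Process Creation is enabled.'
} else {
    $events | Where-Object { $_.Message -like "*$SystemDir*" } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

Read the output against the poster's account: a Run entry pointing into the system directory, a process owned by the interactive user rather than SYSTEM, and a listener on a flagged port together reproduce the three observations the reply asks for, while the 4688 section shows whether the audit policy would have recorded the process at all.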
