Trojan modifying ntdll.dll and cmd.exe

From: Eric Greenberg (eric_at_netframeworks.com)
Date: 05/15/03

    To: <incidents@securityfocus.com>
    Date: Thu, 15 May 2003 17:33:20 -0400
    
    

    We have encountered a trojan that has modified both cmd.exe and
    ntdll.dll on a Windows 2000 machine. The files failed our CRC check
    (TDS was used for this; these, out of 29 CRC-checked files, were flagged
    as modified, and Windows also flagged it). It was installed on a well
    protected machine (behind a firewall, Zone Alarm, Norton anti-virus,
    locked down) and we believe the application installing it was either a
    vendor-installed patch this morning (we have notified the vendor and
    are getting their feedback and verifying) or a web-based IE
    exploit on a fully patched IE installation. No email attachments were
    opened on this machine, etc., that would have caused the infection. Has
    anyone on this list encountered a trojan specifically targeting BOTH of
    these files? Clearly many target cmd.exe, and both (cmd.exe and
    ntdll.dll) are great candidates for modification by a hacker. Cmd.exe
    has of course been swapped out since the beginning of time. We'd like to
    learn more about the signature of this particular one.

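The detection described in the post rests on a file-integrity baseline. As an added illustration (not code from the poster or from TDS), here is a minimal baseline-and-verify check of that kind, using SHA-256 rather than a CRC: a CRC catches accidental corruption but is trivial to keep unchanged while altering a file, so a baseline meant to catch tampering should use a cryptographic hash. The file names and contents are constructed sample data, not real system files.

```python
"""Added example: SHA-256 file-integrity baseline for monitored system files."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Record the current hash of each monitored file.

    In practice the baseline is stored off-host (or read-only media), because a
    baseline the attacker can rewrite is worthless."""
    return {p: sha256_file(p) for p in paths}


def verify(baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare files against the baseline; 'modified' entries are the ones to investigate."""
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": []}
    for path, expected in sorted(baseline.items()):
        if not os.path.exists(path):
            report["missing"].append(path)
        elif sha256_file(path) != expected:
            report["modified"].append(path)
        else:
            report["ok"].append(path)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three 'system files', then tamper with one and delete one."""
    d = tempfile.mkdtemp()
    names = {"cmd.exe": b"MZ constructed cmd.exe", "ntdll.dll": b"MZ constructed ntdll.dll",
             "kernel32.dll": b"MZ constructed kernel32.dll"}
    for name, data in names.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    baseline = build_baseline(os.path.join(d, n) for n in names)
    with open(os.path.join(d, "ntdll.dll"), "ab") as f:
        f.write(b" patched")  # simulates the trojan's modification
    os.remove(os.path.join(d, "kernel32.dll"))  # simulates a removed file
    report = verify(baseline)
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}
```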

