Re: New Trojan
From: Damian Gerow (damian_at_sentex.net)
Date: 10/27/03
- Previous message: Rob Shein: "RE: New Trojan"
- Maybe in reply to: Jay Castaldo: "New Trojan"
- Next in thread: Damian Gerow: "Re: New Trojan"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 27 Oct 2003 16:39:42 -0500 To: Brian Eckman <eckman@umn.edu>
Thus spake Brian Eckman (eckman@umn.edu) [27/10/03 16:31]:
> >AFAIK, there is *no* method of removal for this trojan, due to its way of
> >infection. Some have speculated that there is an option for removal within
> >the trojan, but I have no confirmation of this -- try running strings on
> >the
> >DLL, and see if you can find anything in there (i.e. grep for 'remov',
> >'instal').
>
> It can be "removed" by renaming all instances of rundll32.exe at once,
> so System File Protection won't replace it again. Then reboot and remove
> it from starting up in the registry and, if you're paranoid, overwrite
> the ADS stream with benign text. Then rename rundll32.exe back again.
>
> It should be also removable by unregistering the DLL then deleting the
> registry entry, as was mentioned earlier in this thread. I haven't tried
> it though.
It can also be 'removed' by booting off of a floppy disk or recovery CD,
deleting the DLL, then starting normally.
I should clarify what I was saying: I can probably remove it, and most of
you (I'm sure) can probably remove it. But we're an ISP, so I can't
honestly expect that even a significant portion of our customers -- let
alone those who become infected -- will know how to remove it. Which is the
reason for a format-reinstall.
This also drives home the point that security *does* matter, they *do* need
to do Windows Update, and they *can't* get clickyitis when it comes to
e-mail.
- Damian
---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------
- Previous message: Rob Shein: "RE: New Trojan"
- Maybe in reply to: Jay Castaldo: "New Trojan"
- Next in thread: Damian Gerow: "Re: New Trojan"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
