Re: Probable Trojan.
From: Brian Eckman (eckman_at_umn.edu)
Date: 10/28/03
- Previous message: Damian Gerow: "Re: New Trojan"
- In reply to: Gene: "Probable Trojan."
- Next in thread: Harlan Carvey: "Re: Probable Trojan."
- Reply: Harlan Carvey: "Re: Probable Trojan."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 28 Oct 2003 10:04:04 -0600 To: Gene <flyersfanindc@yahoo.com>
Gene wrote:
>
> Have a buddy complaining about his AOL account password being stolen every time he logs onto AOL from his PC at work. I talked him through doing an fport on his box and he sent me the results:
<snip>
I wouldn't worry about services listening on the machine as much as what
is running at startup. A keylogger or other password stealer has no need
to listen on a port. It would more likely phone home as needed.
Based on your FPort results, I assume it's Windows 2000, which doesn't
ship with MSCONFIG.EXE. I'd personally grab a copy of MSCONFIG.EXE from
a Windows XP box and run it on the machine to get a quick glance at most
places that malware run from to load when Windows starts up.
(Disclaimer: I have a site license for Windows upgrades and therefore
what I propose above should be legal in my workplace. Your mileage may
vary.)
I know, I know, MSCONFIG doesn't show every piece of code that launches
at startup, and you can manually go to each location it checks to see
what is running. It's just a really quick way to check the usual suspects...
Brian
-- Brian Eckman Security Analyst OIT Security and Assurance University of Minnesota 612-626-7737 "There are 10 types of people in this world. Those who understand binary and those who don't." --------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4. ----------------------------------------------------------------------------
- Previous message: Damian Gerow: "Re: New Trojan"
- In reply to: Gene: "Probable Trojan."
- Next in thread: Harlan Carvey: "Re: Probable Trojan."
- Reply: Harlan Carvey: "Re: Probable Trojan."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
