Re: New Trojan

From: Brian Eckman (eckman_at_umn.edu)
Date: Mon, 27 Oct 2003 15:30:47 -0600
To: Damian Gerow <damian@sentex.net>


> AFAIK, there is *no* method of removal for this trojan, due to its way of
> infection. Some have speculated that there is an option for removal within
> the trojan, but I have no confirmation of this -- try running strings on the
> DLL, and see if you can find anything in there (i.e. grep for 'remov',
> 'instal').

It can be "removed" by renaming all instances of rundll32.exe at once,
so System File Protection won't replace it again. Then reboot and remove
it from starting up in the registry and, if you're paranoid, overwrite
the ADS stream with benign text. Then rename rundll32.exe back again.

It should also be removable by unregistering the DLL and then deleting the
registry entry, as was mentioned earlier in this thread. I haven't tried
it though.

Brian

-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737
"There are 10 types of people in this world. Those who
understand binary and those who don't."
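The registry and ADS steps of the removal procedure above, as an added example that is not code from the original post or the thread. It finds Run-key values that start rundll32.exe with a DLL held in an NTFS alternate data stream, lists the streams on the host file, and neutralises the entry (delete the autorun value, then overwrite or drop the stream). It assumes a modern Windows with PowerShell 3 or later (the -Stream parameters); the file, stream and export names in the comments are illustrative, and the rundll32.exe rename step from the post is left to the operator because it depends on the version's file-protection mechanism.

```powershell
# Added example, not from the original post. Run elevated.
# Assumes PowerShell 3+ for Get-Item/Set-Content/Remove-Item -Stream.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Matches a command such as (illustrative names):
#   rundll32.exe C:\WINNT\system32\host.txt:payload.dll,Export
# 'file' captures the host file, 'stream' the ADS name after the second colon.
$AdsPattern = 'rundll32(\.exe)?\s+"?(?<file>[A-Za-z]:\\[^:"]+):(?<stream>[^,\s"]+)'

function Find-AdsAutorun {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
            if ("$($p.Value)" -match $AdsPattern) {
                [pscustomobject]@{
                    Key     = $key
                    Value   = $p.Name
                    Command = $p.Value
                    File    = $Matches['file']
                    Stream  = $Matches['stream']
                }
            }
        }
    }
}

function Show-Streams {
    param([string]$Path)
    # Every stream other than the default ':$DATA' is an alternate data stream.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
        Where-Object Stream -ne ':$DATA' |
        Select-Object Stream, Length
}

function Disable-AdsAutorun {
    param([Parameter(Mandatory)]$Hit, [switch]$Overwrite)
    # 1. Stop it being launched at the next boot.
    Remove-ItemProperty -Path $Hit.Key -Name $Hit.Value -ErrorAction Stop
    # 2. Overwrite the stream with benign text (the post's "paranoid" step),
    #    or remove the stream altogether.
    if ($Overwrite) {
        Set-Content -LiteralPath $Hit.File -Stream $Hit.Stream -Value 'cleaned'
    } else {
        Remove-Item -LiteralPath $Hit.File -Stream $Hit.Stream
    }
}

$hits = @(Find-AdsAutorun)
if ($hits.Count -eq 0) { 'No rundll32 autorun pointing at an alternate data stream found.' }
foreach ($h in $hits) {
    "$($h.Key)\$($h.Value) -> $($h.Command)"
    Show-Streams -Path $h.File
    # Disable-AdsAutorun -Hit $h -Overwrite   # uncomment after review; if the
    # stream is still mapped by a running rundll32.exe, reboot first as the post says
}
```

Review the hits before calling Disable-AdsAutorun: the pattern is deliberately broad and will also flag a legitimate program that keeps a DLL in a stream. Overwriting rather than deleting the stream keeps the host file's primary data intact and leaves evidence that the stream existed, which is useful if the machine is later examined.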
    
