Re: Probable Trojan.
From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 10/28/03
- Previous message: Damian Gerow: "Re: New Trojan"
- In reply to: Brian Eckman: "Re: Probable Trojan."
- Next in thread: debrasuz_at_ctmail.ummu.umich.edu: "Re: Probable Trojan."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 28 Oct 2003 11:17:09 -0800 (PST) To: incidents@securityfocus.com
For checking startup locations, I'd recommend AutoRuns
from SysInternals and AutoStart Viewer from DiamondCS.
--- Brian Eckman <eckman@umn.edu> wrote:
> Gene wrote:
> >
> > Have a buddy complaining about his AOL account
> password being stolen every time he logs onto AOL
> from his PC at work. I talked him through doing an
> fport on his box and he sent me the results:
>
> <snip>
>
> I wouldn't worry about services listening on the
> machine as much as what
> is running at startup. A keylogger or other password
> stealer has no need
> to listen on a port. It would more likely phone home
> as needed.
>
> Based on your FPort results, I assume it's Windows
> 2000, which doesn't
> ship with MSCONFIG.EXE. I'd personally grab a copy
> of MSCONFIG.EXE from
> a Windows XP box and run it on the machine to get a
> quick glance at most
> places that malware run from to load when Windows
> starts up.
> (Disclaimer: I have a site license for Windows
> upgrades and therefore
> what I propose above should be legal in my
> workplace. Your mileage may
> vary.)
>
> I know, I know, MSCONFIG doesn't show every piece of
> code that launches
> at startup, and you can manually go to each location
> it checks to see
> what is running. It's just a really quick way to
> check the usual suspects...
>
> Brian
>
> --
> Brian Eckman
> Security Analyst
> OIT Security and Assurance
> University of Minnesota
> 612-626-7737
>
> "There are 10 types of people in this world. Those
> who
> understand binary and those who don't."
>
>
>
---------------------------------------------------------------------------
> Network with over 10,000 of the brightest minds in
> information security
> at the largest, most highly-anticipated industry
> event of the year.
> Don't miss RSA Conference 2004! Choose from over 200
> class sessions and
> see demos from more than 250 industry vendors. If
> your job touches
> security, you need to be here. Learn more or
> register at
>
http://www.securityfocus.com/sponsor/RSA_incidents_031023
> and use priority code SF4.
>
----------------------------------------------------------------------------
>
---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------
- Previous message: Damian Gerow: "Re: New Trojan"
- In reply to: Brian Eckman: "Re: Probable Trojan."
- Next in thread: debrasuz_at_ctmail.ummu.umich.edu: "Re: Probable Trojan."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
