RE: New Trojan

From: David LeBlanc (dleblanc_at_Exchange.Microsoft.com)
Date: 10/29/03

  • Next message: Mark E. Donaldson: "RE: Probable Trojan." 
    Date: Tue, 28 Oct 2003 18:51:10 -0800
To: "Brian Eckman" <eckman@umn.edu>, "Damian Gerow" <damian@sentex.net>

    -----Original Message-----
    From: Brian Eckman [mailto:eckman@umn.edu]
    Sent: Monday, October 27, 2003 1:31 PM
    To: Damian Gerow
    Cc: incidents@securityfocus.com
    Subject: Re: New Trojan

    > AFAIK, there is *no* method of removal for this trojan, [snip]

    It can be "removed" by renaming all instances of rundll32.exe at once,
    so System File Protection won't replace it again. [snip]
    ----------------------------

    Something else to add to your bag of tricks is that WFP won't tamper
    with ACLs. So instead of trying to remove or rename executables, re-ACL
    them to read, no execute. This can be done remotely without logging in,
    assuming you have admin privileges.

    This won't help in all cases, but can sometimes be useful. Likewise, if
    something insists on putting registry keys back again, take away your
    own permission to write to the parent key temporarily (leaving yourself
    delete permission), then nuke it. It might even kill the thing by
    causing it to take unexpected code paths...

    IMHO, a clean reformat and reinstall is always the best way to get rid
    of a Trojan, but these techniques might help in some situations.

    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_incidents_031023
    and use priority code SF4.
    ----------------------------------------------------------------------------

  • Next message: Mark E. Donaldson: "RE: Probable Trojan."

    Relevant Pages

    • RE: New Trojan
      ... Subject: New Trojan ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ...
      (Incidents)
    • Re: strange ftp site
      ... >Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ... Learn more or register at ... >and use priority code SF4. ...
      (Incidents)
    • RE: New Trojan
      ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ... Learn more or register at ... and use priority code SF4. ...
      (Incidents)
    • RE: clients TCP port 256 hammered by several hosts
      ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ... Learn more or register at ... and use priority code SF4. ...
      (Incidents)
    • RE: Large increase in port 27347
      ... Network Administrator ... Network with over 10,000 of the brightest minds in information security ... most highly-anticipated industry event of the year. ... and use priority code SF4. ...
      (Incidents)
    • Quantcast