RE: Strange servicepack.exe file (not service.exe) found.

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 12/17/03

Next message: Shad Williams: "Re: Need two files for testing"

Previous message: James C Slora Jr: "RE: Strange servicepack.exe file (not service.exe) found."
In reply to: James C Slora Jr: "RE: Strange servicepack.exe file (not service.exe) found."
Next in thread: James C Slora Jr: "RE: Strange servicepack.exe file (not service.exe) found."
Reply: James C Slora Jr: "RE: Strange servicepack.exe file (not service.exe) found."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 17 Dec 2003 11:17:53 -0800 (PST)
To: incidents@securityfocus.com

James,

> How fun is this, though - Symantec's response today
> says the file contains
> no malicious code. So nothing ever happened on the
> machine that had to be rebuilt. Hmmmm.

From what I've seen (online, in courses, at work, etc)
this seems to be indicative of the state of incident
response in the Windows world. Rather than developing
a methodolgy, or employing one of the many that are
already available, most organizations seem to prefer
to sink time and effort into rebuilding systems...even
if it may ultimately prove unnecessary.

> Of course the servicepack.exe file could have been a
> downloaded byproduct of
> another infection on the affected machine.

May have been...but one will never know. And if there
had been an "infection", it may have been something as
innocuous as simple spyware, rather than a worm
infection or a full out compromise.

Harlan

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Next message: Shad Williams: "Re: Need two files for testing"

Previous message: James C Slora Jr: "RE: Strange servicepack.exe file (not service.exe) found."
In reply to: James C Slora Jr: "RE: Strange servicepack.exe file (not service.exe) found."
Next in thread: James C Slora Jr: "RE: Strange servicepack.exe file (not service.exe) found."
Reply: James C Slora Jr: "RE: Strange servicepack.exe file (not service.exe) found."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Browser closes unexpectedly
... Stu wrote: ... is kept updated daily and the last update was yesterday when I rebuilt the ... since expired and/or the machine's not been kept fully-patched at Windows ...
(microsoft.public.windows.inetexplorer.ie6.browser)
RE: Strange servicepack.exe file (not service.exe) found.
... >> byproduct of another infection on the affected machine. ... > compromise. ... rest of the network or if it was communicating outside the LAN. ... Plus it would really be silly if machine gets rebuilt when a reboot might ...
(Incidents)
Re: System File Restore
... Your courses of action here are: a) identify the infection and remove it; or 2) erase the hard disk and start over. ... I have XP SP2 on CD and would like to extract them from the CAB files. ... System Restore is not an option because the customer disabled it. ...
(microsoft.public.windowsxp.help_and_support)