RE: Strange servicepack.exe file (not service.exe) found.
From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 12/18/03
- Previous message: Rob Shein: "RE: Strange servicepack.exe file (not service.exe) found."
- In reply to: James C Slora Jr: "RE: Strange servicepack.exe file (not service.exe) found."
- Next in thread: David Gillett: "RE: Strange servicepack.exe file (not service.exe) found."
- Reply: David Gillett: "RE: Strange servicepack.exe file (not service.exe) found."
- Reply: Lucretia: "RE: Strange servicepack.exe file (not service.exe) found."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Dec 2003 16:20:03 -0800 (PST)
To: incidents@securityfocus.com
James,
> To be fair to the original poster, in hindsight there was reasonable
> association from other posts between the suspect file and some complex
> adware that downloads arbitrary additional components and takes aggressive
> actions like installing porno dialers similar to what was found.
You're mixing terminology. In my experience, and I do
have quite a bit of experience w/ adware and spyware,
these things are annoying, yes, but hardly aggressive.
And complex is being...well...generous.
I saw the response from Symantec on the item. I also
downloaded the file, and scanned it with the most
recent defs for NAV...and got nothing.
> Rebuilding might take less than an hour, while investigation and cleanup
> might take a little more.
The short term fix may be preferable...but investing a
little bit of time in determining the initial
"infection" vector might save a good deal of time in
"cleaning up" other systems.
> Recovery takes less skill and often less time than forensics. That makes it
> a positive thing provided one investigated enough to know that recovery
> eliminates any damage that might have occurred.
Hhhmmm...again, perhaps in the short term - but not in
the long run.
> The downside as you say is one will never know. The "infection" vector might
> not be determined until it happens again. And it would sure be nice to know
> if the afflicted (if not infected) machine was trying to do anything to the
> rest of the network or if it was communicating outside the LAN.
And to be quite honest, it doesn't really take a great
deal of time or skill to do these things. It simply
takes a bit of time invested in learning to do it.
> It is important to know what the machine did while it was in a suspect
> state, if possible. The rebuild doesn't help enough if, for example, network
> passwords were compromised.
Very true.
> Plus it would really be silly if a machine gets rebuilt when a reboot might
> have sufficed.
Yep. However, I believe that the argument amongst
Windows admins will continue to favor rebuilding for
the time being...however unfortunate that may be.
Harlan