Re: AV removal malware

From: Dave (update_at_dsrtech.com)
Date: 09/06/03

    To: Security-Basics <security-basics@securityfocus.com>
    Date: Fri, 05 Sep 2003 21:27:39 -0400

    Download an app like "Penguin Sleuth Bootable CD" so you can view the
    mounted drive without fear of infecting anything further and recover any
    data the user needs. http://www.linux-forensics.com/
    (Scan with AV after data is recovered.)

    Then I would re-roll the machine with a new image and return it to the
    user. It would take less time, unless it's mandatory you provide a
    reason why the machine is hosed.

    On Fri, 2003-09-05 at 17:06, SMiller@unimin.com wrote:
    > I'm working on a machine that has boot problems (20+ minutes for Win2K
    > "normal" boot, both safe modes freeze). When the machine finally booted I
    > saw that our AV product (eTrust 6) was gone. And I don't mean
    > non-functional, I mean vanished. No entries in Add/Remove programs, no
    > folders or files remain under Program Files or anywhere else I've looked.
    > I didn't get a chance to examine the registry before I rebooted, will do so
    > Monday (when I will also examine bootlog.txt). My question is whether
    > anyone here has run into an infection that attempts to remove antivirus
    > products that is this effective and polished. The few of those that I have
    > seen close up have merely made crude and generally unsuccessful attempts to
    > mess with registry keys. I suspect that the user or someone else with
    > access to the machine actually removed the eTrust product, after which the
    > machine may have become infected. Event Viewer no longer works, which also
    > doesn't help forensics. Thoughts?
    >
    > Scott Miller

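    The recovery step Dave describes (boot a Linux forensic CD, mount the suspect drive read-only, pull the user's data off, scan it, then re-image) can be scripted so the copy is repeatable and verifiable. The script below is an added example for this archive page, not code from the thread or from the Penguin Sleuth CD. It assumes a Linux live environment with GNU coreutils (sha256sum) and /proc/mounts, and that the suspect disk is already mounted read-only by the CD; the Win2K profile path and file names used in the usage line and comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): recover a user's files from a
# suspect drive that a forensic boot CD has mounted read-only, and write a
# SHA-256 manifest so the copy can be verified before the machine is re-imaged.
# Assumes GNU coreutils (sha256sum) and Linux /proc/mounts. All paths are
# constructed for illustration.

# Succeed only if MOUNTPOINT appears in /proc/mounts with the "ro" option.
# A suspect disk should never be mounted read-write during recovery, so a
# wrapper can refuse to proceed when this check fails.
is_mounted_ro() {
    mp=$1
    awk -v mp="$mp" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { exit found ? 0 : 1 }' /proc/mounts 2>/dev/null
}

# Copy regular files under SRC into DST, preserving relative paths, skipping
# common Windows executable extensions (the goal is user data, not binaries
# that may be the infection), and record DST/MANIFEST.sha256 with one
# "hash  relative/path" line per copied file. The copy is scanned with AV
# afterwards, as the thread suggests; nothing on the suspect disk is executed.
recover_user_data() {
    src=${1%/}
    dst=${2%/}
    manifest="$dst/MANIFEST.sha256"
    mkdir -p "$dst"
    : > "$manifest"
    # -type f also excludes symlinks, which could point outside the mount.
    find "$src" -type f \
        ! -iname '*.exe' ! -iname '*.dll' ! -iname '*.scr' \
        ! -iname '*.com' ! -iname '*.pif' -print | sort |
    while IFS= read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$dst/$(dirname "$rel")"
        cp "$f" "$dst/$rel"
        (cd "$dst" && sha256sum "$rel") >> "$manifest"
    done
}

# Number of files recorded in DST's manifest.
count_recovered() {
    wc -l < "${1%/}/MANIFEST.sha256" | tr -d ' '
}

# Re-hash the recovered copy against the manifest; non-zero on any mismatch.
verify_manifest() {
    (cd "${1%/}" && sha256sum -c --quiet MANIFEST.sha256 >/dev/null)
}

# Usage (constructed paths): sh recover.sh "/mnt/suspect/Documents and Settings/scott" /media/usb/scott
if [ "$#" -eq 2 ]; then
    recover_user_data "$1" "$2"
    echo "recovered $(count_recovered "$2") files into $2"
    verify_manifest "$2" && echo "manifest verified"
fi
```

    The executable-extension filter is a coarse safeguard only; the copied data still gets an AV scan on a clean machine, and the manifest is what lets you prove later that the user's files were not altered between recovery and hand-off.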

