Re: Trojan.Lodear.B/Trojan.Lodav.A
From: Brad Spangler (brad_spangler_at_yahoo.com)
Date: 11/16/05
- Previous message: Chris Davis: "Re: CISCO ACLs.. Are there lists already out there to protect me from trojans and known bad sites?"
- In reply to: Joe George: "Trojan.Lodear.B/Trojan.Lodav.A"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 15 Nov 2005 23:26:02 -0600
To: security-basics@securityfocus.com
Since UnHookExec.inf is supposed to reset everything in the registry to
default settings and you're *still* not able to access the registry,
it's apparent that the full extent of the compromise hasn't been
discovered yet.
Since the full extent of the compromise hasn't been discovered, one
can't be confident that any set of steps to address the compromise will
be adequate -- save for a full rebuild.
Why? You're dealing with unknown issues. If you can't find a way to make
those unknowns into knowns, then the only reasonable course of action is
to make sure no malware could possibly survive.
As a matter of fact, I'd even be a little *more* paranoid than normal,
since you literally don't know the full extent of what you're dealing
with (beyond the known trojan itself).
Here's what I'd do:
1) Shut the Windows machine down
2) Boot the workstation off any Linux LiveCD that can read NTFS (Knoppix
should do the trick)
3) Use that to rescue the user files off the system.
4) Wipe the whole hard drive on the compromised workstation -- every
single cluster.
5) Scan the user files with an up-to-date AV tool on a non-Windows
machine before allowing them to be used in setting up a new or rebuilt
Windows workstation for the user.
"Nuke it from orbit! It's the only way to be sure!" -- Aliens
Joe George wrote:
> Hi all,
>
> I have a workstation that was compromised by the Trojan mentioned in the
> subject, after the end user opened an infected .ZIP file. I followed the
> instructions Symantec recommended. I used their removal tool because I
> was not able to access the registry. I also installed the
> UnHookExec.inf in an attempt to reset the shell/open/command reg keys,
> per the article. I was still not able to access the registry. I ran
> the removal tool several times in normal and in safe mode and each time
> it would detect and terminate the Trojan process running in
> explorer.exe. Before one removal tool run, I ran Winternals Process
> Explorer, but nothing was found. I ran two anti-virus scans but did not
> find anything after the initial detection. Is there anything that I
> have not tried that someone can suggest? I'm about ready to run a repair
> on Windows, but not ready to rebuild, as I am concerned there may be more
> workstations that have been just as compromised.
>
> Thanks in advance.
>
> --
> Joe George
> IT Janitor
> x349
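The reg keys both posters refer to (the shell\open\command handlers that UnHookExec.inf resets) can be checked offline from a registry export, which is how a defender confirms whether a fix actually took. The script below is an added example, not code from the thread or from Symantec: it parses a .reg export of HKEY_CLASSES_ROOT and reports executable file types whose handler no longer carries the stock "%1" %* value. The sample export is constructed, and the list of file types is an assumption about which handlers such a hook typically touches.

```python
import re

# Default shell\open\command data for the executable file types that
# UnHookExec.inf restores; a hooked handler substitutes its own program
# here so that it runs whenever the user launches any executable.
EXPECTED_OPEN_COMMANDS = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "piffile": '"%1" %*',
}

KEY_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\(\w+)\\shell\\open\\command\]\s*$", re.IGNORECASE)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"\s*$')

def parse_reg_export(text):
    """Map file type -> default value for each shell\\open\\command key in a .reg export."""
    found, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
        elif line.startswith("["):
            current = None          # some other key: stop collecting
        elif current:
            v = DEFAULT_VALUE_RE.match(line)
            if v:                   # undo .reg escaping of quotes and backslashes
                found[current] = v.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return found

def find_hooked_handlers(text):
    """Return {file type: actual value} for handlers present in the export but not at default."""
    actual = parse_reg_export(text)
    return {ftype: actual[ftype] for ftype, expected in EXPECTED_OPEN_COMMANDS.items()
            if ftype in actual and actual[ftype] != expected}

# Constructed sample export (not taken from a real host): exefile is hooked,
# the other three handlers are still at their defaults.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\example_hook.exe\" \"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command]
@="\"%1\" %*"
'''
```

Run it against `reg export HKCR hkcr.reg` taken from the suspect machine; an empty result after applying UnHookExec.inf means the handlers are back to stock, and a non-empty one names the program still wedged in front of every executable launch.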