"Todd Towles" <[EMAIL PROTECTED]> writes:
> But if it is a rootkit, does it not hide from normal AV scanning?
The Rxbot/Spybot variant that I've seen recently had a couple of
startup hooks in the registry - "blah service" and value was
"xaxe.exe" or "bling.exe". It made no real effort to hide,
> Sent: Thursday, October 21, 2004 11:33 AM
> To: Todd Towles; [EMAIL PROTECTED]
> Subject: SV: [SPAM] RE: [Full-Disclosure] interesting trojan found
>
> Hi Todd,
>
> >But if it is a rootkit, does it not hide from normal AV scanning?
>
> Nope, you'
Hi Todd,
>But if it is a rootkit, does it not hide from normal AV scanning?
Nope, you'll see it in the system process list, but since it's active in memory,
you won't be able to end it.
The trojan is a RDBot variant (Spybot). Like other variants, from this
string, it spreads across local and remote ne
hi,
>But if it is a rootkit, does it not hide from normal AV scanning?
It's more like a worm. But it hides its presence in the file
system, when it's active - dirlist doesn't show it, so you can't
scan it like a file.
all the best,
W.
--
Re: [SPAM] RE: [Full-Disclosure] interesting trojan found
>
> On Wed, 20 Oct 2004, Richard Stevens wrote:
>
> > http://81.101.19.177/logon.zip
>
> F-PROT ANTIVIRUS
> Program version: 4.4.7
> Engine version: 3.14.13
> LOGON.EXE is a security risk named W32/Spybot.BCM
>
Title: [Full-Disclosure] interesting trojan found
On Wednesday 20 October 2004 11:51 am, Richard Stevens wrote:
> A client had a problem home PC, after removal of all the usual
> spyware, adware and 6 month old viruses,
>
> there remained an unusual process in the process lis
On Wed, 20 Oct 2004, Richard Stevens wrote:
> http://81.101.19.177/logon.zip
F-PROT ANTIVIRUS
Program version: 4.4.7
Engine version: 3.14.13
LOGON.EXE is a security risk named W32/Spybot.BCM
ClamAV does not recognize it yet. (But it is in the queue as Submission
number 6278.)
Hugo.
--
Thanks to all that have mailed regarding this malware,
I really wasn't expecting such a large response, and have made the file available from
the web as it will probably be a day or two before I can reply to any more mails.
Thanks for all the suggestions & advice regarding deleting the file. I'
I'm fairly sure you can delete it after mounting the partition in either
Minix or Knoppix.
> From: Richard Stevens <[EMAIL PROTECTED]>
> Date: Wed, 20 Oct 2004 17:37:26 +0100
> To: <[EMAIL PROTECTED]>
> Subject: [Full-Disclosure] interesting trojan found
>
>
[EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Danny
> Sent: Wednesday, October 20, 2004 1:10 PM
> To: Richard Stevens
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] interesting trojan found
>
> On Wed, 20 Oct 2004 17:51:26 +0100, Richard Stevens
On Wed, 20 Oct 2004 17:51:26 +0100, Richard Stevens
<[EMAIL PROTECTED]> wrote:
> b: anyone know a free boot disk that both reads & writes to NTFS, so I can delete it!
If you have a CD-ROM, http://www.nu2.nu/pebuilder/.
...D
You could get a knoppix disk that has ntfs r/w compiled in and use it.
defiance
On Wednesday 20 October 2004 11:51 am, Richard Stevens wrote:
> A client had a problem home PC, after removal of all the usual spyware,
> adware and 6 month old viruses,
>
> there remained an unusual process in the pr
A client had a problem home PC, after removal of all the usual spyware, adware and 6
month old viruses,
there remained an unusual process in the process list, logon.exe, which
Process Explorer pointed to it being from c:\windows\system32\logon.exe
it tries to connect to a singnet ip address