Re: [Full-Disclosure] tvm.exe / poll each.exe / blehdefyreal toolbar
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] tvm.exe / poll each.exe / blehdefyreal toolbar
- From: Harlan Carvey <keydet89@xxxxxxxxx>
- Date: Wed, 9 Jun 2004 10:39:51 -0700 (PDT)
Mark,
> The idea here is to learn something from it. Reformatting the system is
> a good idea, but before that takes place it'd be nice to learn what the
> thing actually is and how it works.
"Once you understand the nature of a thing, you know
what it's capable of." - Blade
> This thing respawns itself without a reboot. Loading Tiny Personal
> Firewall apparently prevents it from respawning. TPF does something
> about preventing code from being injected into a process, so maybe
> that's why TPF keeps it at bay.
Ok, so it performs DLL injection. Does the user
account being used on the system have the privilege to
debug programs?
> This isn't on any system I use or manage. It's on a colleague's system
> and I am trying to help find a way to figure out what it does, how to
> get it shut down permanently, removed if possible.
I'll provide some input on this. First, run several
tools to get information from the
system...pslist/tlist/handle/listdlls to get process
information, openports to get process-to-port mapping
info (use both '-netstat' and '-fport' switches).
Check the usual Registry entries where this stuff
likes to hide...map unusual entries there to DLLs
injected into processes, if this is what's happening...
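As an added illustration (not part of Harlan's reply, and not a claim about where this particular toolbar hides), the triage he describes can be done today with built-in PowerShell instead of the Sysinternals/Foundstone tools: check for the debug privilege, dump the usual Run/RunOnce keys, list each process's loaded DLLs, get the process-to-port mapping, and cross-reference autostart entries against modules found inside running processes. The key list is an assumption to extend as needed, and Get-NetTCPConnection requires Windows 8/Server 2012 or later; run from an elevated prompt.

```powershell
# Added triage script, not from the original post. Assumes an elevated prompt
# and a list of autostart keys that is only a starting point.

# Harlan's first question: does this account hold the debug-programs privilege?
whoami /priv | Select-String 'SeDebugPrivilege'

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Autostart entries: value name -> command line
$autostart = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }
}

# 2. Loaded modules per process (listdlls equivalent). Reading .Modules throws
#    for processes we cannot open, so those are skipped rather than aborting.
$modules = foreach ($proc in Get-Process) {
    $mods = try { $proc.Modules } catch { @() }
    foreach ($m in $mods) {
        [pscustomobject]@{ PID = $proc.Id; Process = $proc.ProcessName; Module = $m.FileName }
    }
}

# 3. Process-to-port mapping (what openports -netstat / -fport gave in 2004)
$ports = Get-NetTCPConnection -State Listen, Established -ErrorAction SilentlyContinue |
    Select-Object LocalPort, RemoteAddress, RemotePort, State, OwningProcess

# 4. Cross-reference: an autostart command whose .exe/.dll file name also shows up
#    as a module loaded in some other process is worth a closer look. Matching is
#    by leaf file name only, so names containing spaces are matched on their last word.
$suspects = foreach ($a in $autostart) {
    $names = [regex]::Matches($a.Command, '[^\\/"\s,]+\.(?:exe|dll)\b', 'IgnoreCase') |
        ForEach-Object { $_.Value }
    foreach ($h in ($modules | Where-Object { (Split-Path -Leaf $_.Module) -in $names })) {
        [pscustomobject]@{ Autostart = "$($a.Key)\$($a.Name)"; Command = $a.Command
                           LoadedIn = "$($h.Process) (PID $($h.PID))" }
    }
}

$autostart | Format-Table -AutoSize
$suspects  | Format-Table -AutoSize
$ports     | Sort-Object OwningProcess | Format-Table -AutoSize
```

Entries in $suspects are leads for the "what is it and how does it work" question, not proof of injection; compare each flagged module's path and signature against what the vendor ships before acting on it.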