[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SPAM] RE: [Full-Disclosure] interesting trojan found

To: "Todd Towles" <toddtowles@xxxxxxxxxxxxxxx>
Subject: Re: [SPAM] RE: [Full-Disclosure] interesting trojan found
From: James Riden <j.riden@xxxxxxxxxxxx>
Date: Fri, 22 Oct 2004 08:47:53 +1300

"Todd Towles" <toddtowles@xxxxxxxxxxxxxxx> writes:

> But if it is a rootkit, does it not hide from normal AV scanning?  

The Rxbot/Spybot variant that I've seen recently had a couple of
startup hooks in the registry - "blah service" and value was
"xaxe.exe" or "bling.exe". It made no real effort to hide, and could
be removed by deleting startup keys, rebooting and then deleting the
file in system32 - no serious attempt at hiding.

cheers,
 Jamie
-- 
James Riden / j.riden@xxxxxxxxxxxx / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- RE: [SPAM] RE: [Full-Disclosure] interesting trojan found
  - From: Todd Towles

Prev by Date: Re: [Full-Disclosure] Will a vote for John Kerry be counted by a Hart InterCivic eSlate3000 in Honolulu?
Next by Date: Re: [in] Re: [Full-Disclosure] Will a vote for John Kerry be counted by a Hart InterCivic eSlate3000 in Honolulu?
Previous by thread: RE: [SPAM] RE: [Full-Disclosure] interesting trojan found
Next by thread: SV: [SPAM] RE: [Full-Disclosure] interesting trojan found
Index(es):
- Date
- Thread