Security Basics mailing list archives
Re: AV removal malware
From: Jimi Thompson <jimit () myrealbox com>
Date: Tue, 9 Sep 2003 20:43:34 -0500
I know it's obvious, but I have to ask. Just for grins, have you tried reinstalling the AV software? I've seen end users uninstall it deliberately because "it slows my system down". Will they confess to it? NEVER! Then they want to complain because they get a virus *SIGH* Another thing to try might be virus scanning from one of the vendors that offers a bootable virus product (F-prot, etc.) and see if the machine can be cleaned up that way.
I work for a university and we've seen a couple of things come through recently that tamper with anti-virus software. One even puts itself in the "exclusion" list, so that it isn't scanned.
HTH, Jimi download an app like "Penguin Sleuth Bootable CD" so you can view the mounted drive without fear of infecting anything further and recover any data the user needs. http://www.linux-forensics.com/ (scan with AV after data is recovered) then I would re-roll the machine with a new image and return it to the user. It would take less time, unless it's mandatory you provide a reason why the machine is hosed. On Fri, 2003-09-05 at 17:06, SMiller () unimin com wrote:
I'm working on a machine that has boot problems (20+ minutes for Win2K "normal" boot, both safe modes freeze) When the machine finally booted I saw that our AV product (eTrust 6) was gone. And I don't mean non-functional, I mean vanished. No entries in Add/Remove programs, no folders or files remain under Program Files or anywhere else I've looked. I didn't get a chance to examine the registry before I rebooted, will do so Monday (when I will also examine bootlog.txt). My question is whether anyone here has run into an infection that attempts to remove antivirus products that is this effective and polished. The few of those that I have seen close up have merely made crude and generally unsuccessful attempts to mess with registry keys. I suspect that the user or someone else with access to the machine actually removed the eTrust product, after which the machine may have become infected. Event Viewer no longer works, which also doesn't help forensics. Thoughts? Scott Miller --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com----------------------------------------------------------------------------
--------------------------------------------------------------------------- Captus Networks Are you prepared for the next Sobig & Blaster? - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Precisely Define and Implement Network Security - Automatically Control P2P, IM and Spam Traffic FIND OUT NOW - FREE Vulnerability Assessment Toolkit http://www.captusnetworks.com/ads/42.htm ---------------------------------------------------------------------------- ---------------------------------------------------------------------------Captus Networks Are you prepared for the next Sobig & Blaster? - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Precisely Define and Implement Network Security - Automatically Control P2P, IM and Spam Traffic FIND OUT NOW - FREE Vulnerability Assessment Toolkit http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------
Current thread:
- AV removal malware SMiller (Sep 05)
- Re: AV removal malware Dave (Sep 08)
- <Possible follow-ups>
- Re: AV removal malware Jimi Thompson (Sep 10)