Security Incidents mailing list archives

Sub7 (SubSeven), Win2k, and IE 5.5


From: "Kirk Schafer" <jogglie () excite com>
Date: Wed, 20 Mar 2002 14:39:53 -0500 (EST)


Hi all, 

--- Note, I wrote this last week. If the list finally accepts it this time, please backdate the content several days ---

I ran a search of the two groups I'm submitting to and found nothing. Within the last couple of days, my Windows 2000 
Pro Workstation had Sub7 placed in the \WINNT\SYSTEM32 folder, as well as the "Run" registry key. It never installed, 
because my system caught it. Since I am running the latest patches (as of two days ago, according to HFNETCHK), and I 
have a full scale corporate AntiVirus product active and installed, I can't imagine how this sucker ended up on my hard 
drive. It was detected upon a reboot and login - somehow previously circumnavigating NAV CE's RealTime protection - by 
the logs, it WAS ACTIVE. I don't have any world-accessible shares, and I am behind a stealth firewall NAT with 
non-routable IPs, and no NETBIOS routing. It is also not possible to disable NAV from the workstation - it's centrally 
managed, and frighteningly current. 

The only thing I can figure is that someone figured out how to drop files from IE 5.5 (with all the latest patches) 
from script but it isn't world-pervasive yet. Also, a month ago, a colleague was browsing the web, downloading Word 
files, and the exact same thing happened - the user saved from their "protected" station to a NetWare server, and 
(potentially) via some scripting, NAV's RealTime protection was skipped (although that protection was running - an hour 
later, it was found by the very same person when they accessed the file normally. Seems to point to IE again). Our 
trusted sites (zones) are well managed, and well, we're pretty well off. 

Has anyone had similar experiences over the last week or month? 

Thanks, 
Kirk 


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
