Security Incidents mailing list archives
RE: New Trojan
From: Lucretia <lucretias () shaw ca>
Date: Mon, 27 Oct 2003 13:48:58 -0700
Correct, you must take steps to remove wscript.exe and cscript.exe otherwise they will remain.
-----Original Message----- From: lsi [mailto:stuart () cyberdelix net] Sent: Monday, October 27, 2003 6:04 AM To: Harlan Carvey Cc: incidents () securityfocus com Subject: Re: New Trojan Hi there,http://patriot.net/~carvdawg/docs/dark_side.htmlExcellent article on ADS, one point. You say Windows Scripting Host started shipping with W2K. However, it is apparently installed by default on Win98SE systems as well (I reinstalled this machine just last week). After reading your article I fired up a command prompt and typed CSCRIPT - this caused the scripting host to appear. Which was odd, because I was sure I had told the installer *not* to install Windows Scripting Host.... So I click Start.. Settings.. Control Panel.. Add and Remove Programs.. Windows Setup.. Accessories.. and sure enough Windows Scripting Host is *NOT* checked. However, CSCRIPT.EXE is in my C:\WINDOWS\COMMAND directory while WSCRIPT.EXE is in my C:\WINDOWS directory anyhow. So I would like to report to you: 1. WSH is shipped with Win98SE as well. 2. telling the installer not to install it does not work. Stuart On 25 Oct 2003 at 10:42, Harlan Carvey wrote: Date sent: Sat, 25 Oct 2003 10:42:41 -0700 (PDT) From: Harlan Carvey <keydet89 () yahoo com> Subject: Re: New Trojan To: incidents () securityfocus comJay,I don't know if this is a new trojan or anything, but I have tried doing some research on the Internet and couldn't find anything on it. Well it has two registry entries in my Run, and RunOnce. Here is the name of both keys acbdhpd and the values are pointing to a file1129 I can not seem to find rundll32 C:\WINNT\system32:acbdhpd.dll,Init 1.Given the colon, it looks like you might have a DLL hidden in an alternate data stream. Is your file system NTFS?I tried killing my explorer.exe to see if that is reason I can't find it because I am most likely using a trojanized explorer.exe,I'm curious about that statement, given that you really don't have anything to base it on.but I could only find a copy in my temp, I delete through DOS and delete the registry entries to no success, the registry keys appear within 30 seconds and the file pops right back up.What file? I thought you said you couldn't see anything, so what file is popping right back up?Anybody seen this or can give me some help to get this out without reloading? It has also opened up two TCP, 3799, and 41225 and two UDP ports, 1129, 1241. ThanksHow have you determined this? What tool are you using to determine that this particular issue is opening those ports, and they're not being opened by some other process? In a nutshell, it looks as if you've got something on your system, but it's hidden in an alternate data stream. I'm willing to help, you can get me as "carvdawg" on AIM and "keydet89" on Yahoo Messenger.------------------------------------------------------------------ ---------Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4.------------------------------------------------------------------ ---------- -- Stuart Udall stuart at cyberdelix dot net - http://www.cyberdelix.net/ ..revolution through evolution want to make some cash? check out http://cyberdelix.net/affiliates.htm ------------------------------------------------------------------ --------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4. ------------------------------------------------------------------ ----------
--------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4. ----------------------------------------------------------------------------
Current thread:
- New Trojan Jay Castaldo (Oct 25)
- Re: New Trojan Harlan Carvey (Oct 25)
- Re: New Trojan lsi (Oct 27)
- RE: New Trojan Lucretia (Oct 28)
- RE: New Trojan Harlan Carvey (Oct 27)
- Re: New Trojan lsi (Oct 27)
- Re: New Trojan Harlan Carvey (Oct 25)
- RE: New Trojan Rob Shein (Oct 25)
- RE: New Trojan Tiago Halm (Oct 26)
- Re: New Trojan Damian Gerow (Oct 27)
- RE: New Trojan Rob Shein (Oct 28)
- Re: New Trojan Damian Gerow (Oct 28)
- Re: New Trojan Brian Eckman (Oct 28)
- Re: New Trojan Damian Gerow (Oct 28)
- Re: New Trojan Damian Gerow (Oct 28)
- Re: New Trojan Russell Fulton (Oct 28)
- RE: New Trojan Rob Shein (Oct 28)