RE: New Trojan

["David LeBlanc" <dleblanc () Exchange Microsoft com>]

-----Original Message-----
From: Brian Eckman [mailto:eckman () umn edu] 
Sent: Monday, October 27, 2003 1:31 PM
To: Damian Gerow
Cc: incidents () securityfocus com
Subject: Re: New Trojan


> AFAIK, there is *no* method of removal for this trojan, [snip]

It can be "removed" by renaming all instances of rundll32.exe at once, 
so System File Protection won't replace it again. [snip]
----------------------------

Something else to add to your bag of tricks is that WFP won't tamper
with ACLs. So instead of trying to remove or rename executables, re-ACL
them to read, no execute. This can be done remotely without logging in,
assuming you have admin privileges.

This won't help in all cases, but can sometimes be useful. Likewise, if
something insists on putting registry keys back again, take away your
own permission to write to the parent key temporarily (leaving yourself
delete permission), then nuke it. It might even kill the thing by
causing it to take unexpected code paths...

IMHO, a clean reformat and reinstall is always the best way to get rid
of a Trojan, but these techniques might help in some situations.



---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------