Security Basics mailing list archives
VS: AV removal malware
From: "Lindström Carl-Erich, Polarteknik" <carl-erich.lindstrom () polarteknik com>
Date: Mon, 8 Sep 2003 09:11:55 +0300
Hi. One of my frends found bugbear in hes machine last week, and zone alarm was gone. Only two empty folders left. Os was Millenium Edition, because he format hard drives, i don't know, if there was anything else. -----Alkuperäinen viesti----- Lähettäjä: SMiller () unimin com [mailto:SMiller () unimin com] Lähetetty: Friday, September 05, 2003 2:06 PM Vastaanottaja: Security-Basics Aihe: AV removal malware I'm working on a machine that has boot problems (20+ minutes for Win2K "normal" boot, both safe modes freeze) When the machine finally booted I saw that our AV product (eTrust 6) was gone. And I don't mean non-functional, I mean vanished. No entries in Add/Remove programs, no folders or files remain under Program Files or anywhere else I've looked. I didn't get a chance to examine the registry before I rebooted, will do so Monday (when I will also examine bootlog.txt). My question is whether anyone here has run into an infection that attempts to remove antivirus products that is this effective and polished. The few of those that I have seen close up have merely made crude and generally unsuccessful attempts to mess with registry keys. I suspect that the user or someone else with access to the machine actually removed the eTrust product, after which the machine may have become infected. Event Viewer no longer works, which also doesn't help forensics. Thoughts? Scott Miller --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com ---------------------------------------------------------------------------- ########################################### This message has been scanned by F-Secure Anti-Virus for Microsoft Exchange. For more information, connect to http://www.F-Secure.com/ --------------------------------------------------------------------------- Captus Networks Are you prepared for the next Sobig & Blaster? - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Precisely Define and Implement Network Security - Automatically Control P2P, IM and Spam Traffic FIND OUT NOW - FREE Vulnerability Assessment Toolkit http://www.captusnetworks.com/ads/42.htm ----------------------------------------------------------------------------
Current thread:
- VS: AV removal malware Lindström Carl-Erich, Polarteknik (Sep 08)