Security Basics mailing list archives

Re: AV removal malware


From: "Lindström Carl-Erich, Polarteknik" <carl-erich.lindstrom () polarteknik com>
Date: Mon, 8 Sep 2003 09:11:55 +0300

Hi.

One of my friends found Bugbear on his machine last week, and Zone Alarm was
gone.
Only two empty folders were left.
The OS was Millennium Edition. Because he formatted the hard drives, I don't know if
there was anything else.

-----Original Message-----
From: SMiller () unimin com [mailto:SMiller () unimin com]
Sent: Friday, September 05, 2003 2:06 PM
To: Security-Basics
Subject: AV removal malware


I'm working on a machine that has boot problems (20+ minutes for a Win2K
"normal" boot, both safe modes freeze). When the machine finally booted I
saw that our AV product (eTrust 6) was gone. And I don't mean
non-functional, I mean vanished. No entries in Add/Remove Programs, no
folders or files remain under Program Files or anywhere else I've looked.
I didn't get a chance to examine the registry before I rebooted; I will do so
Monday (when I will also examine bootlog.txt). My question is whether
anyone here has run into an infection that attempts to remove antivirus
products and is this effective and polished. The few of those that I have
seen close up have merely made crude and generally unsuccessful attempts to
mess with registry keys. I suspect that the user or someone else with
access to the machine actually removed the eTrust product, after which the
machine may have become infected. Event Viewer no longer works, which also
doesn't help forensics. Thoughts?

Scott Miller





