Full Disclosure mailing list archives

RE: Looking for a tool


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 1 Mar 2004 17:36:44 -0600

-----Original Message-----
From: Nick Jacobsen [mailto:nick () ethicsdesign com] 
Sent: Monday, March 01, 2004 5:31 PM
To: Schmehl, Paul L; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Looking for a tool


Well, I usually use *sysinternals* Process Explorer, and have yet to see
it fail to list a process...  how do you know the process exists, if you
can't list it?
 
Real simple.  I have randomly named processes (like gk5odre.exe) popping
up, and when I kill them, another one takes their place.  *Something*
has to be the parent that controls this.  I can delete an entire
registry key and watch it be recreated in less than a second.  I can
delete a directory with three dlls in it and watch it be recreated right
before my eyes.  I can kill the randomly named process and watch it
reappear using the same name or a completely different name.  I can
delete the executable after killing the process, and it will be
recreated in no time.  So *something* has to be controlling it, yet when
I look at the process tree, the randomly named process appears to be the
parent.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
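One way to get at the question Paul raises (which process is actually spawning the randomly named ones) is to record the parent at the moment each process is created, rather than inspecting the tree after the fact. The script below is an added example and is not from the original thread or from either poster; it assumes a Windows host with the CIM cmdlets (Windows PowerShell 5.1 or later) and an elevated prompt. Get-ParentChain walks the recorded parent PIDs of a running process; Watch-ProcessCreation subscribes to WMI process-creation events and logs who created each new process while you kill the suspicious one.

```powershell
# Added example, not code from the original thread. Assumes Windows PowerShell
# 5.1+ with the CIM cmdlets; run elevated so that all processes are visible.

function Get-ParentChain {
    # Walk ParentProcessId links upward from a running process.
    param([Parameter(Mandatory)][int]$ProcessId)
    $chain = @()
    $seen = @{}
    $current = $ProcessId
    while ($current -and -not $seen.ContainsKey($current)) {
        $seen[$current] = $true
        $p = Get-CimInstance Win32_Process -Filter "ProcessId = $current"
        if (-not $p) {
            # The child still records its parent's PID after the parent exits,
            # and that PID may since have been reused by an unrelated process.
            $chain += [pscustomobject]@{
                ProcessId = $current; Name = '<exited or PID reused>'
                Path = $null; CommandLine = $null; ParentProcessId = $null
            }
            break
        }
        $chain += [pscustomobject]@{
            ProcessId       = $p.ProcessId
            Name            = $p.Name
            Path            = $p.ExecutablePath
            CommandLine     = $p.CommandLine
            ParentProcessId = $p.ParentProcessId
        }
        $current = $p.ParentProcessId
    }
    return $chain
}

function Watch-ProcessCreation {
    # Log every new process and its parent, resolved at creation time, for
    # $Seconds seconds. Kill the suspect process while this runs and the
    # replacement's creator is captured before it can hide behind a dead PID.
    param([int]$Seconds = 60)
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
             "WHERE TargetInstance ISA 'Win32_Process'"
    Register-CimIndicationEvent -Query $query -SourceIdentifier 'ProcWatch' | Out-Null
    try {
        $deadline = (Get-Date).AddSeconds($Seconds)
        while ((Get-Date) -lt $deadline) {
            $ev = Wait-Event -SourceIdentifier 'ProcWatch' -Timeout 1
            if (-not $ev) { continue }
            $proc   = $ev.SourceEventArgs.NewEvent.TargetInstance
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
            $parentDesc = if ($parent) { "$($parent.Name) [$($parent.ExecutablePath)]" }
                          else         { '<already gone>' }
            '{0:HH:mm:ss} new {1} (pid {2}) created by pid {3} {4}' -f `
                (Get-Date), $proc.Name, $proc.ProcessId, $proc.ParentProcessId, $parentDesc
            Remove-Event -EventIdentifier $ev.EventIdentifier
        }
    } finally {
        Unregister-Event -SourceIdentifier 'ProcWatch'
    }
}

# Usage: start the watcher in one window, then kill the random process in another.
#   Get-ParentChain -ProcessId (Get-Process gk5odre).Id | Format-Table
#   Watch-ProcessCreation -Seconds 120
```

Two caveats worth keeping in mind. If the logged creator is a process that is legitimately present anyway (explorer.exe, svchost.exe, services.exe), the respawning logic is probably a thread or DLL running inside it or a registered service, so the next step is to examine that process's loaded modules and services rather than the process list. And if the controlling process is hidden from enumeration by a kernel-mode hook, neither Win32_Process nor Process Explorer will list it; the creation event will still fire, but the parent lookup will come back empty, which is itself a useful signal.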

