Full Disclosure mailing list archives

[Full-Disclosure] RE: Full-disclosure digest, Vol 1 #1991 - 41 msgs


From: "Wayne Dawson" <Wayne_Dawson () inventuresolutions com>
Date: Thu, 21 Oct 2004 02:38:00 -0700

First, you didn't say, so I'm wondering if you checked the simple
things?  I mean for why you couldn't see it or delete it?   Like, does
it have read and hidden attributes?  

OK, admittedly, even if the read attribute was taken off, being still in
use, you might not be able to delete it. However, you may be able to
rename it logon.txt and then reboot. 

Anyway, I don't know of a free utility, but you could always take the
drive out and put it in another NTFS machine and access it that way.  It
wouldn't be running so it should be safe.

Of course, I'm assuming that you've already done the usual checking of
HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

for any reference to any file you deleted.

Also, for each user there is a registry area named HKEY_USERS\[code
number indicating user]\. Check the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Additionally, in case you didn't, make sure system restore has been
disabled before doing your rescue operations.

        --__--__--

        Message: 3
        Date: Wed, 20 Oct 2004 17:37:26 +0100
        From: "Richard Stevens" <richard () tccnet co uk>
        To: <full-disclosure () netsys com>
        Subject: [Full-disclosure] interesting trojan found


        A client had a problem home PC; after removal of all the usual
spyware, adware and 6-month-old viruses, there remained an unusual
process in the process list, logon.exe, which Process Explorer pointed
to as being from c:\windows\system32\logon.exe. It tries to connect to
a SingNet IP address on port 3175.

        This file appeared almost invisible to the file system in both
safe & normal mode, which struck me as being unusual.

        You could not delete it, copy it or see it in a directory
listing (file not found), but you could execute it directly.

        I eventually got a copy of it by using an NTFS-reader boot disk
and ran it through VirusTotal.

        Kaspersky was the only one to recognize it as
backdoor.win32.rbot.gen

        Just wondering really

        a: if anyone wants it for study. (off list replies pls, will be
sent in passworded zip)
        b: anyone know a free boot disk that both reads & writes to
NTFS, so I can delete it!


        Regards

        Richard


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
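The checks Wayne describes (walk the Run/RunServices keys under HKLM and under each user hive in HKU, look for entries that point at files you have already removed, and look at the attributes of anything that will not show up in a listing) can be scripted. The following PowerShell is an added example for this thread, not code from either poster; it assumes a modern Windows host with PowerShell 5 or later, adds the RunOnce key to Wayne's list, and is read-only. It resolves each autorun command to its executable and flags two conditions: the target no longer exists (a stale entry to remove), or the target opens directly but is absent from its parent directory listing, which is the "file not found, but it runs" symptom Richard reports.

```powershell
# Added example (not from the thread): audit autorun entries under HKLM and
# every loaded HKU hive, and report targets that are missing or that can be
# opened directly yet do not appear in a directory listing.
# Run from an elevated PowerShell prompt; nothing is modified.

$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunServices'   # legacy key, still worth a look
)

# Hives to inspect: HKLM plus each user hive currently loaded under HKEY_USERS.
$hives = @('HKLM:')
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem 'HKU:\' | ForEach-Object { $hives += "HKU:\$($_.PSChildName)" }

function Get-ExecutablePath {
    # Pull the executable out of an autorun command line: the quoted first
    # token if present, otherwise everything up to the first space.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $exe = ($cmd -split ' ', 2)[0]
    # Bare names (e.g. "logon.exe") are resolved against System32, as the loader would.
    if ($exe -and -not [System.IO.Path]::IsPathRooted($exe)) {
        $candidate = Join-Path (Join-Path $env:SystemRoot 'System32') $exe
        if ([System.IO.File]::Exists($candidate)) { $exe = $candidate }
    }
    return $exe
}

function Test-VisibleInListing {
    # True if the file appears in its parent directory listing (hidden and
    # system attributes included). Compared against a direct open below.
    param([string]$Path)
    $parent = Split-Path -Path $Path -Parent
    $leaf   = Split-Path -Path $Path -Leaf
    $listed = Get-ChildItem -LiteralPath $parent -Force -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -ieq $leaf }
    return [bool]$listed
}

$findings = foreach ($hive in $hives) {
    foreach ($sub in $subKeys) {
        $key = Join-Path $hive $sub
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # skip provider metadata properties
            $exe = Get-ExecutablePath -Command ([string]$p.Value)
            if ([string]::IsNullOrWhiteSpace($exe)) { continue }

            $directOpen = [System.IO.File]::Exists($exe)
            $listed     = if ($directOpen) { Test-VisibleInListing -Path $exe } else { $false }
            $attrs      = if ($directOpen) { (Get-Item -LiteralPath $exe -Force).Attributes } else { $null }

            $status = if (-not $directOpen) { 'MISSING: stale autorun entry, remove it' }
                      elseif (-not $listed) { 'NOT LISTED: opens directly but absent from listing, examine offline' }
                      else { 'ok' }

            [PSCustomObject]@{
                Key        = $key
                Name       = $p.Name
                Executable = $exe
                Attributes = $attrs
                Status     = $status
            }
        }
    }
}

# Show only the entries that need attention.
$findings | Where-Object { $_.Status -ne 'ok' } | Format-Table -AutoSize
```

Treat a NOT LISTED result the way both posters ended up treating the file: as something to copy and remove with the disk mounted from another system or a boot disk rather than from the running OS, since whatever is hiding the file from a listing on the live machine can equally hide it from this script.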
