Full Disclosure mailing list archives
Re: win2kup2date.exe ?
From: James Tucker <jftucker () gmail com>
Date: Thu, 2 Sep 2004 22:54:17 +0100
<snippage>

Hi all,

A recommendation for anyone in this situation: try using a copy of BartPE (http://www.nu2.nu/pebuilder/) and McAfee to detect the files. I have watched one of these variants actively attack a copy of Norton Antivirus. Furthermore, the worm in question which I observed started to hide its executables on parts of the disk it flagged as "damaged", and Windows began to report this information. Ad-aware was also installed on the machine, and after the fight began, Ad-aware was also corrupted on the disk. At this time there is no way to verify if this was truly caused by the infection, although as there was no genuine corruption found after we cleaned the disk I suspect that what I am suggesting is accurate.

BartPE has the ability to run Ad-Aware and McAfee from a cleanly booted OS (booted from CD) and will mount all NTFS drives on the local system. Those of you lucky enough to have supported network cards can get network access too. This is what I use as a last line of recovery for systems with heavy infection loads.

Be warned that some malware / viruses are placing themselves in portions of the OS that sometimes need replacing later. The common two are fixed by a "sfc /scannow" and the other is fixed by repairing the TCP/IP stack using the netsh command. Windows 2000 is more difficult and I can't remember the fixes off the top of my head. After this level of infection, where appropriate I would still recommend a format anyway.

Good luck with your recoveries,

J.

P.S. If read at any time, thank you to Bart and Co, this is one of the most useful projects you have done, your bootdisks have been a long standing toolset in my collection.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
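The post-cleanup steps James describes (sfc /scannow, then rebuilding the TCP/IP stack with netsh) are easy to get out of order or to run without a record of what was changed. The batch file below is an added example for this thread, not code from the original post, from BartPE or from any of the scanners mentioned. It assumes a Windows XP installation that has already been scanned offline from BartPE and is now booted normally with an administrative account; the log file name and the read-only chkdsk check at the end are choices made here, not steps from the post. Because the netsh reset rewrites the TCP/IP registry keys to defaults, the script snapshots the current IP configuration first so static addresses and DNS servers can be re-entered afterwards.

```batch
@echo off
setlocal
rem post-clean-repair.cmd
rem Added example for this thread; not code from the original post, BartPE,
rem McAfee or Ad-Aware.  Run inside the repaired Windows XP installation
rem (not from BartPE): sfc needs the live OS and its dllcache.
rem Assumptions: Windows XP, administrative account, log path chosen here.

set LOG=%SystemRoot%\postclean.log
echo ==== post-clean repair started %DATE% %TIME% ==== >> "%LOG%"

rem --- 0. Refuse to run on anything but XP (NT 5.1).  The post notes that
rem     Windows 2000 needs a different repair, so do not guess at it here.
ver | find "Version 5.1" > nul
if errorlevel 1 (
    echo This script expects Windows XP ^(NT 5.1^). Aborting.
    echo Wrong OS version, aborted. >> "%LOG%"
    exit /b 1
)

rem --- 1. Snapshot the network configuration before touching the stack.
rem     "netsh int ip reset" rewrites the TCP/IP registry keys to defaults,
rem     so static addresses and DNS servers must be re-entered afterwards.
echo ---- ip config before reset ---- >> "%LOG%"
netsh interface ip show config >> "%LOG%" 2>&1
ipconfig /all >> "%LOG%" 2>&1

rem --- 2. Replace protected system files the infection may have altered.
rem     sfc compares against %SystemRoot%\system32\dllcache and prompts for
rem     the install CD if the cached copy is missing too, so keep it nearby.
echo ---- sfc /scannow ---- >> "%LOG%"
sfc /scannow
echo sfc exit code %ERRORLEVEL% >> "%LOG%"

rem --- 3. Rebuild the TCP/IP stack registry keys (the netsh repair the post
rem     refers to).  On XP the log file argument is required.
echo ---- netsh int ip reset ---- >> "%LOG%"
netsh interface ip reset "%SystemRoot%\ipreset.log" >> "%LOG%" 2>&1

rem --- 4. Winsock LSP chains are a common place for spyware to hook in.
rem     "netsh winsock reset" only exists from XP SP2 onward; on earlier
rem     service packs it fails and the LSP catalog is left untouched.
echo ---- netsh winsock reset ---- >> "%LOG%"
netsh winsock reset >> "%LOG%" 2>&1
if errorlevel 1 echo winsock reset unavailable ^(pre-SP2?^); LSP catalog not rebuilt >> "%LOG%"

rem --- 5. Read-only chkdsk: record how much of the volume is still flagged
rem     as bad sectors after cleanup, so it can be compared with what the
rem     OS reported while the machine was infected.  Does not modify the disk.
echo ---- chkdsk bad sector summary ---- >> "%LOG%"
chkdsk %SystemDrive% | find "bad sectors" >> "%LOG%"

echo ==== finished %DATE% %TIME%; reboot required ==== >> "%LOG%"
echo Repairs done. Review "%LOG%", re-enter any static IP settings, then reboot.
endlocal
```

Save it as post-clean-repair.cmd, run it from an administrative command prompt, and read the log before rebooting. The reboot is what actually brings the rebuilt TCP/IP and Winsock settings into effect; if the machine still misbehaves after it, James's closing advice to format applies.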
Current thread:
- win2kup2date.exe ? bashis (Sep 02)
- Re: win2kup2date.exe ? Über GuidoZ (Sep 02)
- Re: win2kup2date.exe ? Nick FitzGerald (Sep 02)
- Re: win2kup2date.exe ? James Tucker (Sep 02)
- Re: win2kup2date.exe ? Über GuidoZ (Sep 02)
- Re: win2kup2date.exe ? Über GuidoZ (Sep 02)
- Re: win2kup2date.exe ? Über GuidoZ (Sep 03)
- Re: win2kup2date.exe ? Nick FitzGerald (Sep 02)
- Re: win2kup2date.exe ? Über GuidoZ (Sep 02)
- <Possible follow-ups>
- RE: win2kup2date.exe ? James Patterson Wicks (Sep 02)
- Re: win2kup2date.exe ? Über GuidoZ (Sep 02)
- Re: win2kup2date.exe ? James Tucker (Sep 02)
- Re: win2kup2date.exe ? Über GuidoZ (Sep 02)
- Re: win2kup2date.exe ? James Tucker (Sep 03)
- Re: win2kup2date.exe ? Nick FitzGerald (Sep 03)
- Re: win2kup2date.exe ? Bart . Lansing (Sep 08)
- Re: win2kup2date.exe ? Bugtraq Security Systems (Sep 08)
- Re: win2kup2date.exe ? Barry Fitzgerald (Sep 08)
- Re: win2kup2date.exe ? Über GuidoZ (Sep 08)
- Re: win2kup2date.exe ? Nick FitzGerald (Sep 09)
- Re: win2kup2date.exe ? Richard Johnson (Sep 09)
- Re: win2kup2date.exe ? Nick FitzGerald (Sep 09)
- Message not available
- Re: win2kup2date.exe ? Richard Johnson (Sep 09)
- Re: win2kup2date.exe ? Nick FitzGerald (Sep 03)