Full Disclosure mailing list archives

Re: New virus - possible rootkit


From: "Bipin Gautam" <gautam.bipin () gmail com>
Date: Thu, 21 Sep 2006 20:43:04 +0545

This appears to be an IRC bot that encrypts its traffic to fly beneath the
radar. What makes it more interesting is that the directories it creates
have SYSTEM ownership and only SYSTEM and creator/owner can access the
files. Changing permissions on the files or directories will only be changed
back. It also appears that if you remove the file, it will start revoking
permissions on all files and will remove everyone's but SYSTEM's permission
to all files.


I've been talking about this for about a year now... Some time BEFORE,
there was a worm that exploited the features of EFS in NTFS on WinXP;
now.... this threat.

http://72.14.203.104/search?hl=zh-TW&q=cache%3Ahttp%3A%2F%2Fbipin.securityhead.com%2Fall.html


-- 

Bipin Gautam
http://bipin.tk

Zeroth law of security: The possibility of poking a system from lower
privilege is zero unless & until there is possibility of direct,
indirect or consequential communication between the two...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
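As an added example (not from the post or from anyone in the thread), a PowerShell sweep a responder could run to find directories matching the pattern the quoted message describes: owned by SYSTEM, with a DACL that grants access to nobody except SYSTEM and CREATOR OWNER. The `$ScanRoot` parameter and the `Test-SystemOnlyAcl` helper are assumptions introduced here.

```powershell
# Added example, not code from the original post. Flags directories whose owner
# is SYSTEM and whose allow ACEs name only SYSTEM and CREATOR OWNER.
# $ScanRoot is an assumed parameter; run from an elevated shell.
param(
    [string]$ScanRoot = 'C:\'
)

$allowedIdentities = @('NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

function Test-SystemOnlyAcl {
    param([System.Security.AccessControl.DirectorySecurity]$Acl)

    if ($Acl.Owner -ne 'NT AUTHORITY\SYSTEM') { return $false }

    # Consider explicit and inherited allow entries; an empty DACL is a different case.
    $allows = $Acl.Access | Where-Object {
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
    }
    if (-not $allows) { return $false }

    foreach ($ace in $allows) {
        if ($allowedIdentities -notcontains $ace.IdentityReference.Value) { return $false }
    }
    return $true
}

Get-ChildItem -Path $ScanRoot -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        } catch {
            # An access-denied on the DACL from an elevated shell is itself worth
            # noting: a directory locked down to SYSTEM will show up here.
            Write-Warning "Could not read ACL for $($dir.FullName): $($_.Exception.Message)"
            return
        }
        if (Test-SystemOnlyAcl -Acl $acl) {
            [pscustomobject]@{
                Path  = $dir.FullName
                Owner = $acl.Owner
                Aces  = ($acl.Access | ForEach-Object {
                            "$($_.IdentityReference.Value):$($_.FileSystemRights)"
                        }) -join '; '
            }
        }
    }
```

Expect a handful of legitimate hits under %SystemRoot% (some service and installer directories are SYSTEM-only by design), so compare results against a known-clean host rather than treating every match as malicious.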

