Security Incidents mailing list archives
RE: Strange servicepack.exe file (not service.exe) found.
From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 17 Dec 2003 16:20:03 -0800 (PST)
James,
> To be fair to the original poster, in hindsight there was reasonable association from other posts between the suspect file and some complex adware that downloads arbitrary additional components and takes aggressive actions like installing porno dialers similar to what was found.

You're mixing terminology. In my experience, and I do have quite a bit of experience w/ adware and spyware, these things are annoying, yes, but hardly aggressive. And complex is being...well...generous. I saw the response from Symantec on the item. I also downloaded the file, and scanned it with the most recent defs for NAV...and got nothing.

> Rebuilding might take less than an hour, while investigation and cleanup might take a little more.

The short term fix may be preferable...but investing a little bit of time in determining the initial "infection" vector might save a good deal of time in "cleaning up" other systems.

> Recovery takes less skill and often less time than forensics. That makes it a positive thing provided one investigated enough to know that recovery eliminates any damage that might have occurred.

Hhhmmm...again, perhaps in the short term - but not in the long run.

The downside as you say is one will never know. The "infection" vector might not be determined until it happens again. And it would sure be nice to know if the afflicted (if not infected) machine was trying to do anything to the rest of the network or if it was communicating outside the LAN.

And to be quite honest, it doesn't really take a great deal of time or skill to do these things. It simply takes a bit of time invested in learning to do it.

> It is important to know what the machine did while it was in a suspect state, if possible. The rebuild doesn't help enough if, for example, network passwords were compromised.

Very true.

> Plus it would really be silly if machine gets rebuilt when a reboot might have sufficed.

Yep. However, I believe that the argument amongst Windows admins will continue to favor rebuilding for the time being...however unfortunate that may be.

Harlan
Current thread:
- Strange servicepack.exe file (not service.exe) found. Chip Mefford (Dec 16)
- RE: Strange servicepack.exe file (not service.exe) found. Bojan Zdrnja (Dec 17)
- SV: Strange servicepack.exe file (not service.exe) found. Peter Kruse (Dec 17)
- Re: Strange servicepack.exe file (not service.exe) found. Eric Chien (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. James C Slora Jr (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. John Ives (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. Rob Shein (Dec 18)
- RE: Strange servicepack.exe file (not service.exe) found. John Ives (Dec 18)
- RE: Strange servicepack.exe file (not service.exe) found. James C Slora Jr (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. Harlan Carvey (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. James C Slora Jr (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. Harlan Carvey (Dec 18)
- RE: Strange servicepack.exe file (not service.exe) found. David Gillett (Dec 18)
- Re: Strange servicepack.exe file (not service.exe) found. Doug Foster (Dec 19)
- Re: Strange servicepack.exe file (not service.exe) found. dreamwvr () dreamwvr com (Dec 19)
- Administrivia: Dead Thread - Strange servicepack.exe file (not service.exe) found. Dan Hanson (Dec 19)
- RE: Strange servicepack.exe file (not service.exe) found. Lucretia (Dec 19)
- <Possible follow-ups>
- RE: Strange servicepack.exe file (not service.exe) found. Kolde, Jennifer E. (Dec 18)