RE: New Trojan

["Rob Shein" <shoten () starpower net>]

An option; restrict rights for
HKLM/Software/Microsoft/Windows/CurrentVersion/Run so that new keys cannot
be created, by anyone.  Remove the key used by the trojan.  Reboot, and
return permissions for that part of the registry to prior settings.

A thought: considering that this is a proxy trojan, could it have any
relationship to the alleged instances of a Polish company offering stealthed
spamming services (and god knows what other forms of anonymization)?


> On startup, the Trojan is started via registry entries.  
> Since it is a DLL, it needs rundll32.exe to start.  When it 
> starts, it hooks itself into (I
> think) *every* running process on the system, so you can't 
> actually kill it without shutting down the system.
>
> It checks the registry keys periodically (configurable, I 
> believe), and if they are missing, it adds them back in again.


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------