Re: New Trojan

[Brian Eckman <eckman () umn edu>]

> AFAIK, there is *no* method of removal for this trojan, due to its way of
> infection.  Some have speculated that there is an option for removal within
> the trojan, but I have no confirmation of this -- try running strings on the
> DLL, and see if you can find anything in there (i.e. grep for 'remov',
> 'instal').

It can be "removed" by renaming all instances of rundll32.exe at once, 
so System File Protection won't replace it again. Then reboot and remove 
it from starting up in the registry and, if you're paranoid, overwrite 
the ADS stream with benign text. Then rename rundll32.exe back again.

It should be also removable by unregistering the DLL then deleting the 
registry entry, as was mentioned earlier in this thread. I haven't tried 
it though.

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------