Security Incidents mailing list archives

Re: Agobot variant - with multi-vulnerability scanner


From: Stephen Smoogen <smoogen () lanl gov>
Date: Mon, 5 Apr 2004 09:26:34 -0600 (MDT)

On Sat, 3 Apr 2004, Lawrence Baldwin wrote:

> This is the second case of 'hallowelt.exe' that I have seen in two days
> where the end user's system was fully patched (Windows update on
> auto)...I haven't read up on all the variants but this is rather puzzling as

I have heard of a couple of cases where this has happened. 

I think the most common reason was that the machine was never rebooted
after the fixes were installed. The second common reason was that a
backdoor was installed already and somehow conflicted with the patch
when it got installed. The third reason was that the registry and other
entries would say that the update had been installed, but doing a
sha1sum of the .dlls showed that they had not changed. [Found this on a
non-infected machine, so it seems to happen sometimes..]

I do not know enough about Windows to speculate why, but hopefully they
will someday put in a checksum registry so that people can check the
integrity of .dlls and what package they belong to.


-- 
Stephen John Smoogen            smoogen () lanl gov
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- You should consider any operational computer to be a security problem --
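The check Smoogen describes (the registry says the update is installed, but hashing the .dlls shows they never changed) is easy to automate: take a hash snapshot of the files a patch claims to replace before installing it, take another afterwards, and flag anything the patch claimed to replace whose bytes did not move. The script below is an added example, not code from the list post or from any Microsoft tool; the three fake .dll files, the "patch" that rewrites only one of the two files it claims to replace, and the `claimed_replaced` set standing in for a patch manifest or registry entry are all constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile


def sha1_of_file(path, chunk_size=1 << 16):
    """SHA-1 of a file's contents, read in chunks so large DLLs are not loaded whole."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(paths):
    """Map each path to its SHA-1 hex digest, or None if the file does not exist."""
    return {p: (sha1_of_file(p) if os.path.isfile(p) else None) for p in paths}


def compare(before, after, claimed_replaced):
    """Classify files after a patch has reportedly been applied.

    before / after: dicts from snapshot(). claimed_replaced: the set of paths the
    patch's manifest (or the registry "installed" entry) says it replaced.
    A path in claimed_replaced whose hash did not change is exactly the case from
    the post: the registry says installed, the bytes on disk say otherwise.
    """
    report = {"changed": [], "unchanged": [], "not_replaced": [], "missing": []}
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path), after.get(path)
        if new is None:
            report["missing"].append(path)
        elif old != new:
            report["changed"].append(path)
        elif path in claimed_replaced:
            report["not_replaced"].append(path)
        else:
            report["unchanged"].append(path)
    return report


def demo():
    """Constructed scenario (hypothetical data): three fake DLLs and a 'patch' that
    claims to replace two of them but only rewrites one. Returns the report keyed
    by bare file name."""
    workdir = tempfile.mkdtemp(prefix="dllcheck_")
    try:
        names = ["a.dll", "b.dll", "c.dll"]
        paths = [os.path.join(workdir, n) for n in names]
        for p, payload in zip(paths, (b"old a", b"old b", b"old c")):
            with open(p, "wb") as fh:
                fh.write(payload)

        before = snapshot(paths)

        # The hypothetical patch says it replaced a.dll and b.dll...
        claimed = {paths[0], paths[1]}
        # ...but only a.dll actually receives new bytes; b.dll is left as it was
        # (the pending-reboot or file-in-use situation the post speculates about).
        with open(paths[0], "wb") as fh:
            fh.write(b"new a")

        after = snapshot(paths)
        report = compare(before, after, claimed)
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

In practice the `before` snapshot is taken on a known-good build and stored off the machine, so that a host can be checked without trusting its own registry. The snapshot only tells you that bytes changed, not that they changed to the vendor's file; pairing it with the vendor's published hashes or the file's Authenticode signature closes that gap.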
