Security Incidents mailing list archives
Re: Agobot variant - with multi-vulnerability scanner
From: Stephen Smoogen <smoogen () lanl gov>
Date: Mon, 5 Apr 2004 09:26:34 -0600 (MDT)
On Sat, 3 Apr 2004, Lawrence Baldwin wrote:
This is the second case of 'hallowelt.exe' that I have seen in two days where the end user's system was fully patched (Windows update on auto)...I haven't read up on all the variants but this is rather puzzling as
I have heard of a couple of cases where this has happened. I think the most common reason was that the machine was never rebooted after the fixes were installed. The second common reason was that a backdoor was installed already and somehow conflicted with the patch when it got installed. The third reason was that the registry and other entries would say that the update had been installed, but doing an sha1sum of the .dlls showed that they had not changed. [Found this on a non-infected machine so it seems to happen sometimes..] I do not know enough about Windows to speculate why, but hopefully they someday put in a checksum registry so that people can check integrity of .dlls and what package they belong to.

--
Stephen John Smoogen smoogen () lanl gov
Los Alamos National Lab CCN-5 Sched 5/40 PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545
-- You should consider any operational computer to be a security problem --
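The third case in the message above (an update recorded as installed while the file hashes are unchanged) can be checked mechanically. The following is an added example, not part of the original post: it assumes a manifest of expected post-patch SHA-1 values obtained from a trusted source, and the update IDs, file names and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha1_of(path, chunk=65536):
    """Stream the file so large DLLs are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def audit(recorded_updates, manifest, root):
    """Return {(update, file): status} for every update the system claims to have.

    manifest: {update_id: {relative_path: expected_sha1_after_patch}}
    Status is 'ok', 'stale' (file present, hash is not the patched one)
    or 'missing'. Updates absent from the manifest are 'unknown'.
    """
    findings = {}
    for update in recorded_updates:
        files = manifest.get(update)
        if files is None:
            findings[(update, None)] = "unknown"
            continue
        for rel, expected in files.items():
            target = Path(root) / rel
            if not target.is_file():
                findings[(update, rel)] = "missing"
            elif sha1_of(target) == expected.lower():
                findings[(update, rel)] = "ok"
            else:
                findings[(update, rel)] = "stale"
    return findings


def demo():
    """Constructed data: two fake 'DLLs', one replaced by the patch, one not."""
    old, new = b"pre-patch build", b"post-patch build"
    manifest = {"UPDATE-A": {"a.dll": hashlib.sha1(new).hexdigest()},
                "UPDATE-B": {"b.dll": hashlib.sha1(new).hexdigest()}}
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "a.dll").write_bytes(new)   # patch really landed
        (Path(root) / "b.dll").write_bytes(old)   # recorded, but file unchanged
        return audit(["UPDATE-A", "UPDATE-B", "UPDATE-C"], manifest, root)


if __name__ == "__main__":
    for key, status in sorted(demo().items(), key=str):
        print(key, status)
```

A `stale` result only says the file on disk is not the patched build; it does not distinguish between a pending reboot, a failed install, or interference from software already on the machine.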