Security Incidents mailing list archives
Re: Odd typing in MSWord
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>
Date: Sat, 05 Mar 2005 11:12:28 -0800
http://windowsir.blogspot.com/2005/03/rootkit-saga-continues.html

Are root kits 'that' new or are the bad guys just getting a smidge smarter?

This is an example of a rootkit that wasn't coded properly:
You receive a Stop 0x00000050 error on a blue screen:
http://support.microsoft.com/default.aspx?scid=kb;en-us;894278

The folks in my group say that if you have an on the ball admin, he/she will notice something is up via the normal review procedures of the log files/ingress/egress/packet flows and what not.

Remember there's a bunch more tools in the arsenal that many of us have yet to roll out .... IPsec..... Software restriction....

IPFront - About:
http://www.hernanracciatti.com.ar/ipfront/about.htm
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

Federated Information Security wrote:

Thanks to all who replied, I'm pretty sure it was the microphone, I'm in the process of verifying.

As a side note, I've seen the press on MS root kits, but are they all that common? How often do you run across them in a corporate environment, and how good are standard protections (antivirus, firewall, non-admin) at preventing them?

Thanks again!
sid

-----Original Message-----
From: Federated Information Security
Sent: Friday, March 04, 2005 9:50 AM
To: incidents () securityfocus com
Subject: Odd typing in MSWord

I ran across something rather odd today I'm hoping someone might have thoughts on. One of my users had their XP SP1 laptop on the corporate network and was editing a Word document with Office 2002. They pasted something in a table, and it looked like someone started typing in their document. It was slow, typical typing speed, and lasted for about 10 minutes (I actually got a chance to see it). The text was nonsense words, like the kind you often see in spam nowadays.

The machine's fully patched, up-to-date anti-virus and a personal firewall. Don't see any signs of spyware, nothing in the registry. I checked all the files modified today hoping to find a keylogger or something similar, and the only thing I found was a seemingly encrypted file on the root of c:\ called "comply.ini", which isn't normal for our config, but may not be related.

IE was open at the time this happened. I issued a netstat -a command while the typing was going on, but all the connections were legit--domain controller, file & print servers. I checked the running processes and everything seemed pretty typical, although I hit

Anyone run across anything similar lately, or have any suggestions?

Thanks!
sid

--
Chapter 4 of The Complete Patch Management Book:
https://www.ecora.com/ecora/jump/pm149.asp

So why is it the only book on NT Event Logging is out of print?
http://tinyurl.com/3kwc2

And if you don't know about www.eventid.net
You should!