Security Incidents mailing list archives

Re: They got me!!!


From: Valdis.Kletnieks () vt edu
Date: Thu, 06 Apr 2006 12:26:14 -0400

On Thu, 06 Apr 2006 08:17:30 MDT, lucretias said:
> I would disagree with all of Susan's assumptions.   Why should you rebuild
> if you're simply infected?

Tell me - are you willing to bet being totally 0wned again if you guess
wrong on "simply infected"?

> How someone could also determine you have a rootkit installed with no
> analysis and the shaky details you posted I'm not certain either.

Again, even the shaky details we have indicate a situation with a high
likelihood of a rootkit being present.  Proceeding as if one is present
is much safer than assuming that there isn't one.

> Assuming it was bad surfing is also a bad assumption.  It's highly likely
> that the infection was either from email or a downloaded and installed piece
> of software.

My money goes on a drive-by fruiting that used one of the currently known
unpatched IE vulnerabilities.  Anybody who goes to the length of installing
fingerprint scanners will most likely have drilled into the kids: "No
clicky-click the 'oooh shiny'!! Or *else*".

> A simple clean up would do the trick.

> Then clean the infections.  I have yet to meet an infection I couldn't
> clean.

You willing to bet the machine's security on "the A/V id'ed it as W32-foobar,
and Symantec says it alters 5 registry keys, so it can't possibly be a variant
that alters 6"?  Or maybe it's not W32-foobar *at all* - but some unknown
malware that includes deactivated chunks of W32-foobar just to delude you
into thinking that since you removed all the pieces of W32-foobar, that the
machine is in fact clean?

You might want to consider whether "I have yet to meet an infection that I
didn't convince myself was fully cleaned" is being more truthful.  Did you
dig out and sanitize 100% of every infection?  Or just 100% of what you found?
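The "five registry keys vs. a variant that alters six" argument above, worked through in code. This is an added example for the thread, not code from any poster or from an A/V vendor; every registry key, value and the "vendor writeup" below are constructed for illustration. It contrasts a cleanup that removes exactly what a signature lists with a comparison against a known-good baseline, which is the question a rebuild actually answers.

```python
"""Signature-based cleanup vs. known-good baseline comparison.

Added example for this thread, not code from any poster or A/V vendor.
Every key, value and the 'vendor writeup' here is constructed for illustration.
"""

RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SVC = r"HKLM\System\CurrentControlSet\Services"
EXEFILE_CMD = r"HKLM\Software\Classes\exefile\shell\open\command"

# Hypothetical vendor writeup: the five registry keys "W32-foobar" is documented to add.
W32_FOOBAR_SIGNATURE = {
    RUN + r"\foobar",
    RUN + r"\foobar_upd",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\fb",
    SVC + r"\foobarsvc",
    r"HKLM\Software\Classes\CLSID\{0F00BA12-0000-4000-8000-000000000001}\InprocServer32",
}

# Constructed known-good baseline: the same hives captured from a clean install.
CLEAN_BASELINE = {
    RUN + r"\ctfmon": r"C:\Windows\system32\ctfmon.exe",
    RUN + r"\SynTPEnh": r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    SVC + r"\Dnscache": r"%SystemRoot%\system32\svchost.exe -k NetworkService",
    EXEFILE_CMD: '"%1" %*',
}

# Constructed snapshot of the infected box.  A variant of the same family adds
# a sixth key and, rather than adding anything else, hijacks an existing
# legitimate value so that every .exe launch first runs its loader.
FBMON_KEY = RUN + r"\fbmon"
INFECTED_SNAPSHOT = dict(CLEAN_BASELINE)
INFECTED_SNAPSHOT.update({k: r"C:\Windows\system32\fbload.exe" for k in W32_FOOBAR_SIGNATURE})
INFECTED_SNAPSHOT[FBMON_KEY] = r"C:\Windows\system32\fbmon.exe"
INFECTED_SNAPSHOT[EXEFILE_CMD] = r'"C:\Windows\system32\fbload.exe" "%1" %*'


def signature_cleanup(snapshot, signature):
    """Remove exactly what the writeup lists and nothing else: the "I cleaned it" approach."""
    return {k: v for k, v in snapshot.items() if k not in signature}


def baseline_diff(snapshot, baseline):
    """Report every key that is absent from, or differs in value from, the known-good baseline.

    This asks "is the box back in a state I trust?" rather than "is the named
    malware gone?".  Keys deleted from the snapshot are a separate check, omitted here.
    """
    return {k: v for k, v in snapshot.items() if baseline.get(k) != v}


def residual_after_signature_cleanup():
    """What the baseline still flags once the five signature keys have been removed."""
    cleaned = signature_cleanup(INFECTED_SNAPSHOT, W32_FOOBAR_SIGNATURE)
    return baseline_diff(cleaned, CLEAN_BASELINE)


if __name__ == "__main__":
    for key, value in residual_after_signature_cleanup().items():
        print(f"still present after signature cleanup: {key} = {value}")
```

Run as-is, the signature cleanup removes all five documented keys and reports success, while the baseline diff still flags the extra `fbmon` Run entry and the hijacked `exefile` handler. The second of those is the important one: it is a key the clean image also has, so a cleaner that only looks for "things W32-foobar adds" has no reason to inspect its value at all.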
