Security Basics mailing list archives

Re: Possible Trojan.


From: H Carvey <keydet89 () yahoo com>
Date: 28 Oct 2003 11:46:30 -0000

In-Reply-To: <20031027194238.14184.qmail () sf-www1-symnsj securityfocus com>

Comments/questions inline:

> Have a buddy complaining about his AOL account password being stolen every time he logs onto AOL from his PC at work. 

Did he happen to mention what it is that makes him think this?  I ask, simply b/c I do some helpdesk work during my 
day-to-day activities and very often get really intelligent users who make certain assumptions that, well, are a little 
off base.

> I talked him through doing an fport on his box and he sent me the results:


Given the number of times svchost.exe appears, is this an XP box?  I know that by default, the installation path for XP 
is "Windows", not "Winnt", but I have seen this modified during install by admins.  

> I'm really concerned with the last one: 
>
> 228   winlogon       ->  1053  UDP   \??\C:\WINNT\system32\winlogon.exe


That path is legit, for both XP and 2K.  You might want to check out the file itself, w/ a 'dir'...on 2K, my file is 
about 178K in size, whereas on XP it's 430K.  I'm guessing that when I get to work and take a look at my system, I 
might see a similar entry...none of my test boxes are in a domain.

> I've found some things on the net that say it's legit, I've found others that say it's indicative of a backdoor.  

Do you have links to those sites?  Remember, just b/c it's on the Internet doesn't mean it's true...  ;-)

> I ran fport on my box and did not have any entries like that.  Does anyone have any information on this?  Are there 
> other entries that attract anyone else's attention?


I don't see anything that really jumps out.  I would suggest that you have your buddy get listdlls.exe from 
SysInternals.com and run it, then send you the output.  What you'll want to look at is the command line used to launch 
each process.  You can also use tlist.exe from MS...but be sure to get the one that comes in the debugging tools, not 
the RK.  

Other thoughts...dump the contents of the ubiquitous "Run" keys.  Also, you might consider getting a listing of the 
services and device drivers...I have a Perl script for this, but I don't think that this will be of use to you.

Finally, go ask your buddy what makes him think that his AOL password is being stolen when he logs on...

HTH,

Harlan
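The check Harlan describes (does the image path behind a listening port match where that well-known process should live?) is easy to automate over saved fport output. The script below is an added example, not part of the original thread or of fport itself; it assumes the line format shown in the quoted entry above, treats `C:\WINNT\system32` and `C:\WINDOWS\system32` as the expected home of core processes (the 2K and XP paths the thread mentions), and runs over constructed sample output embedded inline.

```python
import re
from typing import NamedTuple

# fport prints one line per listening socket; this format is assumed from the
# single line quoted in the thread:
#   228   winlogon       ->  1053  UDP   \??\C:\WINNT\system32\winlogon.exe
FPORT_LINE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+->\s+(?P<port>\d+)\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<path>.+?)\s*$"
)

# Where core OS binaries are expected to live (assumption: %SystemRoot% is
# C:\WINNT on 2K or C:\WINDOWS on XP, as discussed in the thread).
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")
CORE_PROCESSES = {"winlogon", "svchost", "lsass", "services"}

class Entry(NamedTuple):
    pid: int
    proc: str
    port: int
    proto: str
    path: str

def parse_fport(text):
    """Parse fport output; header/banner lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if m:
            entries.append(Entry(int(m["pid"]), m["proc"], int(m["port"]),
                                 m["proto"], m["path"]))
    return entries

def normalise(path):
    # fport shows NT object-manager paths (\??\C:\...); drop that prefix
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p

def suspicious(entries):
    """Core processes whose image name or directory does not match their name."""
    flagged = []
    for e in entries:
        directory, _, filename = normalise(e.path).rpartition("\\")
        name_ok = filename == e.proc.lower() + ".exe"
        dir_ok = directory in SYSTEM_DIRS
        if e.proc.lower() in CORE_PROCESSES and not (name_ok and dir_ok):
            flagged.append(e)
    return flagged

# Constructed sample output: the quoted entry, a normal svchost, and one
# "winlogon" living outside system32 (the case this check is meant to catch).
SAMPLE = r"""Pid   Process        Port  Proto Path
228   winlogon       ->  1053  UDP   \??\C:\WINNT\system32\winlogon.exe
412   svchost        ->  135   TCP   \??\C:\WINNT\system32\svchost.exe
1337  winlogon       ->  2345  TCP   \??\C:\WINNT\Temp\winlogon.exe
"""

if __name__ == "__main__":
    for e in suspicious(parse_fport(SAMPLE)):
        print(f"CHECK pid {e.pid} {e.proc} {e.proto}/{e.port}: {e.path}")
```

On a real box, pair this with a `dir` of the flagged file (size and date) and the listdlls/tlist command line, as Harlan suggests; a matching path alone does not prove the binary is clean.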
