Security Basics mailing list archives

Re: AV removal malware


From: Jimi Thompson <jimit () myrealbox com>
Date: Tue, 9 Sep 2003 20:43:34 -0500


I know it's obvious, but I have to ask. Just for grins, have you tried reinstalling the AV software? I've seen end users uninstall it deliberately because "it slows my system down". Will they confess to it? NEVER! Then they want to complain because they get a virus. *SIGH* Another thing to try might be virus scanning from one of the vendors that offers a bootable virus product (F-prot, etc.) and see if the machine can be cleaned up that way.

I work for a university and we've seen a couple of things come through recently that tamper with anti-virus software. One even puts itself in the "exclusion" list, so that it isn't scanned.

HTH,

Jimi
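Two things come up in this thread that an admin would want to check on the next such machine: whether the AV product's entry has really vanished from Add/Remove Programs (i.e. its Uninstall key), and whether something has quietly added itself to the AV exclusion list. Below is an added example, not code from the original posts or from any AV vendor, that audits a registry export (.reg) for both. The key paths (`ExampleAV\Scanner\Exclusions`), the install directory and the .reg text are constructed placeholders, not the real layout of eTrust or any other product.

```python
"""Audit a Windows .reg export for (a) a missing AV uninstall entry and
(b) unexpected entries in the AV exclusion list.  Added example; all
key paths and sample values below are hypothetical and constructed."""
import re
from typing import Dict, List

# Hypothetical location of the exclusion list and the AV install directory.
EXCLUSIONS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleAV\Scanner\Exclusions"
AV_INSTALL_DIR = r"C:\Program Files\ExampleAV"
AV_DISPLAY_NAME = "ExampleAV"

# Constructed sample of a `regedit /e` style export.  Note that the AV's
# own Uninstall key is absent and that two temp-directory exclusions exist.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++]
"DisplayName"="Notepad++"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleAV\Scanner\Exclusions]
"0"="C:\\Program Files\\ExampleAV\\quarantine"
"1"="C:\\WINNT\\Temp\\svch0st.exe"
"2"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')

# Markers that make an exclusion worth a second look: temp locations and
# individual executables rather than the product's own directories.
SUSPICIOUS_MARKERS = ("\\temp\\", "\\temp", ".exe", ".dll", ".scr")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax found in exports: [key] headers
    followed by "name"="string" values.  Doubled backslashes are unescaped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            keys[current][name] = value.replace("\\\\", "\\")
    return keys


def av_uninstall_present(keys: Dict[str, Dict[str, str]], display_name: str) -> bool:
    """True if any Uninstall subkey has a DisplayName mentioning the product."""
    for path, values in keys.items():
        if "\\CurrentVersion\\Uninstall\\" not in path:
            continue
        if display_name.lower() in values.get("DisplayName", "").lower():
            return True
    return False


def suspicious_exclusions(keys: Dict[str, Dict[str, str]],
                          exclusions_key: str, av_dir: str) -> List[str]:
    """Return exclusion paths outside the AV's own install directory that
    point at temp locations or at single executables, in registry order."""
    flagged: List[str] = []
    for _name, path in keys.get(exclusions_key, {}).items():
        lowered = path.lower()
        if lowered.startswith(av_dir.lower()):
            continue  # the product excluding its own folders is expected
        if any(marker in lowered for marker in SUSPICIOUS_MARKERS):
            flagged.append(path)
    return flagged


def audit(reg_text: str) -> Dict[str, object]:
    """Run both checks over one export and summarise the findings."""
    keys = parse_reg(reg_text)
    return {
        "av_uninstall_entry_present": av_uninstall_present(keys, AV_DISPLAY_NAME),
        "suspicious_exclusions": suspicious_exclusions(keys, EXCLUSIONS_KEY, AV_INSTALL_DIR),
    }


if __name__ == "__main__":
    for finding, value in audit(SAMPLE_REG).items():
        print(f"{finding}: {value}")
```

Run it against a real export (`regedit /e dump.reg` on the suspect box, read from a clean machine) by replacing `SAMPLE_REG` with the file contents and the placeholder key paths with the product's real ones; a missing uninstall entry plus exclusions pointing into temp directories is exactly the pattern Jimi describes, and it is cheap to check before deciding between a reinstall and a re-image.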



download an app like "Penguin Sleuth Bootable CD" so you can view the
mounted drive without fear of infecting anything further and recover any
data the user needs.    http://www.linux-forensics.com/
(scan with AV after data is recovered)

then I would re-roll the machine with a new image and return it to the
user.  It would take less time, unless it's mandatory you provide a
reason why the machine is hosed.



On Fri, 2003-09-05 at 17:06, SMiller () unimin com wrote:
 I'm working on a machine that has boot problems (20+ minutes for Win2K
 "normal" boot, both safe modes freeze)  When the machine finally booted I
 saw that our AV product (eTrust 6) was gone.  And I don't mean
 non-functional, I mean vanished.  No entries in Add/Remove programs, no
 folders or files remain under Program Files or anywhere else I've looked.
 I didn't get a chance to examine the registry before I rebooted, will do so
 Monday (when I will also examine bootlog.txt).  My question is whether
 anyone here has run into an infection that attempts to remove antivirus
 products that is this effective and polished.  The few of those that I have
 seen close up have merely made crude and generally unsuccessful attempts to
 mess with registry keys.  I suspect that the user or someone else with
 access to the machine actually removed the eTrust product, after which the
 machine may have become infected.  Event Viewer no longer works, which also
 doesn't help forensics.  Thoughts?

 Scott Miller



 ---------------------------------------------------------------------------
 Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
 October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
 technical IT security event.  Modeled after the famous Black Hat event in
 Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com
 ----------------------------------------------------------------------------


---------------------------------------------------------------------------
Captus Networks
Are you prepared for the next Sobig & Blaster?
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Precisely Define and Implement Network Security
 - Automatically Control P2P, IM and Spam Traffic
FIND OUT NOW -  FREE Vulnerability Assessment Toolkit
http://www.captusnetworks.com/ads/42.htm
----------------------------------------------------------------------------


