Security Basics mailing list archives

Re: Trojan.Lodear.B/Trojan.Lodav.A


From: Brad Spangler <brad_spangler () yahoo com>
Date: Tue, 15 Nov 2005 23:26:02 -0600

Since UnHookExec.inf is supposed to reset everything in the registry to
default settings and you're *still* not able to access the registry,
it's apparent that the full extent of the compromise hasn't been
discovered yet.

Since the full extent of the compromise hasn't been discovered, one
can't be confident that any set of steps to address the compromise will
be adequate -- save for a full rebuild.

Why? You're dealing with unknown issues. If you can't find a way to make
those unknowns into knowns, then the only reasonable course of action is
to make sure no malware could possibly survive.

As a matter of fact, I'd even be a little *more* paranoid than normal,
since you literally don't know the full extent of what you're dealing
with (beyond the known trojan itself).

Here's what I'd do:

1) Shut the Windows machine down

2) Boot the workstation off any Linux LiveCD that can read NTFS (Knoppix
should do the trick)

3) Use that to rescue the user files off the system.

4) Wipe the whole hard drive on the compromised workstation -- every
single cluster.

5) Scan the user files with an up to date AV tool on a non-Windows
machine before allowing them to be used in setting up a new or rebuilt
Windows workstation for the user.


"Nuke it from orbit! It's the only way to be sure!" -- Aliens


Joe George wrote:
Hi all,

I have a workstation that was compromised by the Trojan mentioned in the
subject, after the end user opened an infected .ZIP file. I followed the
instructions Symantec recommended.  I used their removal tool because I
was not able to access the registry.  I also installed the
UnHookExec.inf in an attempt to reset the shell/open/command reg keys,
per the article.  I was still not able to access the registry.  I ran
the removal tool several times in normal and in safe mode and each time
it would detect and terminate the Trojan process running in
explorer.exe.  Before one removal tool run, I ran Winternals Process
Explorer, but nothing was found.  I ran two anti-virus scans but did not
find anything after the initial detection.  Is there anything that I
have not tried that someone can suggest? I'm about ready to run a repair
on Windows, but not ready to rebuild, as I am concerned there may be more
workstations that have been just as compromised.

Thanks in advance.

--
Joe George
IT Janitor
x349
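Steps 3 and 5 of Brad's list (rescue the user files from a LiveCD, then check them on a non-Windows box before they go near a rebuilt machine) as a POSIX shell script. This is an added example, not code from the thread; the mount points in the comments (/mnt/ntfs, /media/usb) and the choice of file types to leave behind are my own assumptions.

```shell
#!/bin/sh
# LiveCD-side rescue: copy a user's profile off the compromised disk, which
# is assumed to be mounted read-only (e.g. "mount -t ntfs -o ro /dev/sda1
# /mnt/ntfs"), onto removable media (e.g. /media/usb). A SHA-256 manifest
# lets the copy be re-verified later, and the wipe of the original disk
# (step 4) happens only after the manifest checks out.

# rescue_user_files SRC DST: copy documents/data under SRC into DST,
# preserving the directory layout but leaving behind executables, scripts
# and shortcuts, which have no business being carried to the new build.
rescue_user_files() {
    src=$1; dst=$2
    mkdir -p "$dst"
    find "$src" -type f \
        ! -iname '*.exe' ! -iname '*.dll' ! -iname '*.scr' ! -iname '*.pif' \
        ! -iname '*.bat' ! -iname '*.cmd' ! -iname '*.vbs' ! -iname '*.js' \
        ! -iname '*.lnk' | while read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$f" "$dst/$rel"
    done
    # Manifest of everything that was copied (the manifest excludes itself).
    ( cd "$dst" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + ) \
        > "$dst/MANIFEST.sha256"
}

# rescued_count DST: number of files recorded in the manifest.
rescued_count() {
    wc -l < "$1/MANIFEST.sha256" | tr -d ' '
}

# verify_manifest DST: re-hash the copy on the scanning machine and fail
# if anything changed since it left the LiveCD.
verify_manifest() {
    ( cd "$1" && sha256sum -c --quiet MANIFEST.sha256 )
}

# scan_rescued DST: scan the copy with ClamAV on the non-Windows machine.
# Exit status: 0 clean, 1 something flagged, 2 clamscan not installed.
scan_rescued() {
    command -v clamscan >/dev/null 2>&1 || return 2
    clamscan -r --infected "$1"
}
```

Only files that pass both verify_manifest and scan_rescued should be restored to the rebuilt workstation; anything clamscan flags stays on the removable media for a closer look.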