Security Basics mailing list archives
Re: Trojan.Lodear.B/Trojan.Lodav.A
From: Brad Spangler <brad_spangler () yahoo com>
Date: Tue, 15 Nov 2005 23:26:02 -0600
Since UnHookExec.inf is supposed to reset everything in the registry to default settings and you're *still* not able to access the registry, it's apparent that the full extent of the compromise hasn't been discovered yet. Since the full extent of the compromise hasn't been discovered, one can't be confident that any set of steps to address the compromise will be adequate -- save for a full rebuild.

Why? You're dealing with unknown issues. If you can't find a way to make those unknowns into knowns, then the only reasonable course of action is to make sure no malware could possibly survive. As a matter of fact, I'd even be a little *more* paranoid than normal, since you literally don't know the full extent of what you're dealing with (beyond the known trojan itself).

Here's what I'd do:

1) Shut the Windows machine down.
2) Boot the workstation off any Linux LiveCD that can read NTFS (Knoppix should do the trick).
3) Use that to rescue the user files off the system.
4) Wipe the whole hard drive on the compromised workstation -- every single cluster.
5) Scan the user files with an up-to-date AV tool on a non-Windows machine before allowing them to be used in setting up a new or rebuilt Windows workstation for the user.

"Nuke it from orbit! It's the only way to be sure!" -- Aliens

Joe George wrote:
Hi all,

I have a workstation that was compromised by the Trojan mentioned in the subject, after the end user opened an infected .ZIP file. I followed the instructions Symantec recommended. I used their removal tool because I was not able to access the registry. I also installed the UnHookExec.inf in an attempt to reset the shell/open/command reg keys, per the article. I was still not able to access the registry.

I ran the removal tool several times in normal and in safe mode and each time it would detect and terminate the Trojan process running in explorer.exe. Before one removal tool run, I ran Winternals Process Explorer, but nothing was found. I ran two anti-virus scans but did not find anything after the initial detection.

Is there anything that I have not tried that someone can suggest? I'm about ready to run a repair on Windows, but not ready to rebuild, as I am concerned there may be more workstations that have been just as compromised.

Thanks in advance.

--
Joe George
IT Janitor
x349
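Brad's steps 3 through 5 (rescue the user files from a LiveCD, wipe the disk, scan the files on a non-Windows host) as a small shell script. This is an added example for this archive page, not code posted by either participant. It assumes the compromised NTFS volume has already been mounted read-only on the LiveCD (for instance with ntfs-3g), that the rescue destination is removable media, that GNU coreutils (sha256sum, shred) are available, and that ClamAV's clamscan is installed on the scanning host; the mount point, media path and device name in the comments are hypothetical placeholders. Two defender-side details go beyond the steps as written: files of types that commonly carry or launch malware (the infection here arrived in a .ZIP) are set aside for inspection rather than copied straight into the user's new profile, and a SHA-256 manifest is recorded so the set that reaches the rebuilt machine can be verified.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumptions (hypothetical):
#   - compromised NTFS volume mounted READ-ONLY on the LiveCD,
#     e.g. "mount -t ntfs-3g -o ro /dev/sda1 /mnt/win"
#   - rescue destination is removable media, e.g. /media/rescue
#   - ClamAV's clamscan is installed on the non-Windows scanning host
set -eu

# rescue_user_files SRC DEST
# Step 3: copy user profiles off the mounted volume. Types that commonly
# carry or launch malware are not dropped but set aside under DEST/held so
# they can be reviewed; everything else lands under DEST/rescued. A SHA-256
# manifest of both trees is written for verification on the scanning host.
# Prints "<n> rescued, <m> held".
rescue_user_files() {
    src="$1"; dest="$2"
    mkdir -p "$dest/rescued" "$dest/held"
    # Profile roots for NT 5.x ("Documents and Settings") and Vista+ ("Users").
    for root in "$src/Documents and Settings" "$src/Users"; do
        [ -d "$root" ] || continue
        find "$root" -type f -print | while IFS= read -r f; do
            lower=$(printf '%s' "$f" | tr '[:upper:]' '[:lower:]')
            case "$lower" in
                *.exe|*.dll|*.scr|*.pif|*.com|*.bat|*.cmd|*.vbs|*.js|*.lnk|*.zip)
                    bucket=held ;;
                *)  bucket=rescued ;;
            esac
            rel="${f#"$src"/}"
            mkdir -p "$dest/$bucket/$(dirname "$rel")"
            cp -p "$f" "$dest/$bucket/$rel"
        done
    done
    ( cd "$dest" && find rescued held -type f -exec sha256sum {} + ) \
        | sort -k2 > "$dest/MANIFEST.sha256"
    n=$(find "$dest/rescued" -type f | wc -l | tr -d ' ')
    m=$(find "$dest/held" -type f | wc -l | tr -d ' ')
    echo "$n rescued, $m held"
}

# verify_manifest DEST
# Run on the scanning host before scanning or restoring anything: confirms
# the rescued set is exactly what left the compromised machine.
verify_manifest() {
    ( cd "$1" && sha256sum -c --quiet MANIFEST.sha256 )
}

# scan_rescued DEST
# Step 5: scan on a non-Windows host with up-to-date signatures. clamscan
# returns 0 when clean, 1 when something was found, 2 on error; the log is
# kept next to the manifest. Only the "rescued" tree is handed back to the
# user; anything in "held" that is genuinely needed gets reviewed first.
scan_rescued() {
    clamscan -r -i --log="$1/clamscan.log" "$1/rescued" "$1/held"
}

# wipe_disk /dev/sdX
# Step 4: overwrite every block of the compromised disk (the whole device,
# not one partition) with zeros. Refuses to run unless CONFIRM_WIPE=yes,
# because the wrong device path here destroys the rescue media instead.
wipe_disk() {
    dev="$1"
    if [ "${CONFIRM_WIPE:-}" != "yes" ]; then
        echo "refusing to wipe $dev: set CONFIRM_WIPE=yes after checking the device" >&2
        return 1
    fi
    # One zero pass over the entire device; shred sizes the device itself.
    shred -v -n 0 -z "$dev"
    sync
}

# Typical sequence, first on the LiveCD and then on the scanning host:
#   rescue_user_files /mnt/win /media/rescue
#   CONFIRM_WIPE=yes wipe_disk /dev/sda
#   verify_manifest /media/rescue && scan_rescued /media/rescue
```

The held list is deliberately conservative: a user who needs a setup program back can get it after someone has looked at it, whereas a .EXE or .ZIP that slips into the new profile unexamined defeats the point of the rebuild.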