Full Disclosure mailing list archives

Re: [SPAM] RE: interesting trojan found

From: James Riden <j.riden () massey ac nz>
Date: Fri, 22 Oct 2004 08:47:53 +1300

"Todd Towles" <toddtowles () brookshires com> writes:

But if it is a rootkit, does it not hide from normal AV scanning?


The Rxbot/Spybot variant that I've seen recently had a couple of
startup hooks in the registry - "blah service" and value was
"xaxe.exe" or "bling.exe". It made no real effort to hide, and could
be removed by deleting startup keys, rebooting and then deleting the
file in system32 - no serious attempt at hiding.

cheers,
 Jamie
-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

RE: [SPAM] RE: interesting trojan found Todd Towles (Oct 21)
- SV: [SPAM] RE: interesting trojan found Peter Kruse (Oct 21)
- Re: [SPAM] RE: interesting trojan found James Riden (Oct 21)
- <Possible follow-ups>
- RE: [SPAM] RE: interesting trojan found Todd Towles (Oct 21)