Full Disclosure mailing list archives
Re: New virus - possible rootkit
From: "Bipin Gautam" <gautam.bipin () gmail com>
Date: Thu, 21 Sep 2006 20:43:04 +0545
This appears to be an IRC bot that encrypts its traffic to fly beneath the radar. What makes it more interesting is that the directories it creates have SYSTEM ownership and only system and creator/owner can access the files. Changing permissions on the files or directories will only be changed back. It also appears that if you remove the file, it will start revoking permissions on all files and will remove everyone's but SYSTEM's permission to all files.
I've been talking about this for about a year now... Sometimes BEFORE there was a worm who exploited the features of EFS in NTFS, winxp now.... this threat.
http://72.14.203.104/search?hl=zh-TW&q=cache%3Ahttp%3A%2F%2Fbipin.securityhead.com%2Fall.html

--
Bipin Gautam
http://bipin.tk

Zeroth law of security: The possibility of poking a system from lower privilege is zero unless & until there is possibility of direct, indirect or consequential communication between the two...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- New virus - possible rootkit Joel R. Helgeson (Sep 20)
- Re: New virus - possible rootkit Bipin Gautam (Sep 21)
- Re: New virus - possible rootkit Joel R. Helgeson (Sep 22)