Security Incidents mailing list archives

RE: Possible new trojan?


From: Ryan Hill <rhill () xypoint com>
Date: Fri, 14 Sep 2001 16:50:31 -0700

4.  Did you check the contents of the Run, RunServices, RunOnce Registry keys (if the target system is a MS platform)?

No - but I'd like a tool that can decipher the 'ntuser.dat' file, so we 
don't have to log on as the specific user that caused the problems. 
Does anyone know of a way of 'reading'/enumerating a user's own 
registry file (HKCU)? There is supposedly a driver for Linux, to mount 
the registry file - and browse everything like a directory. But that 
seems to be like crossing the river for water...

Assuming the user has previously logged on the machine, the entire user
registry profile will be stored under HKLU, and listed by the user's SID.

Regards,

Ryan Hill, MCSE 
Network & Systems Engineer
Corporate Information Systems
Telecommunication Systems, Inc. (TCS) - http://www.telecomsys.com
v: 206.792.2276 - f: 206.792.2001
pgp: 0x17CE70AB



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
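
One way to run the autostart-key check discussed in this thread without logging on as each user, as an added example that is not part of the original posts. It reads the hives already loaded under HKEY_USERS by SID, then temporarily mounts the NTUSER.DAT of every other local profile; the `AuditTemp_<SID>` mount name and the `Get-AutostartEntries` function are names made up for this example.

```powershell
# Added example. Run from an elevated prompt.
# "AuditTemp_<SID>" and Get-AutostartEntries are hypothetical names chosen for this sketch.
$autostart = 'Run', 'RunOnce', 'RunServices' |
    ForEach-Object { "Software\Microsoft\Windows\CurrentVersion\$_" }

function Get-AutostartEntries {
    param([string]$HiveRoot, [string]$Label)   # e.g. 'Registry::HKEY_USERS\S-1-5-21-...'
    foreach ($sub in $autostart) {
        $path = "$HiveRoot\$sub"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Profile = $Label
                Key     = $sub
                Name    = $name
                # Keep %VAR% references unexpanded so the stored command line is shown as written.
                Command = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            }
        }
        $key.Close()   # an open handle would block "reg unload" later
    }
}

# 1. Hives that are already loaded are listed under HKEY_USERS by the user's SID.
$loaded  = @(Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' })
$results = @(foreach ($h in $loaded) {
    Get-AutostartEntries -HiveRoot "Registry::HKEY_USERS\$($h.PSChildName)" -Label $h.PSChildName
})

# 2. Profiles whose hive is not loaded: mount NTUSER.DAT, read it, unmount it again.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$results += @(foreach ($p in Get-ChildItem $profileList) {
    $sid = $p.PSChildName
    if ($sid -notmatch '^S-1-5-21-' -or $loaded.PSChildName -contains $sid) { continue }
    $dat = Join-Path $p.GetValue('ProfileImagePath') 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $dat)) { continue }
    $mount = "AuditTemp_$sid"
    & reg.exe load "HKU\$mount" $dat | Out-Null
    if ($LASTEXITCODE -ne 0) { continue }      # hive in use or access denied
    try { Get-AutostartEntries -HiveRoot "Registry::HKEY_USERS\$mount" -Label $sid }
    finally {
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # drop stray handles before unloading
        & reg.exe unload "HKU\$mount" | Out-Null
    }
})
$results | Format-Table -AutoSize -Wrap
```

Loading a hive writes to the file, so when the profile is evidence in an investigation, point the second step at a copy of NTUSER.DAT rather than the original.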

