Security Incidents mailing list archives

Re: Rcon trojan


From: H C <keydet89 () yahoo com>
Date: Tue, 5 Mar 2002 05:38:07 -0800 (PST)

Deleting the Registry entry for a trojan only
partially solves the problem.  The Registry entry is
usually used for persistence, so that the trojan will
start up again upon reboot.  If only the Registry
entry is deleted, the trojan itself may still be
running in memory.  

What needs to be done is that the admin needs to
determine how the trojan got there in the first place,
and then remove it completely.  If the OS and apps
need to be reloaded from clean media, then the admin
definitely needs to know how the trojan got there in
the first place...otherwise, he's reinstalling the
same holes and vulnerabilities all over again.

--- Tom Gerritsen <jabba () home nl> wrote:
On Monday 4 March 2002 18:08, Owen Creger
tried to tell us:
rcon

try to google 
http://www.google.nl/search?q=rcon+trojan&hl=nl&lr=


I got this hit that you can use.


http://www.glocksoft.com/trojan_list/Rcon_Recon_Xcon.htm

Looks like some registry hacking.
Just go into regedit, press Ctrl+F and enter
"runonce" as the search term. If it
finds it, just above it you'll find the Run key.
(Searching for the word "run"
takes too long, because the registry is full of it...)
Do this something like
3 times, because the Run key is used more than
once..



-- 
GreetZz
                      Tom Gerritsen
                      jabba () home nl



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS
analyzer service.
For more information on this free incident handling,
management 
and tracking system please see:
http://aris.securityfocus.com




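The cleanup H C describes above, as an added example (not code from the thread, and not specific to Rcon): enumerate the Run and RunOnce values Tom points at, map each value to the executable it launches, and show whether that executable is still running before the value is removed. The four key paths are the standard Windows autostart locations; the -Name and -Remove parameters and everything else in the script are assumptions of this example, since the thread names no specific registry value or file for the trojan.

```powershell
# Added example (not from the thread): list the Run/RunOnce autostart values,
# resolve each to the executable it launches, and report whether that
# executable is still running, when it landed on disk, and its hash.
# Assumptions: the four keys below are the standard autostart locations;
# which value is the trojan is the admin's call, passed as -Name.
param(
    [string]$Name,    # registry value name identified as the trojan (optional)
    [switch]$Remove   # stop the running copy and delete the value; default is report only
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable path from a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent    or    C:\WINDOWS\svc.exe -k
function Get-ExeFromCommand([string]$Command) {
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Get-AutostartEntries {
    # Processes whose image path we can read; Path is null for protected ones.
    $running = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path }
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
                 Where-Object { $_.Name -notlike 'PS*' }   # drop PowerShell metadata
        foreach ($p in $props) {
            $exe    = Get-ExeFromCommand ([string]$p.Value)
            $onDisk = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            $created = $null
            $hash    = $null
            if ($onDisk) {
                $created = (Get-Item -LiteralPath $exe).CreationTime
                $hash    = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            }
            # Match on the full path, not the image name: a trojan named
            # svchost.exe in the wrong directory must still be caught.
            $procIds = @($running | Where-Object { $_.Path -ieq $exe } | ForEach-Object { $_.Id })
            [pscustomobject]@{
                Key         = $key
                Name        = $p.Name
                Command     = $p.Value
                Exe         = $exe
                OnDisk      = $onDisk
                Created     = $created
                SHA256      = $hash
                RunningPids = $procIds
            }
        }
    }
}

$entries = Get-AutostartEntries
$entries | Format-Table Key, Name, Exe, OnDisk, Created, RunningPids -AutoSize

if ($Name) {
    foreach ($t in ($entries | Where-Object { $_.Name -ieq $Name })) {
        if (-not $Remove) {
            Write-Host "Would stop PIDs [$($t.RunningPids -join ',')] and delete $($t.Key)\$($t.Name) (re-run with -Remove)"
            continue
        }
        # Stop the running copy before deleting the value: deleting the Run
        # entry alone leaves the trojan in memory, and a live copy may simply
        # write its persistence entry back.
        foreach ($procId in $t.RunningPids) { Stop-Process -Id $procId -Force }
        Remove-ItemProperty -Path $t.Key -Name $t.Name
        Write-Host "Removed $($t.Key)\$($t.Name); preserve $($t.Exe) (SHA256 $($t.SHA256)) for analysis of how it got there."
    }
}
```

Run it once without -Remove to get the table: the Created timestamp and SHA256 of each binary are where the "how did it get there" question starts, so copy the file off the box before anything is deleted. A value whose executable is not on disk or not running is still worth noting, since a RunOnce entry may already have fired and cleaned itself up.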

