Security Incidents mailing list archives

NC_S_ISLCK?


From: "Shirley, Ed" <thewthrman () yahoo com>
Date: Wed, 1 Jan 2003 08:30:30 -0800 (PST)

I was hoping that this would be approved for the list
as I get many emails from people who searched Google
and only hit on the question.  Below is the answer
that I was sending out to people who asked me
personally.

Over the past 14 months, I received quite a few
responses to my post on the SecurityFocus incidents
list regarding the addition of the NC_S_ISLCK group to
my NT laptop.  The vast majority of these posts were
from people like me, who have it and have no idea
where it came from.  I did get a few replies that
offered clues to its origin and I wanted to share them
with you who, like me, were/are clueless.

The NC_S_ISLCK group on my box had no members.  Some
report that it is recreated if renamed or deleted.

This was not limited to NT.  One of you has XP and
several have Win2k.  I have finally updated my toolkit
and am running Win2k with no appearance of the group
thus far.  I looked at all the machines in our lab and
none of them have the group except for 2 machines that
have Silent Runner installed on them.  This was the
full-blown version and not just the collector (none of
the collector-only machines had this group).  I also
had installed a rapidly-expiring eval of SR on my NT
laptop.  It's my bet that is where I got the group
from, but you never know.  Silent Runner installs a
couple of services that took me a while to track down,
as well as Hummingbird Networking.

Now, some stated that the group can come from other
places, possibly.  You can check your affected boxes
to see if anything correlates.

Rational Development Suite
Crystal Reports v. 8 professional
Sygate Personal Firewall
Transtext
Netscape Avatar
Raytheon Silent Runner

Sorry it took me a year to get back to you.  I
was waiting for a black helicopter story that never
came.

So, now, when people do a Google search for NC_S_ISLCK,
they'll get a hit on this instead of my post with no
replies from last October.

Ed Shirley

--- kevin.mcphail () adisseo com wrote:
I saw your post to incidents.org on finding this
group on your system. Did you ever find out what
it was? It is on my system as well and I want to
know how it got there.
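
The cross-check described in the message above (which machines have the group versus what is installed on them), as an added example that is not part of the original post. The host names and inventory are constructed; in practice they would come from each machine's local group list and installed-software list.

```python
from collections import Counter

GROUP = "NC_S_ISLCK"

# Constructed lab inventory (not data from the post):
# host -> (local group names, installed product names)
INVENTORY = {
    "lab-01": ({"Administrators", "Users", GROUP},
               {"Silent Runner", "Hummingbird Networking"}),
    "lab-02": ({"Administrators", "Users", GROUP},
               {"Silent Runner", "Crystal Reports 8"}),
    "lab-03": ({"Administrators", "Users"},
               {"Silent Runner Collector", "Crystal Reports 8"}),
    "lab-04": ({"Administrators", "Users"},
               {"Sygate Personal Firewall"}),
}


def correlate(inventory, group=GROUP):
    """Rank products by how well their presence tracks the group's presence."""
    wanted = group.lower()
    affected = {host for host, (groups, _) in inventory.items()
                if wanted in {g.lower() for g in groups}}
    on_affected, on_clean = Counter(), Counter()
    for host, (_, products) in inventory.items():
        names = {p.strip().lower() for p in products}
        (on_affected if host in affected else on_clean).update(names)
    rows = []
    for product in set(on_affected) | set(on_clean):
        a, c = on_affected[product], on_clean[product]
        rows.append({
            "product": product,
            "affected_hosts": a,   # hosts with the group that have the product
            "clean_hosts": c,      # hosts without the group that have the product
            # Strong candidate: on every affected host and on no clean host.
            "explains_all": bool(affected) and a == len(affected) and c == 0,
        })
    rows.sort(key=lambda r: (not r["explains_all"], r["clean_hosts"],
                             -r["affected_hosts"], r["product"]))
    return sorted(affected), rows


if __name__ == "__main__":
    hosts, ranking = correlate(INVENTORY)
    print("hosts with", GROUP, "->", hosts)
    for row in ranking:
        print(row)
```

A product that also appears on machines without the group, like the collector-only install in the constructed data, drops down the ranking.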



