Trojan modifying ntdll.dll and cmd.exe

["Eric Greenberg" <eric () netframeworks com>]

We have encountered a trojan that has modified both cmd.exe and
ntdll.dll on a Windows 2000 machine.  The files failed our CRC check
(TDS was used for this, these out of 29 CRC-checked files were flagged
as modified and Windows also flagged it). It was installed on a well
protected machine (behind a firewall, zone alarm, Norton anti-virus,
locked-down) and believe the application installing it was either a
vendor-installed  patch this morning (we have notified the vendor and
are getting their feedback and verifying) or through a web-based IE
exploit on a fully patched IE installation. No email attachments were
opened on this machine, etc, that would have caused the infection Has
anyone on this list encountered a trojan specifically targetting BOTH of
these files? Clearly many target cmd.exe and both (cmd.exe and
ntdll.dll) are great candidates for modification by a hacker. Cmd.exe
has of course been swapped-out since the beginning of time. We'd like to
learn more about the signature of this particular one.


----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies 
that are enforced to protect WLANs from known vulnerabilities and threats. 
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:    
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------