Re: Probable Trojan.

[Brian Eckman <eckman () umn edu>]

Gene wrote:
> Have a buddy complaining about his AOL account password being stolen every time he logs onto AOL from his PC at work.  
> I talked him through doing an fport on his box and he sent me the results:

<snip>

I wouldn't worry about services listening on the machine as much as what 
is running at startup. A keylogger or other password stealer has no need 
to listen on a port. It would more likely phone home as needed.

Based on your FPort results, I assume it's Windows 2000, which doesn't 
ship with MSCONFIG.EXE. I'd personally grab a copy of MSCONFIG.EXE from 
a Windows XP box and run it on the machine to get a quick glance at most 
places that malware run from to load when Windows starts up. 
(Disclaimer: I have a site license for Windows upgrades and therefore 
what I propose above should be legal in my workplace. Your mileage may 
vary.)

I know, I know, MSCONFIG doesn't show every piece of code that launches 
at startup, and you can manually go to each location it checks to see 
what is running. It's just a really quick way to check the usual suspects...

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who
understand binary and those who don't."


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------