Security Incidents mailing list archives

Re: Odd typing in MSWord


From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>
Date: Sat, 05 Mar 2005 11:12:28 -0800

http://windowsir.blogspot.com/2005/03/rootkit-saga-continues.html

Are root kits 'that' new or are the bad guys just getting a smidge smarter?

This is an example of a rootkit that wasn't coded properly:
You receive a Stop 0x00000050 error on a blue screen:
http://support.microsoft.com/default.aspx?scid=kb;en-us;894278

The folks in my group say that if you have an on the ball admin, he/she will notice something is up via the normal review procedures of the log files/ingress/egress/packet flows and what not.

Remember there's a bunch more tools in the arsenal that many of us have yet to roll out .... IPsec..... Software restriction....
IPFront - About:
http://www.hernanracciatti.com.ar/ipfront/about.htm
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

Federated Information Security wrote:

Thanks to all who replied, I'm pretty sure it was the microphone, I'm in
the process of verifying.  As a side note, I've seen the press on MS
root kits, but are they all that common?  How often do you run across
them in a corporate environment, and how good are standard protections
(antivirus, firewall, non-admin) at preventing them?

Thanks again!
sid


-----Original Message-----
From: Federated Information Security Sent: Friday, March 04, 2005 9:50 AM
To: incidents () securityfocus com
Subject: Odd typing in MSWord


I ran across something rather odd today I'm hoping someone might have
thoughts on.  One of my users had their XP SP1 laptop on the corporate
network and was editing a Word document with office 2002.  They pasted
something in a table, and it looked like someone started typing in their
document.  It was slow, typical typing speed, and lasted for about 10
minutes (I actually got a chance to see it).  The text was nonsense
words, like the kind you often see in spam nowadays.

The machine's fully patched, up-to-date anti-virus and a personal
firewall.  Don't see any signs of spyware, nothing in the registry.  I
checked all the files modified today hoping to find a keylogger or
something similar, and the only thing I found was a seemingly encrypted
file on the root of c:\ called "comply.ini", which isn't normal for our
config, but may not be related.  IE was open at the time this happened.
I issued a netstat -a command while the typing was going on, but all the
connections were legit--domain controller, file & print servers.  I
checked the running processes and everything seemed pretty typical,
although I hit
Anyone run across anything similar lately, or have any suggestions?

Thanks!
sid


--
Chapter 4 of The Complete Patch Management Book: https://www.ecora.com/ecora/jump/pm149.asp

So why is it the only book on NT Event Logging is out of print?
http://tinyurl.com/3kwc2

And if you don't know about www.eventid.net You should!

