PaulDotCom mailing list archives
Re: Incident Response
From: Craig Freyman <craigfreyman () gmail com>
Date: Thu, 1 Jul 2010 08:34:56 -0600
There's another bug on here. Looks like this virus sets up a backdoor from the compromised system to an IRC channel.
http://anubis.iseclab.org/?action=result&task_id=19da61a862fdf5bb4c56f207beccef8ff&format=html

This looks like the culprit. At least I know what I'm looking for now!
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Hamweq.E

On Thu, Jul 1, 2010 at 7:58 AM, Craig Freyman <craigfreyman () gmail com> wrote:
Not a false positive. Someone used a nasty USB drive that had an autorun virus on it. The autorun.inf had this in it:

l~-??A?<K??#?Ê??ed?ª?üXÜ??ÁüFl?æ?eëX?r?:M?à???Ñ?çs?Ç?Oü?EF??ëÓ??ÚÞÊN?d=?ú??[Y?????mÈm!Ã???çñvè?y?Êv_????É-/?Is?ù?,[
[autorun
;e???V
open=trikfx/spomenar.exe
;Þm÷?Ç
icon=%SystemRoot%\system32\SHELL32.dll,4
;X]doÝ??a
action=Open folder to view files using Windows Explorer
;?ëë$???µ]
shell\open\command=trikfx/spomenar.exe
;Là?ÿÜ??Üü`ásáµ????Dþ?é'?µ??rm?ò?
shell\explore\command=trikfx/spomenar.exe
;??àg'æë?
useautoplay=1

VirusTotal for this file:
http://www.virustotal.com/analisis/e22b8e9b4fbdb876904373e647306a3f0a8d2c5bbb50e708a87464c83c962dba-1277992532

On Wed, Jun 30, 2010 at 4:06 PM, Mike Patterson <mike () snowcrash ca> wrote:

On 10-06-30 12:05 PM, Craig Freyman wrote:

When the AV flags a virus, what steps should you take to handle the situation? I would assume the following would be important to figure out:
[...]

First and foremost: is this a false positive? Other than that, Josh Little's response is good.

Mike
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
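The autorun.inf quoted above hides its real keys between lines of binary junk and ";" comments. The parser below, added here as an example and not code from the thread or from any list member, shows how a triage script can still pull out the launch entries; the sample file is a constructed reconstruction of the one in the mail, with made-up junk bytes and the key/value lines taken from the page.

```python
import re

# Constructed sample modelled on the autorun.inf quoted in the thread: junk
# lines and ";"-prefixed junk comments interleaved with the real keys. The
# junk bytes are made up; the key/value lines follow the mail.
SAMPLE_AUTORUN = (
    b"l~-\xa3\x8dA\x9c<K\x9f\x1f\xed\x92\n"
    b"[autorun\n"
    b";e\xd7\x8b\x9fV\n"
    b"open=trikfx/spomenar.exe\n"
    b";\xde m\xf7\xa9\xc7\n"
    b"icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
    b"action=Open folder to view files using Windows Explorer\n"
    b";?\xeb\xeb$\n"
    b"shell\\open\\command=trikfx/spomenar.exe\n"
    b"shell\\explore\\command=trikfx/spomenar.exe\n"
    b"useautoplay=1\n"
)

# Keys whose value is executed when the drive is inserted or opened.
EXEC_KEYS = ("open", "shellexecute", r"shell\open\command", r"shell\explore\command")


def parse_autorun(data: bytes) -> dict:
    """Return the key/value pairs of an autorun.inf, skipping junk and comments.
    latin-1 decoding never fails, so obfuscating bytes cannot abort parsing."""
    entries = {}
    for raw in data.decode("latin-1").split("\n"):
        line = raw.strip("\r ").strip()
        if not line or line[0] in ";[":
            continue  # comment (often junk) or section header
        if "=" not in line:
            continue  # padding line without a key
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if not re.fullmatch(r"[a-z0-9\\]+", key):
            continue  # junk on the left of '=' is not a real INF key
        entries[key] = value.strip()
    return entries


def suspicious_entries(data: bytes) -> list:
    """List the (key, value) pairs that launch something, plus useautoplay=1."""
    entries = parse_autorun(data)
    hits = [(k, v) for k, v in entries.items() if k in EXEC_KEYS]
    if entries.get("useautoplay") == "1":
        hits.append(("useautoplay", "1"))
    return hits
```

Run against the sample, it reports the three launch keys pointing at trikfx/spomenar.exe and the useautoplay flag, while a plain icon-only autorun.inf produces no hits.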