they generally look for an exe name. i've fired up Optix Pro and
others, and it gives a customizable list of exe names to kill.
obviously it has a default list of several hundred. on unix though, you
generally have to modify the source code rather than a trivial renaming
of the file. it's an ancient trick and obviously malware authors are
not stagnating, they are PROACTIVE.
That someone else was me, and renaming regedit to jregedit wasn't the brightest
idea as whatever is messing with your system most probably looks for the string
"regedit" for doing its thing.
I also posted about the HackersDefender100 root-kit, in this thread, in article
<[email protected]>. The reason for my post on HacDef
wasn't that you look for it, specifically, but to suggest that you are probably
dealing with something similar and offer *methods* how to revert what it did.
if it's hacker defender, that's a ring zero kit. you really need to
mount the media and scan from another OS instance, scan from PE, or
something of that nature.
tripwire or AIDE could have avoided this whole issue, because you would
have known from the hashes that you got owned. (i use free tripwire on
linux, and a custom script that hashes on windows). assuming the kit
doesn't intercept and serve up bogus files for hashing purposes.
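As an added example of the hash-baseline approach michael describes (this is not his custom Windows script, nor tripwire or AIDE; it is written for this page), the Python below baselines a directory tree with SHA-256, stores the baseline as JSON, and later diffs a fresh pass against it. The demo() scenario, the file names in it and the directory layout are constructed for illustration. As the post notes, the comparison only means something if the second pass is run from a clean OS instance with the suspect disk mounted, so that a kernel-mode kit on the live system cannot serve bogus file contents to the hasher.

```python
"""Baseline-and-verify file hashing (added example, not the thread's script).

Run build_baseline() on a known-good system and keep the JSON on write-once
media; later, boot clean media, mount the suspect disk, run build_baseline()
on the same tree and compare() the two. Nothing here detects a rootkit by
itself; it reports which files changed, appeared or vanished.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its hash."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(old, new):
    """Return (added, removed, modified) sorted path lists for two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, modified


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline a small tree, then simulate a patched
    binary, a dropped file and a deleted file, and diff the two passes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "regedit.exe").write_bytes(b"MZ clean regedit")
        (root / "system32" / "notepad.exe").write_bytes(b"MZ clean notepad")
        (root / "win.ini").write_text("[windows]\n")

        # Baseline is built before the JSON is written, so the store itself
        # is not part of the tree being measured.
        save_baseline(build_baseline(root), root / "baseline.json")
        known_good = load_baseline(root / "baseline.json")
        (root / "baseline.json").unlink()

        # Tampering, as a hypothetical compromise would leave it.
        (root / "system32" / "notepad.exe").write_bytes(b"MZ patched notepad")
        (root / "system32" / "dropped.exe").write_bytes(b"MZ dropped file")
        (root / "win.ini").unlink()

        return compare(known_good, build_baseline(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```

The baseline deliberately records only content hashes; adding size, mtime and ACLs per entry is a small extension, but a kit that patches a binary in place and restores the timestamp still shows up on the hash alone.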
What we need is a clue where to start from. Here is a procedure that may give
us that clue:
1. Make a copy of regedit.exe, in the Windows default directory, and name it
abcde.exe.
2. Run the following command line from the desktop, EXACTLY as written, quote
marks included:
abcde /e c:\junk.txt "hkey_local_machine\software\microsoft\windows\currentversion\run"
What that command does is to export the content of the machine run registry key
to a file named junk.txt. Find that file in the root of C: and paste it in your
next post, here.
What I expect to find there is how the Trojan you are dealing with initializes,
and provide the clue how to kill it.
Regards, Zvi
--
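As an added example (not Zvi's code, nor anything posted in the thread), here is a small Python parser for the junk.txt that the `abcde /e` step above produces, which pulls the autostart commands out of the Run key. regedit writes the file as REGEDIT4 (ANSI) on Win9x/NT4 and as "Windows Registry Editor Version 5.00" (UTF-16LE with a byte-order mark) on Windows 2000 and later; both forms are handled, including the hex(2) encoding used for REG_EXPAND_SZ and the backslash continuation lines. The sample export embedded below is constructed, and the triage rules in suspicious() are this example's own assumptions about what is worth a second look, not a published signature.

```python
"""Parse a regedit /e export of the machine Run key (added example)."""
import re

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_UNESCAPE = lambda s: re.sub(r"\\(.)", r"\1", s)  # regedit escapes \ and "

# Constructed sample of what a v5 export of the machine Run key looks like.
_SAMPLE_TEXT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run]\r\n"
    '"SystemTray"="SysTray.Exe"\r\n'
    '"AVGCtrl"="\\"C:\\\\Program Files\\\\AVG\\\\avgcc.exe\\" /startup"\r\n'
    '"Loader"="C:\\\\WINDOWS\\\\Temp\\\\loader.exe"\r\n'
    '"Updater"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,75,00,70,00,\\\r\n'
    "  64,00,2e,00,65,00,78,00,65,00,00,00\r\n"
    '"Flag"=dword:00000001\r\n'
)
SAMPLE_EXPORT = b"\xff\xfe" + _SAMPLE_TEXT.encode("utf-16-le")


def decode_export(raw):
    """UTF-16LE with BOM on 2000+, ANSI text for REGEDIT4 exports."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("cp1252")


def _logical_lines(text):
    """Join hex(...) continuation lines, which end in a backslash."""
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _decode_value(rhs, unicode_export):
    """Turn the right-hand side of a value line into (type_name, value)."""
    if rhs.startswith('"') and rhs.endswith('"'):
        return "REG_SZ", _UNESCAPE(rhs[1:-1])
    if rhs.startswith("dword:"):
        return "REG_DWORD", int(rhs[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", rhs)
    if m:
        kind = int(m.group(1) or 3)  # bare "hex:" is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (2, 7):  # REG_EXPAND_SZ / REG_MULTI_SZ are text in hex form
            text = data.decode("utf-16-le" if unicode_export else "cp1252")
            text = text.rstrip("\0")
            return ("REG_EXPAND_SZ", text) if kind == 2 else ("REG_MULTI_SZ", text.split("\0"))
        return "REG_BINARY", data
    return "UNKNOWN", rhs


def parse_export(raw):
    """Return {key_path: {value_name: (type, value)}}; "" is the default value."""
    lines = list(_logical_lines(decode_export(raw)))
    if not lines or lines[0] not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("not a regedit export: %r" % lines[:1])
    unicode_export = lines[0].startswith("Windows")
    keys, current = {}, None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = _UNESCAPE(m.group(1)) if m.group(1) is not None else ""
            current[name] = _decode_value(m.group(2), unicode_export)
    return keys


def run_entries(keys):
    """Command lines registered under any ...\\CurrentVersion\\Run key."""
    out = {}
    for path, values in keys.items():
        if path.lower().endswith("\\currentversion\\run"):
            for name, (kind, val) in values.items():
                if kind in ("REG_SZ", "REG_EXPAND_SZ"):
                    out[name] = val
    return out


def executable_of(command):
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def suspicious(entries):
    """Heuristic triage (this example's assumptions): entries that run from a
    temp directory, or give no directory at all and so resolve via PATH."""
    hits = []
    for name, cmd in entries.items():
        exe = executable_of(cmd).lower()
        if "\\temp\\" in exe or exe.startswith("%temp%"):
            hits.append((name, cmd, "runs from a temp directory"))
        elif "\\" not in exe:
            hits.append((name, cmd, "unqualified path, resolved via PATH"))
    return hits


if __name__ == "__main__":
    for name, cmd, why in suspicious(run_entries(parse_export(SAMPLE_EXPORT))):
        print("%-12s %-45s %s" % (name, cmd, why))
```

To use it on a real export, read c:\junk.txt as bytes and pass it to parse_export(); the Run key is only one of several autostart locations (RunOnce, RunServices on Win9x, the per-user Run key, Winlogon values), so the same exporting step with a different key path feeds the same parser.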
zvi, you give good advice, of course.
also the general forensics procedure, after making an image of drive for
legal purposes, is to use utilities on floppy or CDR. the best case is
keeping them on single write media (along with your tripwire hashes of
course). having clean utilities can sometimes defeat the simpler
rootkits, it just depends.
i've already mentioned the tools to detect and clean this in a prior post.
michael