On 11 Nov 2005 at 6:13, Brad Beyenhof wrote:

> On 11/11/05, Phil Daley <[EMAIL PROTECTED]> wrote:
> > At 11/10/2005 08:43 PM, David W. Fenton wrote:
> >
> >> One of the things it does is hook into low-level file I/O
> >> subroutines to hide its own files and its own activities. This is
> >> accomplished by hiding every file/directory that begins with $sys$
> >> (or a similar such pattern -- I could be misremembering the exact
> >> prefix).
> >
> > That's exactly the correct prefix.
>
> In fact, I know of a guy who put a file called "$sys$_canary" on his
> desktop, so that he'll know if he ever gets this rootkit because the
> file will disappear (like the canaries used by miners). While
> humorous, I think it's kind of silly... just don't ever click "OK" to
> Sony's EULA, or hold Shift when inserting one of their CDs so that
> AutoRun won't kick in. As previously mentioned, you can disable
> AutoRun altogether, but that seems a bit extreme to me.
And if you're not running an administrative logon, it won't make any
difference if you *do* have Autoplay on and click YES to the EULA -- it
won't be able to install. Perhaps it's smart enough to use the RunAs
service to ask you for an administrative logon/password (somewhat like
SU on UNIXen), but if you don't supply it, it won't be able to install,
since it can only work by modifying Windows system files and registry
settings that on Win2K and WinXP are read-only for user-level logons.

--
David W. Fenton                        http://www.bway.net/~dfenton
David Fenton Associates                http://www.bway.net/~dfassoc

_______________________________________________
Finale mailing list
[email protected]
http://lists.shsu.edu/mailman/listinfo/finale
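The "$sys$_canary" trick quoted above can be turned into a repeatable check. The script below is an added example, not part of this thread or of anything its participants posted: it plants a file with the $sys$ prefix the message names next to a control file with an ordinary name (the control name and the temporary directory are constructed for the example), then asks the operating system to list the directory. On a clean machine both names come back; a listing that returns the control file but drops the $sys$-prefixed one is the "canary has disappeared" condition the message describes, which is the signature of a rootkit hooking directory enumeration by filename prefix.

```python
"""Canary-file check for a rootkit that hides $sys$-prefixed files.

Added example (not from the mailing-list thread). It automates the
"$sys$_canary" idea quoted above: create a file whose name starts with
the hidden prefix, create a control file without it, and see whether the
OS directory listing still reports both.
"""
import os
import tempfile

HIDDEN_PREFIX = "$sys$"            # prefix named in the thread
CANARY_NAME = HIDDEN_PREFIX + "_canary"
CONTROL_NAME = "canary_control"    # constructed name with no special prefix


def plant_canaries(directory):
    """Create the canary and the control file; return both paths."""
    paths = []
    for name in (CANARY_NAME, CONTROL_NAME):
        path = os.path.join(directory, name)
        with open(path, "w", encoding="ascii") as fh:
            fh.write("canary\n")
        paths.append(path)
    return paths


def check_canary(directory):
    """Inspect the directory listing and report what it shows.

    canary_listed / control_listed: whether os.listdir returned each name.
    suspicious: True only when the control file is listed but the canary
    is not, i.e. ordinary names are enumerated while the $sys$ name is
    dropped. A clean system lists both; a genuinely missing pair (both
    absent) is a setup problem, not a hiding symptom.
    """
    listed = set(os.listdir(directory))
    canary_listed = CANARY_NAME in listed
    control_listed = CONTROL_NAME in listed
    return {
        "canary_listed": canary_listed,
        "control_listed": control_listed,
        "suspicious": control_listed and not canary_listed,
    }


def run_check(directory=None):
    """Plant the canaries (in a temp dir by default), check them, clean up.

    Pass a real directory such as the desktop to leave a long-lived canary
    in place the way the message describes; then only the temp-dir case
    is removed afterwards.
    """
    tmp = None
    if directory is None:
        tmp = tempfile.mkdtemp(prefix="canary_check_")
        directory = tmp
    try:
        plant_canaries(directory)
        return check_canary(directory)
    finally:
        if tmp is not None:
            for name in (CANARY_NAME, CONTROL_NAME):
                try:
                    os.remove(os.path.join(tmp, name))
                except FileNotFoundError:
                    pass
            os.rmdir(tmp)


if __name__ == "__main__":
    result = run_check()
    print(result)
    if result["suspicious"]:
        print("WARNING: $sys$ canary is missing from the listing")
    else:
        print("canary visible; no prefix-based hiding observed")
```

Run it with no arguments for a one-off check in a temporary directory, or call `run_check(os.path.expanduser("~/Desktop"))` to leave the canary where the message's acquaintance kept his. The control file matters: without it, a canary that is simply gone cannot be told apart from an ordinary deletion or a mistyped path.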
