The only antivirus I have tried so far is Microsoft Security Essentials. And it finds nothing, which I certainly don't trust at all. Especially because it shows a very unusual certificate alert during the setup. I also scanned a few files that I chose (some DLLs and services) on VirusTotal with no results except some false positives. I also had a look at the disassembly of these files. So, I don't know what it is, but if it is a rootkit it is not a trivial one and I am afraid it is smarter than me :)
--- phocean

On 12 July 2012 at 15:33, Mikhail A. Utin wrote:

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
> Sent: Thursday, July 12, 2012 4:40 AM
> To: [email protected]
> Subject: Full-Disclosure Digest, Vol 89, Issue 15
>
> Send Full-Disclosure mailing list submissions to [email protected]
>
> I've had a very similar case of downloading software and getting malware. I wanted just to get it fixed, so whether a virus, or worm, or rootkit I do not know.
> Symptoms were disabled Windows Update and Windows networking. TCP in general worked.
> I found malicious files (just a few) using one of the security tools running under a Linux CD-bootable to check the consistency of Windows files. First I tried three AV systems (F-Secure, Kaspersky and Symantec), but they were useless. Finally, from Linux I was able to find files having inconsistent attributes, as far as I remember - the size and modification date.
>
> Nothing in particular, but: AV systems identify less than 90% of malware (both forward and backward tests), when downloading freeware stuff a virtual machine is the best option, and if right after installing freeware Windows screws up, it is obvious what the reason is.
>
> Mikhail
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 12 Jul 2012 00:46:33 +0300
> From: Alexandru Balan <[email protected]>
> Subject: Re: [Full-disclosure] suspicion of rootkit
> To: phocean <[email protected]>
> Cc: [email protected], [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Tried checking it with an AV?
> http://quickscan.bitdefender.com
>
> On Jul 12, 2012, at 12:06 AM, phocean wrote:
>
>> The machine is Windows XP SP3, quite up-to-date, but not fully. Except that Windows Update is not working anymore.
>> One of the symptoms.
>>
>> I described the issues there:
>> http://www.phocean.net/2012/06/30/rootkit-in-my-lab.html
>> http://www.phocean.net/2012/07/11/rootkit-in-my-lab-part-ii.html
>>
>> You will see why some symptoms make me think about a rootkit.
>>
>> You are right, it could be some Windows being messed up.
>> But it actually happened on a pretty fresh install: I finished setting up XP and tens of analysis tools (I aimed this box to be my fresh reversing system).
>> So even if possible, it sounds strange that a machine gets corrupted so quickly. And of course, I suspect some of these tools, got from multiple downloads.
>> At last, I could analyse them one by one of course, but there are many so it would be painful (and I am not sure that I kept all setups).
>>
>> --- phocean
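Mikhail's approach above (boot Linux from a CD, inspect the Windows files from outside the possibly-hooked OS, and look for size/modification-date inconsistencies) is the one check in this thread that does not depend on the infected kernel telling the truth. The script below is an added example written for this page; it is not code from the thread and not the unnamed tool Mikhail used. It assumes the suspect volume is mounted read-only from a Linux boot and that a clean reference copy of the same files (install media, a known-good machine) is available to build the manifest. The file names and contents are constructed sample data, not real Windows binaries. It also goes one step beyond the size/date check: it hashes every file, because a modification date is trivially restored after patching a file in place (timestomping), while the hash is not.

```python
"""Offline consistency check of a mounted Windows volume against a known-good manifest.

Added example; not code from the thread, and not the (unnamed) Linux live-CD tool
Mikhail used. Assumes the suspect volume is mounted read-only from a Linux boot and
that a clean reference copy of the same files is available. The file names and
contents below are constructed sample data, not real Windows binaries.
"""
import hashlib
import os
import tempfile
from pathlib import Path

FIXED_MTIME = 1_300_000_000  # arbitrary epoch seconds pinned on the constructed reference tree


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative, '/'-separated) to its size, mtime and hash."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            manifest[rel] = {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": sha256_of(p)}
    return manifest


def compare(reference: dict, target: dict) -> dict:
    """Return {path: [attributes that differ]} for every file that does not match the reference.

    'missing' marks reference files absent from the target; 'unexpected' marks files the
    reference never had (a dropped driver, a DLL planted next to a service binary).
    """
    findings = {}
    for rel, ref in reference.items():
        cur = target.get(rel)
        if cur is None:
            findings[rel] = ["missing"]
            continue
        diffs = [k for k in ("size", "mtime", "sha256") if cur[k] != ref[k]]
        if diffs:
            findings[rel] = diffs
    for rel in target:
        if rel not in reference:
            findings[rel] = ["unexpected"]
    return findings


def write_tree(root: Path, files: dict, mtime: int = FIXED_MTIME) -> None:
    """Write constructed files and pin their mtime so the reference is reproducible."""
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (mtime, mtime))


def demo() -> dict:
    """Build a clean tree and a tampered copy, then diff them. Returns compare()'s findings."""
    clean = {  # constructed stand-ins for system binaries
        "system32/a.dll": b"A" * 4096,
        "system32/c.exe": b"C" * 1024,
        "system32/drivers/b.sys": b"B" * 2048,
    }
    with tempfile.TemporaryDirectory() as tmp:
        ref_root, tgt_root = Path(tmp) / "clean", Path(tmp) / "suspect"
        write_tree(ref_root, clean)
        write_tree(tgt_root, clean)  # the suspect volume starts out identical

        # 1. In-place patch of a driver: same size, and the original mtime restored
        #    afterwards (timestomping). Only the hash still betrays it.
        p = tgt_root / "system32/drivers/b.sys"
        p.write_bytes(b"B" * 2040 + b"\xcc" * 8)
        os.utime(p, (FIXED_MTIME, FIXED_MTIME))

        # 2. Sloppy replacement: the binary grows and its mtime is left at "now",
        #    the size/modification-date inconsistency that a naive check catches.
        p = tgt_root / "system32/c.exe"
        p.write_bytes(clean["system32/c.exe"] + b"\x90" * 64)

        # 3. A planted file that exists nowhere in the reference.
        (tgt_root / "system32/d.dll").write_bytes(b"D" * 512)

        return compare(build_manifest(ref_root), build_manifest(tgt_root))


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(f"{path}: {', '.join(reasons)}")
```

Two points worth keeping in mind when using this against a real volume. First, mount the NTFS partition read-only from the Linux boot (plain `mount -o ro`) so the act of checking changes nothing the disk image could later be needed for; and since the Windows kernel is not running, any hooks a rootkit installed in it cannot filter what you see. Second, size and mtime are the cheap first pass, but a driver patched in place and timestomped (case 1 in `demo()`) shows up only in the hash column, which is why the reference manifest must come from a source you trust and not from the suspect machine itself.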
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
