I see. For some reason, I was thinking he couldn't see it in systemprocess, but now that I think about it, you are correct. So it was hiding but not very well, therefore not the true trojan/rootkit hybrid. Thanks Peter.
> -----Original Message-----
> From: Peter Kruse [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 21, 2004 11:33 AM
> To: Todd Towles; [EMAIL PROTECTED]
> Subject: SV: [SPAM] RE: [Full-Disclosure] interesting trojan found
>
> Hi Todd,
>
> >But if it is a rootkit, does it not hide from normal AV scanning?
>
> Nope, you'll see it in the systemprocess, but since it's active in memory, you won't be able to end it.
>
> The trojan is a RDBot variant (Spybot). Like other variants from this string, it spreads across local and remote networks. It uses several exploits to compromise unpatched MS Windows boxes, as well as searches for shares with weak passwords. When executed, it creates a mutex "[rxBot v0.6.5 pk + ftpd]". If another instance of this worm is already running, it will exit. The malware carries a backdoor that allows a malicious user to control the infected host through IRC channels. As stated in the first posting, it drops a copy of itself to the windows system folder. Next up it modifies the registry with several runas keys under the value "update run msword".
>
> This RDbot includes a keylogger that will log all keyboard activity and save this to a text file. A remote user can collect this information through IRC and possibly gain access to other services.
>
> ---
> Med venlig hilsen // Kind regards
>
> Peter Kruse, Voice: (+45) 88136030
> Security- and virusanalyst, Cel (+45) 28490532
> CSIS ApS Fax (+45) 28176030
> http://www.csis.dk E-mail [EMAIL PROTECTED]
>
> PGP fingerprint
> 79FD 0648 158E 6B9E 236F CFDA 7C58 64D6 BE83 FA60
>
> Combined Services & Integrated Solutions Gevno Gade 11a 4660 Store Heddinge, Denmark
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
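A host-side check for the two indicators Peter names, the mutex and the "update run msword" registry value, added here as an example for this thread and not code from either poster or from CSIS. It assumes the "runas keys" are the standard Run/RunOnce keys listed below and that "update run msword" is the value name stored under them; the message does not spell either out.

```powershell
# Added example: check a Windows host for the RDBot/Spybot indicators named in the
# quoted message. Assumptions: the "runas keys" are the standard Run-style keys
# below, and "update run msword" is the name of the value stored under them.
$MutexName = '[rxBot v0.6.5 pk + ftpd]'
$ValueName = 'update run msword'
$RunKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Test-RdbotMutex {
    # A live bot holds the mutex, so opening it by name succeeds. Access denied
    # also means it exists (held by another account), so treat that as present.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($MutexName)
        $m.Close()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}

function Get-RdbotRunEntries {
    # Report every Run-style key carrying the value name from the message,
    # together with the command it launches (the copy dropped in the system folder).
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains $ValueName)) {
            [PSCustomObject]@{ Key = $key; Command = $props.$ValueName }
        }
    }
}

$mutexPresent = Test-RdbotMutex
$entries      = @(Get-RdbotRunEntries)
Write-Output ("Mutex '{0}' present: {1}" -f $MutexName, $mutexPresent)
if ($entries.Count -gt 0) {
    $entries | Format-Table -AutoSize
} else {
    Write-Output "No Run-key value named '$ValueName' found."
}
```

The mutex check only sees names in the caller's session namespace, so run it in the session where the suspect process is live; the registry check works from any session that can read the keys.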
