Carilda A Thomas <[EMAIL PROTECTED]> wrote:
> I have been looking but I cannot find a list all in one
> place of the various illegitimate files that various worms
> and trojans install into Microsoft systems.

What'd really help here is a list of MD5 checks for "known bad" binaries. Obviously a custom build of sdbot or just a simple hexedit would defeat this, but such a list would still have value against automated attacks, etc.

> Perhaps I should clarify about this list thing: A friend
> of mine is apparently running a rogue email server and a
> rogue ftp server, and none of the virus checkers we have
> tried will determine what program or where. I looked for
> a Windows equivalent to lsof but there doesn't appear to
> be one -

Sysinternals has applications that, taken in combination, do much of what 'lsof' does under Unix. Specifically, tcpview (http://www.sysinternals.com/ntw2k/source/tcpview.shtml) will show you any listening sockets, the associated process, and the location from which the process launched. This should suffice to locate a rogue FTP service on a Windows PC.

> the one I found can only determine the program if
> it sees a packet go by and cannot find a quiescent
> program. The A/V checkers do not flag an email server,
> considering it a legitimate program. Task manager is also
> destroyed, so there is no help there. I was hoping to
> find a list of illegitimate files for which I could check.

Assuming the attacker is competent, the only way to "clean" a deeply compromised machine is to reformat the drive and start from scratch. The truly paranoid will question whether just formatting the drive is sufficient.

Kevin Kadow

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
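The "known bad" MD5 list that Kevin proposes, written out as an added example (not code from this thread), together with the caveat he raises: a one-byte hexedit of the same binary no longer matches. The file names, contents and hash list are all constructed for the demo.

```python
"""Scan a directory tree against a list of known-bad MD5 digests.
Added example for the Full-Disclosure thread above; nothing here is
real malware, the sample bytes and the hash list are constructed."""
import hashlib
import os
import tempfile


def md5_of_file(path: str) -> str:
    """Stream the file through MD5 so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, known_bad: dict) -> list:
    """Return (path, label) for every file under root whose MD5 is in known_bad."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            label = known_bad.get(md5_of_file(path))
            if label is not None:
                hits.append((path, label))
    return hits


def demo() -> dict:
    """Build a scratch tree with a 'known bad' file, the same file with one byte
    changed (the hexedit caveat from the post), and a benign file; return the hits."""
    payload = b"CONSTRUCTED-SAMPLE-BYTES-NOT-A-REAL-BINARY"
    known_bad = {hashlib.md5(payload).hexdigest(): "constructed-sample-bot"}  # constructed list
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "sample_bot.exe"), "wb") as f:
            f.write(payload)
        with open(os.path.join(root, "sample_bot_hexedited.exe"), "wb") as f:
            f.write(payload[:-1] + b"!")  # one-byte edit: digest no longer matches
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"benign text file")
        hits = scan_tree(root, known_bad)
    return {os.path.basename(p): label for p, label in hits}


if __name__ == "__main__":
    print(demo())  # {'sample_bot.exe': 'constructed-sample-bot'}
```

Only the unmodified copy is flagged; the hexedited copy and the benign file pass, which is exactly why such a list catches automated, off-the-shelf infections but not a custom build.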
