One question that I am pretty sure of the answer to is: did the users have
Admin or Power User status?  One person asked that question in the ISC
comments, and I think someone on this list just asked the same or a similar
question.  I have seen something similar, but when the popup appears a User can
go to Task Manager and kill the process, and it does not appear to get
infected.  At least in Vista.  All the users I have seen get infected by
various things were running as Administrator; on XP they don't even get a
popup telling them something is installing.  So far my Vista clients have
just closed out or restarted the machine and missed the bullet.

Jon

On Fri, Sep 4, 2009 at 12:06 PM, Tim Evans <[email protected]> wrote:

> Sans has a decent write up of what it does:
> http://isc.sans.org/diary.html?storyid=7066
>
>
> -----Original Message-----
> From: Ben Scott [mailto:[email protected]]
> Sent: Friday, September 04, 2009 8:33 AM
> To: NT System Admin Issues
> Subject: Re: Windows Police Pro
>
> On Fri, Sep 4, 2009 at 11:21 AM, Micheal Espinola
> Jr<[email protected]> wrote:
> > If you haven't heard of it already, start Googling it.
>
>  Got a link to decent tech info with, e.g., infection vectors and
> attack mechanisms?  All I find is removal instructions and the usual
> mass confusion in online forums (the same kind that are full of people
> asking if NTOSKRNL.EXE is a virus).
>
>  I'm particularly interested in whether it's exploiting any special
> security exposures, or if it's just your typical malware that depends
> on luser stupidity and admin rights to get into the computer.
>
> -- Ben
>
>  ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
