Hi Alison,

Similar problem, a variant of xpaj. File infection virus with heavy encryption.

It is spreading using mapped network shares and, from pcap logs, does not seem to be taking the approach of actively jumping hosts. It is not, as far as I can tell, using remote exploits. Its first action is to load and inject itself into svchost, explorer and really any process it can. This is what I'd like to stop to buy time; the easy way would be not to have administrative logins, but we are now long past that stage.

So I'm curious if there is a process to disable DLL injection, or set the NT loader lock, hook the debug APIs myself and disable them, or similar, to prevent it going resident. If not, I may try and take it on as a side project to see if I can come up with something.

Thanks,
Pat

On Mon, Oct 22, 2012 at 4:02 PM, allison nixon <[email protected]> wrote:
> >DLL injection
>
> What exactly are you talking about here? Is this an outbreak of some worm
> that abuses a Windows networking protocol? Like something Conficker-ish?
>
> Make sure a machine is patched against these vulnerabilities before
> putting them on the network. The latest patch ought to do it. Also using
> firewalls to block ports used by the vulnerable service should help.
>
> On Sun, Oct 21, 2012 at 11:25 PM, Pat <[email protected]> wrote:
>> Hi Guys,
>>
>> I'm pitching in to try and contain/slow/delay an outbreak while AV
>> signatures have a chance to catch up and lessons are being learned the hard
>> way.
>>
>> Are there any software tools available that can disable or block DLL
>> injection? This could help us slow down the spread.
>>
>> (It's far too late to suggest not running as admin in a 2k3 environment.)
>>
>> Regards,
>> Pat
>
> --
> _________________________________
> Note to self: Pillage BEFORE burning.
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
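As an added example (not from this thread, and not a tool either poster mentions), a PowerShell triage script in the spirit of Pat's question: it cannot block injection, but it lists, per process, every loaded module that lives outside the Windows and Program Files directories or on a UNC path, which is where a DLL pulled in over a mapped share tends to surface. The `$trusted` list and the `Test-TrustedPath` helper are names I chose; the assumptions (local admin, matching bitness) are noted in the comments.

```powershell
# Added example: hunt for DLLs loaded from outside trusted directories in every
# running process. A triage aid for an outbreak, not a blocker.
# Assumptions: run as a local administrator; a 32-bit PowerShell cannot read the
# module list of 64-bit processes, so those are silently skipped (see the catch).

$trusted = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLower() }

function Test-TrustedPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    $p = $Path.ToLower()
    if ($p.StartsWith('\\')) { return $false }     # UNC path: never trusted here
    foreach ($t in $trusted) {
        if ($p.StartsWith($t + '\')) { return $true }
    }
    return $false                                  # mapped drives, temp, user dirs, etc.
}

$findings = @()
foreach ($proc in Get-Process) {
    try { $mods = $proc.Modules } catch { continue } # protected or cross-bitness process
    foreach ($m in $mods) {
        if (-not (Test-TrustedPath $m.FileName)) {
            $findings += New-Object PSObject -Property @{
                Pid     = $proc.Id
                Process = $proc.ProcessName
                Module  = $m.ModuleName
                Path    = $m.FileName
            }
        }
    }
}

# svchost and explorer loading anything from a share or a user-writable directory
# is the pattern Pat describes; sort so those rows sit together.
$findings | Sort-Object Process, Pid | Format-Table Process, Pid, Module, Path -AutoSize
```

Legitimate third-party software installed outside Program Files will also appear, so run it once on a known-clean host and diff against that baseline rather than treating every row as an infection.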
