Deleting the Registry entry for a trojan only partially solves the problem. The Registry entry is usually used for persistence, so that the trojan will start up again upon reboot. If only the Registry entry is deleted, the trojan itself may still be running in memory. What needs to be done is that the admin needs to determine how the trojan got there in the first place, and then remove it completely. If the os and apps need to be reloaded from clean media, then the admin definitely needs to know how the trojan got there in the first place...otherwise, he's reinstalling the same holes and vulnerabilities all over again. --- Tom Gerritsen <jabbaat_private> wrote: > Op maandag 4 maart 2002 18:08, heeft Owen Creger > ons proberen te vertellen: > > rcon > > try to google > http://www.google.nl/search?q=rcon+trojan&hl=nl&lr= > > > I got this hit that you can use. > > http://www.glocksoft.com/trojan_list/Rcon_Recon_Xcon.htm > > Looks like some registry hacking. > Just go into regedit and press ctrl+f enter > runonce to search for. If he > finds it, above it you'll find the run key. > (searching for the word run > takes to long, because the registry is full of it... > ) Do this something like > 3 times, because the run key is used more then > once.. > > > > -- > GreetZz > Tom Gerritsen > jabbaat_private > > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS > analyzer service. > For more information on this free incident handling, > management > and tracking system please see: > http://aris.securityfocus.com > __________________________________________________ Do You Yahoo!? Try FREE Yahoo! Mail - the world's greatest free email! http://mail.yahoo.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 08:50:29 PST