Re: Rcon trojan

From: H C (keydet89at_private)
Date: Tue Mar 05 2002 - 05:38:07 PST


    Deleting the Registry entry for a trojan only
    partially solves the problem.  The Registry entry is
    usually used for persistence, so that the trojan will
    start up again upon reboot.  If only the Registry
    entry is deleted, the trojan itself may still be
    running in memory.  
    
    What needs to be done is that the admin needs to
    determine how the trojan got there in the first place,
    and then remove it completely.  If the OS and apps
    need to be reloaded from clean media, then the admin
    definitely needs to know how the trojan got there in
    the first place...otherwise, he's reinstalling the
    same holes and vulnerabilities all over again.
    
    --- Tom Gerritsen <jabbaat_private> wrote:
    > On Monday 4 March 2002 at 18:08, Owen Creger
    > tried to tell us:
    > > rcon
    > 
    > try to google 
    > http://www.google.nl/search?q=rcon+trojan&hl=nl&lr=
    > 
    > 
    > I got this hit that you can use.
    > 
    > http://www.glocksoft.com/trojan_list/Rcon_Recon_Xcon.htm
    > 
    > Looks like some registry hacking.
    > Just go into regedit and press ctrl+f   enter
    > runonce to search for. If he 
    > finds it, above it you'll find the run key. 
    > (searching for the word run 
    > takes too long, because the registry is full of it...
    > ) Do this something like 
    > 3 times, because the run key is used more than
    > once.. 
    > 
    > 
    > 
    > -- 
    > GreetZz
    > 			Tom Gerritsen
    > 			jabbaat_private
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS
    > analyzer service.
    > For more information on this free incident handling,
    > management 
    > and tracking system please see:
    > http://aris.securityfocus.com
    > 
    
    
    
    
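As an added example (not code from this thread or from either poster), a PowerShell script that approaches both replies from the defender's side: it enumerates the per-machine and per-user Run/RunOnce keys that Tom searches for in regedit and, for each value, reports whether the executable it points to is still running, which is the point H C makes about a deleted Registry entry leaving the process in memory. The function and variable names are my own, and the script assumes it is run in Windows PowerShell with rights to read HKLM and to query process image paths.

```powershell
# Added example, not from the thread: list Run/RunOnce autostart entries and
# show whether each referenced executable is still running as a process.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Provider metadata that Get-ItemProperty adds alongside the real values.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartTarget([string]$Command) {
    # Reduce a value such as '"C:\x\y.exe" /q' or '%SystemRoot%\z.exe' to its path.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    return ($cmd -split '\s+')[0]
}

function Get-AutostartStatus {
    # Index image paths of running processes; Path is $null for processes
    # the caller cannot open, so those are skipped.
    $running = @{}
    Get-Process | Where-Object { $_.Path } |
        ForEach-Object { $running[$_.Path.ToLowerInvariant()] = $_.Id }

    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $MetaProps -notcontains $_.Name }
        foreach ($p in $props) {
            $target = Get-AutostartTarget ([string]$p.Value)
            # Match is by full image path; a bare name resolved via PATH will not match.
            $procId = $running[$target.ToLowerInvariant()]
            [PSCustomObject]@{
                Key        = $key
                ValueName  = $p.Name
                Command    = $p.Value
                Target     = $target
                OnDisk     = ($target -ne '' -and (Test-Path -LiteralPath $target))
                RunningPid = $procId   # $null when no matching process is running
            }
        }
    }
}

Get-AutostartStatus | Format-Table -AutoSize
```

An entry whose target is missing on disk but whose process is still running is the case H C describes: the persistence value is gone while the code is still in memory, so the process (and the route by which it was installed) still has to be dealt with.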



    This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 08:50:29 PST