Sub7 (SubSeven), Win2k, and IE 5.5

From: Kirk Schafer (jogglieat_private)
Date: Wed Mar 20 2002 - 11:39:53 PST

    Hi all, 
    
    --- Note, I wrote this last week. If the list finally accepts it this time, please backdate the content several days ---
    
    I ran a search of the two groups I'm submitting to and found nothing. Within the last couple of days, my Windows 2000 Pro Workstation had Sub7 placed in the \WINNT\SYSTEM32 folder, as well as in the "Run" registry key. It never installed, because my system caught it. Since I am running the latest patches (as of two days ago, according to HFNETCHK), and I have a full-scale corporate AntiVirus product active and installed, I can't imagine how this sucker ended up on my hard drive. It was detected upon a reboot and login - somehow previously circumnavigating NAV CE's RealTime protection - and by the logs, it WAS ACTIVE. I don't have any world-accessible shares, and I am behind a stealth firewall NAT with non-routable IPs, and no NETBIOS routing. It is also not possible to disable NAV from the workstation - it's centrally managed, and frighteningly current. 
    
    The only thing I can figure is that someone figured out how to drop files from IE 5.5 (with all the latest patches) from script, but it isn't world-pervasive yet. Also, a month ago, a colleague was browsing the web, downloading Word files, and the exact same thing happened - the user saved from their "protected" station to a NetWare server, and (potentially) via some scripting, NAV's RealTime protection was skipped, although that protection was running. An hour later, it was found by the very same person when they accessed the file normally. Seems to point to IE again. Our trusted sites (zones) are well managed, and well, we're pretty well off. 
    
    Has anyone had similar experiences over the last week or month? 
    
    Thanks, 
    Kirk 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Wed Mar 20 2002 - 12:11:40 PST