Kirk,

A couple of questions, if you don't mind...

> Within the last couple of days,
> my Windows 2000 Pro Workstation had Sub7 placed in
> the \WINNT\SYSTEM32 folder, as well as the "Run"
> registry key. It never installed, because my system
> caught it.

When you say your "system caught it", are you referring to the A/V software? I'm curious as to the specifics of this, as I've written several articles and papers regarding how to protect against this sort of thing by using the DACLs and SACLs available on the system itself, in addition to A/V products.

> It was detected upon a reboot and
> login - somehow previously circumnavigating NAV CE's
> RealTime protection - by the logs, it WAS ACTIVE.

What logs are you referring to? EventLogs? If so, what entries are you referring to? Did you have auditing for Process Tracking enabled?

I've never seen what you've described... a well-known trojan making it onto a system, past all of the security measures you describe, as well as realtime A/V protection. I'd be interested in hearing more about the situation. Particularly, aside from the A/V software and HotFixes, what other security measures were circumvented? Did you happen to run PULIST.EXE to determine the owner of the process? Was the trojan listening on the default port?

Also, if you still have a copy of the .exe file, would you be willing to zip it up and send it to me?

Thanks

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
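The reply above asks how the "Run" registry key came to hold a Sub7 entry and what caught it. One defender-side check that answers that kind of question after the fact is a baseline comparison of the Run key's autostart entries. The following is an added example, not code from the original post or from either correspondent: it parses two exports in the text format regedit writes (a `[KEY]` header followed by `"Name"="Value"` lines) and reports entries that were added, removed or changed relative to a known-good export. Both exports, the entry names and the paths in them are constructed for illustration; they are not real indicators of Sub7 or of anything else.

```python
"""Compare a Run-key export against a known-good baseline to spot autostart
entries that were added or changed.

Added example, not from the original list post. Assumptions (mine): both inputs are
.reg text exports as regedit produces them ([KEY] header, then "Name"="Value"
lines, with backslashes and quotes escaped by a backslash). The sample exports
below are constructed; the names and paths are placeholders, not real indicators.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed baseline export, taken while the machine was known to be clean.
BASELINE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"vptray"="C:\\Progra~1\\NavNT\\vptray.exe"
'''

# Constructed current export: one entry changed, one unknown entry added.
CURRENT_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"vptray"="C:\\Progra~1\\NavNT\\vptray.exe /quiet"
"SystemTray"="C:\\WINNT\\SYSTEM32\\example_unknown.exe"
'''

# A value line is "name"="data"; the inner groups allow backslash escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
_KEY_RE = re.compile(r'^\[(.+)\]\s*$')


def _unescape(s):
    """Undo the .reg escaping of backslashes and double quotes."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text, key=RUN_KEY):
    """Return {name: value} for the string values stored directly under `key`."""
    values = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            # Only collect values while we are inside the key of interest.
            in_key = m.group(1).lower() == key.lower()
            continue
        if not in_key:
            continue
        m = _VALUE_RE.match(line)
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def diff_autostart(baseline_text, current_text):
    """Report Run-key entries added, removed or changed since the baseline export."""
    base = parse_reg_export(baseline_text)
    cur = parse_reg_export(current_text)
    added = {n: cur[n] for n in cur.keys() - base.keys()}
    removed = {n: base[n] for n in base.keys() - cur.keys()}
    changed = {n: (base[n], cur[n])
               for n in base.keys() & cur.keys() if base[n] != cur[n]}
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    report = diff_autostart(BASELINE_REG, CURRENT_REG)
    for kind, entries in report.items():
        for name, detail in entries.items():
            print(f"{kind:8} {name!r}: {detail}")
```

In practice the baseline export comes from the machine before the incident (or from an identically built reference machine), and any "added" entry pointing into \WINNT\SYSTEM32 is the first thing to check against the process list and the file's owner, which is the same question the reply raises about PULIST.EXE.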
This archive was generated by hypermail 2b30 : Wed Mar 20 2002 - 13:32:11 PST