Focus on Virus
stealth virus on explorer.exe Sep 28 2007 08:44AM
Isaac Perez Moncho (suscripcions tsolucio com) (4 replies)
RE: stealth virus on explorer.exe Sep 28 2007 04:33PM
Patrick Nolan (p nolan comcast net)
Your symptoms describe a process that is running in the same memory space as
the shell, Windows Explorer. How it is running there is usually one of two
scenarios, but usually the same method of process injection:
* something is loading as an accomplice to the shell Explorer
* something is loading at Windows startup/login

T.I.M. mentioned using autoruns, a nifty utility from the Sysinternals
group, now a part of Microsoft:
http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx

Use the 'Hide Signed Microsoft Entries' option to minimize what is displayed
and probably focus on the extraneous entries that are running via the registry.

There is a third option that probably isn't what's going on, but it is
possible that something infected Explorer.exe with code that performs the
routine(s) and gives the symptoms that you mention.

Regards,

Patrick Nolan
technical writer
Microsoft Corp

> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of T.I.M
> Sent: Friday, September 28, 2007 4:26 AM
> To: Isaac Perez Moncho; focus-virus (at) securityfocus (dot) com [email concealed]
> Subject: Re: stealth virus on explorer.exe
>
> use autoruns to see the complete Autoruns options in WINDOWS
> also try RunScanner
>
> On Fri, 28 Sep 2007 10:44:49 +0200, Isaac Perez Moncho
> <suscripcions (at) tsolucio (dot) com [email concealed]> wrote:
>
> > Hello all,
> > I have a computer infected with a virus that acts like this:
> > explorer.exe starts opening SMTP connections to several IPs and URLs
> > until it exceeds the TCP limit of Windows XP SP2.
> > If I kill explorer.exe and run it again from Task Manager the virus
> > doesn't run anymore until reboot.
> > It seems that the booting process of Windows passes a parameter to
> > explorer to launch the virus. But I haven't found anything interesting or
> > clear in the registry or boot.
> > I used NOD32 and Panda ActiveScan for cleaning with no result. I
> > also used Spybot, Ad-Aware and SUPERAntiSpyware with the same null result.
> >
> > Any ideas?
> >
> > Thanks
> >
>
>
>
> --
> ..:: T.I.M ::..
>
> --------------------------------------------------------------
> -------------
> This list is sponsored by: Black Hat
>
> Attend Black Hat USA, July 28-August 2 in Las Vegas, the
> world's premier technical event for ICT security experts.
> Featuring 30 hands-on training courses and 90 Briefings
> presentations with lots of new content and new tools.
> Network with 4,000 delegates from 70 nations. Visit product
> displays by 30 top sponsors in a relaxed setting.
>
> http://www.blackhat.com
> --------------------------------------------------------------
> -------------
>
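As an added triage example, not part of this thread and not Sysinternals code, the PowerShell below does by hand what Patrick's advice asks of Autoruns: it dumps the registry locations through which the shell or Winlogon can load an "accomplice", flags a Winlogon Shell value that is no longer plain explorer.exe, and then lists the modules inside explorer.exe that Microsoft did not sign (the same filter as 'Hide Signed Microsoft Entries'). It assumes an elevated session on a Windows with PowerShell 3 or later; the key list and the Microsoft-signer match are my choices, not an exhaustive Autoruns equivalent.

```powershell
# Added triage script (not from the thread or from Sysinternals). Read-only; run elevated.
# Registry locations from which the Explorer shell or Winlogon loads extra code.
# A value-name list restricts output to the interesting values; $null means show all values.
$autorunKeys = [ordered]@{
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'                 = @('Shell', 'Userinit')
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'                 = @('Shell')
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'                         = $null
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'                         = $null
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'       = $null
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' = $null
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'                  = @('AppInit_DLLs', 'LoadAppInit_DLLs')
}

Write-Host '== Shell / startup locations =='
foreach ($entry in $autorunKeys.GetEnumerator()) {
    $key = $entry.Key
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                      # provider metadata, not registry values
        if ($entry.Value -and $p.Name -notin $entry.Value) { continue }
        # Winlogon\Shell should be exactly "explorer.exe"; anything else starts with the shell.
        $flag = ''
        if ($p.Name -eq 'Shell' -and $p.Value -ne 'explorer.exe') { $flag = '   <-- modified Shell value' }
        '{0}\{1} = {2}{3}' -f $key, $p.Name, $p.Value, $flag
    }
}

Write-Host "`n== Modules loaded in explorer.exe that are not Microsoft-signed =="
# Same idea as Autoruns' "Hide Signed Microsoft Entries": hide what Microsoft signed, look at the rest.
# Caveat: on older Windows, catalog-signed OS files report NotSigned here, so verify hits before acting.
$modules = Get-Process -Name explorer -ErrorAction SilentlyContinue |
    ForEach-Object { try { $_.Modules | ForEach-Object { $_.FileName } } catch { } } |
    Sort-Object -Unique
foreach ($path in $modules) {
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        [pscustomobject]@{ Module = $path; Status = $sig.Status; Signer = $signer }
    }
}
```

Anything the second section prints is a lead to inspect, not a verdict: a legitimate third-party shell extension shows up here just as an injected module would.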


Copyright 2010, SecurityFocus