Focus on Virus
RE: stealth virus on explorer.exe Oct 12 2007 10:29PM
John Hall (securityfocus neovolo com)
This "virus" has much of the same behavior as the Nail.exe application that
I've found on multiple machines. Some suggestions I might make would be
(depending on your skill level):

1) If you are pretty comfortable in the registry, check out
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and
review the string value "Shell". I've seen applications tack themselves
onto this string and get executed along with Explorer. It is normally not
shown in the task manager either.

2) If you aren't comfortable in the registry, reboot the machine into
Safe Mode and see if it still occurs. Safe Mode is used because no user
startup tasks are evaluated, and if it is still running in Safe Mode, it's
a pretty safe bet it's loading either as a BHO, as a driver, or as part of
the shell.

If either of these two things proves to be the case, then to rid yourself of
it you will have to take some interesting steps. Evaluate what I've
provided and let us know. Thanks!

John Hall (securityfocus (at) neovolo (dot) com [email concealed])
Technological Solutions Team
Neovolo - New Life to Business Solutions(TM)
http://www.neovolo.com



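The two checks above (the Winlogon "Shell" value, and whether the thing is tied to the shell rather than to a user startup item) can be scripted so they are repeatable across the several machines mentioned. The script below is an added example and is not code from the poster or from this list; it assumes a Windows host with PowerShell 5.1 or later and an elevated prompt. It goes a little beyond the post: it also reads the per-user copy of the Winlogon key under HKEY_CURRENT_USER, which Windows honours in the same way, and it lists modules loaded into explorer.exe from outside %windir%, which is where a shell extension or BHO riding on Explorer would show up even though it has no process of its own in Task Manager.

```powershell
# Added example (not from the original post). Checks the Winlogon "Shell"
# value in both the machine and the per-user hive, reports whether the
# current boot is Safe Mode, and lists non-Windows DLLs inside explorer.exe.
# Assumption: Windows with PowerShell 5.1+, run elevated.

$ExpectedShell = 'explorer.exe'

# Both hives are consulted by Winlogon; the HKCU value is normally absent.
$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Test-WinlogonShell {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-ItemProperty -Path $Path -Name 'Shell' -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Key = $Path; Shell = '(absent)'; Verdict = 'ok (absent is normal for HKCU)' }
    }

    # The value is a comma-separated list of programs to launch as the shell.
    # Anything other than explorer.exe itself deserves a close look.
    $entries = ($item.Shell -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $extra   = $entries | Where-Object { $_ -ine $ExpectedShell }

    $verdict = if ($extra) { 'SUSPECT: extra shell entries -> ' + ($extra -join '; ') } else { 'ok' }
    [pscustomobject]@{ Key = $Path; Shell = $item.Shell; Verdict = $verdict }
}

function Get-BootState {
    # "Normal boot", "Fail-safe boot" (Safe Mode) or "Fail-safe with network boot".
    (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
}

function Get-ForeignExplorerModules {
    # DLLs mapped into explorer.exe whose file lives outside the Windows directory.
    # Legitimate third-party shell extensions land here too, so treat this as a
    # list of things to verify (publisher, signature, install date), not a verdict.
    $windir = $env:windir
    Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try { $mods = $proc.Modules } catch { $mods = @() }   # access denied for other sessions
        $mods | Where-Object { $_.FileName -and ($_.FileName -notlike "$windir\*") } |
            ForEach-Object {
                [pscustomobject]@{
                    PID     = $proc.Id
                    Module  = $_.ModuleName
                    Path    = $_.FileName
                    Company = $_.FileVersionInfo.CompanyName
                }
            }
    } | Sort-Object Path -Unique
}

Write-Host "Boot state: $(Get-BootState)"
Write-Host "`nWinlogon Shell values:"
$WinlogonKeys | ForEach-Object { Test-WinlogonShell -Path $_ } | Format-Table -AutoSize -Wrap

Write-Host "Modules loaded into explorer.exe from outside $($env:windir):"
$foreign = Get-ForeignExplorerModules
if ($foreign) { $foreign | Format-Table -AutoSize -Wrap } else { Write-Host '  (none)' }
```

Run it once in a normal boot and once in Safe Mode and compare: a Shell value that reads anything but "explorer.exe", or a module that is still present in Safe Mode, is the item to chase. Removing an entry from the Shell value should be done with the offending program's path noted first, since the binary itself and any service or driver that reloads it will still need to be dealt with.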
Copyright 2010, SecurityFocus