Incidents
Compromised Windows Server Jun 05 2006 07:27PM
Patrick Beam (patrick beam gmail com) (8 replies)
Re: Compromised Windows Server Jun 07 2006 02:19AM
Macleonard Starkey (macleonard auscert org au)
Re: Compromised Windows Server Jun 06 2006 03:20PM
Isaac Perez (suscripcions tsolucio com)
Re: Compromised Windows Server Jun 06 2006 03:09PM
Patrick Beam (patrick beam gmail com) (1 replies)
Re: Compromised Windows Server Jun 07 2006 02:10PM
Kees Leune (C J Leune uvt nl)
Re: Compromised Windows Server Jun 06 2006 11:32AM
Harlan Carvey (keydet89 yahoo com)
Re: Compromised Windows Server Jun 06 2006 08:09AM
Axel Pettinger (api worldonline de)
Re: Compromised Windows Server Jun 06 2006 02:39AM
Jason Ross (algorythm gmail com)
On 6/5/06, Patrick Beam <patrick.beam (at) gmail (dot) com [email concealed]> wrote:
> I believe that the ponoas.exe is some sort of rootkit although searching on
> google for this file name returns nothing. Also searching
> mwvsta.exe returns nothing. At this point I have removed these files
> from the system and registry but am wary that the server will get hit again. Has anyone
> had an experience with the following file or have any idea what rootkit or
> virus they are associated with?

I don't know about the ponoas.exe or msvsta.exe, but the rundll16.exe
is used in a few different worms/backdoors ... though not in
conjunction with the other two files that I can tell.

I'm fairly new to the security side of the IT house, so this is to be
taken with a healthy dose of skepticism, but presuming the symptoms of
known malware that uses rundll16.exe are not present (and that there
is a relationship between the mysterious processes and the rundll16
process) it may be that you have become infected with a new variant
(or a known one and the persons using it have loaded a new type of
malware onto the host) ...

Either case isn't likely to be much fun to deal with, I'm afraid =/


Re: Compromised Windows Server Jun 06 2006 02:38AM
pauls utdallas edu
Re: Compromised Windows Server Jun 06 2006 02:12AM
Jamie Riden (jamesr europe com)
Copyright 2010, SecurityFocus