Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Undetectable backdoor! help

from [Corey Watts-Jones] Network Security [Permanent Link]
Subject: RE: Undetectable backdoor! help
Date: Thu, 8 Dec 2005 08:28:14 -0500 
"HKLM\Software\Microsoft\Windows\Windows NT\Current Version\Winlogon"

In that key, you'll see an entry for the windows Shell. I've come across a
few viruses/spyware/adware programs that modify this reg. entry to make
their process load as part of the Windows shell (in XP at least). It should
say nothing other than "Explorer.exe" in the shell info, if you see
something like "Explorer.exe C:\Windows\System32\Nail.exe" or something like
that, you've got a problem. The processes can't be killed after the machine
has started up as it integrates itself into the shell. Same goes for other
Winlogon.exe entries. 

Something worth checking out. 

Corey Watts-Jones
BIT Incorporated
Systems Support Specialist

-----Original Message-----
From: Marco Monicelli [mailto:marco.monicelli@marcegaglia.com] 
Sent: Tuesday, December 06, 2005 11:39 AM
To: Technica Forensis
Cc: forensics@securityfocus.com; manda@ecrmeurope.com
Subject: Re: Undetectable backdoor! help
Importance: High

Actually, the virus you mentioned is not the one he's searching for.
Infact, the infected .exe he talk about is winlogon.exe and the one
mentioned in the link you provide is explorer.exe.

Moreover, if he tries many updated AV with no success, I bet it's pretty
tough that you find a description of it on a website. Beside, if you put
"winlogon.exe+backdoor" inside your Google friend, you'll have plenty of
results and my suggestion is to look at them in order to see if the one
that is infecting the computer it's just a so-called variant of a known
virus. A virus variant can be undetected when properly modded.

Just my 2 cents

Marco





                                                                           
             Technica Forensis                                             
             <forensis.technic                                             
             a@gmail.com>                                               To 
                                       "manda@ecrmeurope.com"              
             05/12/2005 21.10          <manda@ecrmeurope.com>              
                                                                        cc 
                                       forensics@securityfocus.com         
                                                                   Subject 
                                       Re: Undetectable backdoor! help     
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




http://www.avira.com/en/threats/TR_Proxy_Mitgl_DQ_1_details.html


On 2 Dec 2005 08:51:29 -0000, manda@ecrmeurope.com <manda@ecrmeurope.com>
wrote:

Recently I have been infected with SpySheriff spyware. I removed

everything, using tools like HiJackthis, AdAware, Ewido, Trojan Hunter,
Kaspersky Antivirus, Free-AV, A-squared. I then reinstalled Windows (XP
SP2) and updated it to the day.

However, I've found out that at random intervals, my computer was having

CPU spikes and network traffic coming from winlogon.exe. Further
examination shows it connects to https.manwithnoname.biz through http (port
80) then it starts mass mailing or doing whatever the scripts taken from
that site tell it to do. The process is winlogon.exe, but the file is
unmodified. Obviously I can't close the process, since it is a system
process. There is not a winlogon.exe in another directory than
windows\system32, there are no registry or startup keys that start anything
suspicious, yet this happends. Thousands of antivirus and antispyware
software fail to detect it and there is no google page that contains
https.manwithnoname.biz. Please help me out!

Thanks
[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Undetectable backdoor - DETECTED, Costin Manda
Next by Date:  Re: Undetectable backdoor - DETECTED, Michael Cecil
Previous by Thread:  Re: Undetectable backdoor! help, Marco Monicelli
Next by Thread:  Re: Undetectable backdoor! help, Daniel Horning
Indexes:  [Date] [Thread] [Top] [All Lists]