mailing list archives
Re: Hidden windows ports, files and services.
From: Mark Reis <mcr2z () cs virginia edu>
Date: Mon, 20 Dec 2004 17:01:14 -0500
I've discovered the answer to part 2 - the machine was infected by a
rootkit that was intercepting all of the system calls being issued by
Active Ports, fport and such. I actually found myself being quite
impressed by this kit. Even running Dependency Walker and comparing it
with my test machine was negative.
The first clue was when I was inspecting the attributes on the system
DLL, I found some discrepancies in the flags. This led to me ultimately
finding multiple duplicate DLLs in c:\windows\system32 called
somedll.dll.tmp. What it appeared to be doing was returning the sizes
and values of the original backed-up files - thus masking the true trojans.
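The check described above, written out as an added example (not code from the poster): for every NAME.dll that has a NAME.dll.tmp sibling, compare size and SHA-256, since a trojaned DLL whose backup reports the same size will still differ in content. The directory and file names are constructed for the demo; run it from clean boot media or against a mounted image, because on a live system a rootkit that hooks the file APIs can feed this script the same false sizes and contents it fed fport.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_tmp_shadows(directory) -> list:
    """Return (dll, tmp, same_size, same_hash) for every NAME.dll in
    `directory` that has a NAME.dll.tmp sibling, sorted by name."""
    directory = Path(directory)
    findings = []
    for tmp in sorted(directory.glob("*.dll.tmp")):
        dll = tmp.with_suffix("")  # strip ".tmp" -> NAME.dll
        if not dll.is_file():
            continue
        same_size = dll.stat().st_size == tmp.stat().st_size
        same_hash = sha256_of(dll) == sha256_of(tmp)
        findings.append((dll.name, tmp.name, same_size, same_hash))
    return findings


def suspicious(findings) -> list:
    """Pairs whose backup matches in size but not in content are the
    pattern the post describes: same reported size, different bytes."""
    return [f for f in findings if not f[3]]


def build_demo_dir() -> str:
    """Constructed sample directory (hypothetical names, not real DLLs):
    sample_a.dll was replaced by a same-sized file, its original kept as
    .dll.tmp; sample_b is an identical, benign leftover; sample_c has no .tmp."""
    d = Path(tempfile.mkdtemp())
    (d / "sample_a.dll").write_bytes(b"A" * 4096)
    (d / "sample_a.dll.tmp").write_bytes(b"B" * 4096)
    (d / "sample_b.dll").write_bytes(b"C" * 2048)
    (d / "sample_b.dll.tmp").write_bytes(b"C" * 2048)
    (d / "sample_c.dll").write_bytes(b"D" * 1024)
    return str(d)


if __name__ == "__main__":
    for dll, tmp, _size, _hash in suspicious(find_tmp_shadows(build_demo_dir())):
        print(f"content mismatch: {dll} vs {tmp}")
```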