Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Looking for a tool
From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 4 Mar 2004 12:57:09 -0800 (PST)


ok i was not speculating, this proecess is a win32
service. these types of images cannot be stopped by
a admin from the process manager, they have to be
stopped from the serives mmc under the
admininstative tools in contol panel. 

since this is exactly what the first post described
i said it was a service.

I'm subscribed to the list...and I never saw anything
from Paul to show that this is a service.  Is there a
Registry key?  Was there any enumeration via the SCM? 
 
Based on Paul's initial description, you're
correct...but as I pointed out, there isn't enough
hard information.  I've dealt with IR cases before
where the administrator swore that the malicious
process (an IRC bot) was "hidden" from the Task
Manager, when it was simply named something other than "maliciousIRCbot.exe".

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]