Security Basics mailing list archives
Re: Idiot_self+trojans+administrative privs = Disaster
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 5 Dec 2006 16:55:12 +0100
On 2006-12-01 wymerzp () sbu edu wrote:
> Anyway, I have a Trojan that I can't seem to get rid of: Trojan.Popuper.Downloader. This is the result of a Scan by Spyware Doctor Scan Results: (edited to just show location)
> C:\Program Files\BitTorrent\uninstall.exe
> C:\Program Files\CCleaner\uninst.exe
I'm not familiar with Spyware Doctor. Does the above mean it detected the trojan horse in those files?
> C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP233\A0427654.exe
That looks like a restore point of Windows' System Restore feature. Either the trojan horse managed to write itself to that location (or infect a file already present there), or it got there when System Restore created a restore point.
> I attempted to access the C:\System Volume Information... file but it would not allow me to access this;
By default the "System Volume Information" folder is accessible only by the user SYSTEM. However, as an administrator you can take ownership of that folder and assign access permissions to yourself. [...]
> I was considering running as System permissions to manually uninstall the restore location, but didn't want to give the Trojan any more power (Administrator is bad enough).
Anything running with admin privileges can assign itself any other privilege it might need, so although it would still have been unnecessary to run anything as SYSTEM, it wouldn't have made any difference.
> On the third time of removing and rebooting the infection is no longer being picked up by Spyware Doctor... My question that I pose to the online community is this: Do you think the infection is actually gone?
No.

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Lather. Rinse. Repeat.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
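The reply above explains that restore points under "System Volume Information" are normally readable only by SYSTEM, but that an administrator can take ownership and grant access in order to inspect what System Restore has preserved. The script below is an added example, not code from the thread or from either participant: it takes ownership of the folder for the Administrators group, grants read-only access rather than full control, and inventories the executables held in restore points with their SHA-256 hashes so they can be compared against the files a scanner flagged elsewhere on disk. It assumes a current Windows release with PowerShell 5 or later, an elevated session, the default drive layout, and the built-in takeown and icacls tools; the output path on the desktop is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). Assumes an elevated
# PowerShell 5+ session on a current Windows release.

$svi = 'C:\System Volume Information'

# 1. By default only SYSTEM can read this folder. Give ownership to the
#    Administrators group (/A) recursively (/R), answering "yes" to prompts
#    (/D Y), then grant read+execute only, inherited to subfolders and files.
takeown /F $svi /A /R /D Y | Out-Null
icacls $svi /grant 'Administrators:(OI)(CI)RX' /T | Out-Null

# 2. Each restore point lives under _restore{GUID}\RP<n>. The A0xxxxxx.exe
#    entries are copies of executables captured when the point was created,
#    which is how a previously removed file can survive a cleanup.
$inventory = Get-ChildItem -Path $svi -Recurse -Include *.exe -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            Size          = $_.Length
            LastWriteTime = $_.LastWriteTime
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

$inventory | Format-Table -AutoSize

# 3. Keep the inventory so hashes can be matched against the flagged files
#    in Program Files and against the scanner's detection names later.
$out = Join-Path $env:USERPROFILE 'Desktop\restore-point-exes.csv'
$inventory | Export-Csv -Path $out -NoTypeInformation
Write-Host "Wrote $($inventory.Count) entries to $out"
```

Granting only RX keeps the change to the folder's ACL as small as possible while still allowing enumeration and hashing. Individual files inside a restore point are not meant to be edited by hand; the supported way to discard restore points that contain malware is to turn System Restore off (which purges all existing points) and then back on, which is also what the Microsoft article linked above recommends as part of a clean rebuild.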