Security Incidents mailing list archives

Re: Sub7 (SubSeven), Win2k, and IE 5.5


From: H C <keydet89 () yahoo com>
Date: Wed, 20 Mar 2002 13:27:39 -0800 (PST)

Kirk,

A couple of questions, if you don't mind...

> Within the last couple of days,
> my Windows 2000 Pro Workstation had Sub7 placed in
> the \WINNT\SYSTEM32 folder, as well as the "Run"
> registry key. It never installed, because my system
> caught it.

When you say your "system caught it", are you
referring to the A/V software?  I'm curious as to the
specifics of this, as I've written several articles
and papers regarding how to protect against this sort
of thing by using the DACLs and SACLs available on the
system itself, in addition to A/V products.

> It was detected upon a reboot and
> login - somehow previously circumnavigating NAV CE's
> RealTime protection - by the logs, it WAS ACTIVE.

What logs are you referring to?  EventLogs?  If so,
what entries are you referring to?  Did you have
auditing for Process Tracking enabled?

I've never seen what you've described...a well-known
trojan making it onto a system, past all of the
security measures you describe, as well as realtime
A/V protection.  I'd be interested in hearing more
about the situation.  Particularly, aside from the A/V
software and HotFixes, what other security measures
were circumvented?  Did you happen to run PULIST.EXE
to determine the owner of the process?  Was the trojan
listening on the default port?  

Also, if you still have a copy of the .exe file, would
you be willing to zip it up and send it to me?

Thanks



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
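A defender-side check for the two persistence points described in the thread (a binary dropped into SYSTEM32 and an entry under the "Run" key), plus the SACL on SYSTEM32 that H C refers to. This is an added example, not code from the thread; it assumes a current Windows host with PowerShell run elevated (Win2k of 2002 had no PowerShell), and the Resolve-RunTarget helper is a construction of this example.

```powershell
# Added example: enumerate Run/RunOnce persistence entries and report, for each
# target binary, where it lives, when it was created and whether it carries a
# valid Authenticode signature. Then list the audit rules (SACL) on System32.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Resolve-RunTarget {
    # Hypothetical helper: strip quoting and arguments, keep the executable path.
    param([string]$Command)
    if ($Command -match '^"([^"]+)"') { return $matches[1] }
    return ($Command -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # registry provider metadata
        $target = [Environment]::ExpandEnvironmentVariables((Resolve-RunTarget $p.Value))
        $info = [ordered]@{
            Key        = $key
            Name       = $p.Name
            Target     = $target
            Exists     = Test-Path -LiteralPath $target
            InSystem32 = $target -like "$env:SystemRoot\System32\*"
            Created    = $null
            Signature  = 'n/a'
        }
        if ($info.Exists) {
            # A freshly created, unsigned binary in System32 is what the thread describes.
            $info.Created   = (Get-Item -LiteralPath $target).CreationTime
            $info.Signature = (Get-AuthenticodeSignature -FilePath $target).Status
        }
        [pscustomobject]$info
    }
}

# Audit rules on System32: with no SACL here, a file drop produces no object-access event.
(Get-Acl -Path "$env:SystemRoot\System32" -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags
```

Reading the SACL needs SeSecurityPrivilege, so Get-Acl -Audit fails in a non-elevated session.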
