lists.openwall.net
Open Source and information security mailing list archives
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: tvm.exe / poll each.exe / blehdefyreal toolbar

Mark,
 
> The idea here is to learn something from it. Reformatting the system is
> a good idea, but before that takes place it'd be nice to learn what the
> thing actually is and how it works.

"Once you understand the nature of a thing, you know
what it's capable of." - Blade

> This thing respawns itself without a reboot. Loading Tiny Personal
> Firewall apparently prevents it from respawning. TPF does something
> about preventing code from being injected into a process, so maybe
> that's why TPF keeps it at bay.

OK, so it performs DLL injection.  Does the user account being used on
the system have the privilege to debug programs?
 
> This isn't on any system I use or manage. It's on a colleague's system
> and I am trying to help find a way to figure out what it does, how to
> get it shut down permanently, removed if possible.

I'll provide some input on this.  First, run several tools to get
information from the system: pslist/tlist/handle/listdlls to get process
information, openports to get process-to-port mapping info (use both
'-netstat' and '-fport' switches).  Check the usual Registry entries where
this stuff likes to hide, and map unusual entries there to DLLs injected
into processes, if this is what's happening.

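The triage steps in the reply above (process list, loaded DLLs, process-to-port mapping, the usual Registry autostart locations, plus the SeDebugPrivilege question) collected into one script. This is an added example, not part of the original post and not Harlan's or the Sysinternals tools' code: it uses built-in PowerShell cmdlets in place of pslist/listdlls/openports, and assumes a current Windows (8 or later, PowerShell 5.1) run from an elevated prompt so that module lists and socket owners are readable for every process. The `$trustedRoots` list is an assumption used only to flag DLLs for a closer look, not to declare them malicious.

```powershell
# Added triage script (example, not from the original post). Assumes an
# elevated PowerShell 5.1 session on Windows 8+. Inaccessible (protected)
# processes are skipped rather than aborting the scan.
$ErrorActionPreference = 'SilentlyContinue'

# 0. Does this account hold SeDebugPrivilege? Injecting into another user's
#    processes generally needs it; a plain user account normally lacks it.
$priv = (whoami /priv /fo csv | ConvertFrom-Csv) |
    Where-Object { $_.'Privilege Name' -eq 'SeDebugPrivilege' }
'SeDebugPrivilege: {0}' -f $(if ($priv) { $priv.State } else { 'not held' })

# 1. Process tree with image path and command line (pslist/tlist equivalent).
'--- processes ---'
Get-CimInstance Win32_Process | Sort-Object ProcessId |
    Format-Table ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine -AutoSize

# 2. Loaded modules outside the usual system locations (listdlls equivalent).
#    One DLL loaded from %TEMP% or the user profile into several unrelated
#    processes is the classic footprint of an injected module.
'--- modules loaded from outside trusted roots (assumed list) ---'
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
$suspect = foreach ($p in Get-Process) {
    $mods = try { $p.Modules } catch { @() }
    foreach ($m in $mods) {
        $trusted = $false
        foreach ($root in $trustedRoots) { if ($m.FileName -like "$root*") { $trusted = $true } }
        if (-not $trusted) {
            [pscustomobject]@{ PID = $p.Id; Process = $p.ProcessName; Module = $m.FileName }
        }
    }
}
$suspect | Sort-Object Module | Format-Table -AutoSize
'--- same untrusted module present in more than one process ---'
$suspect | Group-Object Module | Where-Object Count -gt 1 |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Sockets mapped to their owning process (openports -netstat/-fport equivalent).
'--- sockets ---'
$tcp = Get-NetTCPConnection | Where-Object { $_.State -in 'Listen','Established' } |
    ForEach-Object {
        [pscustomobject]@{
            Proto = 'TCP'; Local = "$($_.LocalAddress):$($_.LocalPort)"
            Remote = "$($_.RemoteAddress):$($_.RemotePort)"; PID = $_.OwningProcess
            Process = (Get-Process -Id $_.OwningProcess).ProcessName
        }
    }
$udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{
            Proto = 'UDP'; Local = "$($_.LocalAddress):$($_.LocalPort)"; Remote = '*'
            PID = $_.OwningProcess
            Process = (Get-Process -Id $_.OwningProcess).ProcessName
        }
    }
@($tcp) + @($udp) | Sort-Object PID | Format-Table -AutoSize

# 4. Registry locations where this kind of thing persists. Run/RunOnce,
#    Winlogon and AppInit_DLLs values are printed as stored; BHO, IE toolbar
#    and ShellExecuteHooks entries are CLSIDs, so each is resolved to its DLL
#    through HKCR\CLSID\{clsid}\InprocServer32.
'--- autostart values ---'
$valueKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'   # holds AppInit_DLLs
)
foreach ($k in $valueKeys) {
    (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { '{0}  {1} = {2}' -f $k, $_.Name, $_.Value }
}
'--- COM hooks into Explorer/IE (BHOs, toolbars, ShellExecuteHooks) ---'
$clsidKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)
foreach ($k in $clsidKeys) {
    # BHO/ShellExecuteHooks register CLSIDs as subkeys; Toolbar uses value names.
    $ids = @((Get-ChildItem -Path $k).PSChildName) +
           @((Get-ItemProperty -Path $k).PSObject.Properties | ForEach-Object Name)
    foreach ($id in ($ids | Where-Object { $_ -like '{*}' } | Sort-Object -Unique)) {
        $dll = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$id\InprocServer32").'(default)'
        '{0}  {1} -> {2}' -f $k, $id, $dll
    }
}
```

Compare the output across the three views: a module that shows up in step 2 inside several processes, whose path is what an autostart value or a resolved CLSID in step 4 points at, and whose host process owns an unexpected socket in step 3, is the DLL-to-Registry mapping the reply above asks for. Run it once, then again after killing the process, to see whether the respawn comes from a Registry entry or from code still resident in another process.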