| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4138D1FF.2060104@tiscali.it> From: scenobro at tiscali.it (Scenobro) Subject: Where to submit a suspected trojan or virus? Harlan Carvey wrote: >The fact that there's a copy of this Explorer.exe in >System32 may be an issue. > >Was there an application running? Was there a >Registry entry related to this file? If so, which >one? How about another autostart location? > >What do you mean by "I believe take precedence over >the real explorer.exe"? how so? > > > Well, actually I discovered it, using autoruns from sysinternals. The registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell had simply the value "Explorer.exe" and autoruns showed as the image path: "c:\windows\system32\explorer.exe" Autoruns also showed the icon of the file and it was the wrong icon, it had the icon of internet explorer not explorer. This led me to search for the real explorer.exe and google confirmed that the right location is c:\windows. Once deleted the fake explorer.exe from system32 autoruns showed the right image path and the right icon. Today I sent it to kaspersky lab and they said it's a simple trojan-downloader. I think that the fake explorer.exe call the real one after having downloaded his trojan. The problem now is that the file it downloads is no more avalaible (it was at "http://www.getupdate.com/TestDownload.exe") and I can't tell if I have downloaded it and in such case what does it do...
Powered by blists - more mailing lists