This is not good at all...
#1
Posted 09 March 2002 - 07:11 PM
*WARNING* Save your work before following this link or it will be lost if you use XP. It will make you log off and will close all applications...
http://www.krypton3d.com/xp
Can't find any patch for this use of cmd.exe over at MS, hope they post one soon...
What I would like to know is, does your AV-software detect this?
Mine does not - Norton Corp 7.60
/Toby
#3
Posted 09 March 2002 - 08:44 PM
Mine didn't either (McAfee Corp. 4.5.1) but this isn't a function of virus scanners. This is more of a command being issued to a program from within the program itself. It's a lot like when all those people that had their IIS servers attacked by Code Red/CRII and wound up getting infected. They wondered why their AV software (or firewalls) didn't protect them; it wasn't their job, that's why. The ability to execute this instruction will have to be patched by MS on this one.
#4
Posted 09 March 2002 - 08:55 PM
Yeah I know it's up to MS. But since I read that F-Secure detects it as: Exploit.CodeBaseExec, I was interested in what other AV-scanners could do
/Toby
#5
Posted 09 March 2002 - 09:36 PM
I'm surprised that any would, but hey more power to them. Do you think that this was just some sort of signature-type update, or a behavior watching function? And if it was looking for this type of behavior, I wonder how it would tell the difference between something annoying/hostile and an intended behavior, like something set up on an Intranet or some sort of maintenance site.
#6
Posted 09 March 2002 - 09:48 PM
I really don't know, but it's my guess that it monitors temporary internet files for a spawn of a command shell but that's just a guess. I have not seen this myself, it's just what I was told by a guy running F-Secure. I'll check if there's a trial and try it myself
Got nothing better to do anyway, just trying to ignore my hangover
/Toby
#7
Posted 09 March 2002 - 10:55 PM
Ok, I tried it... It pops up with a warning and then logs me off 
So it caught it but couldn't do anything about it. Reinstalling NAV Corp...
From EventLog:
Event Type: Error
Event Source: F-Secure Anti-Virus
Event Category: None
Event ID: 103
Date: 2002-03-09
Time: 20:50:24
User: N/A
Computer: BTE1
Description:
2 2002-03-09 20:50:24+02:00 bte1 BTE1\Toby F-Secure Anti-Virus
Malicious code found in file C:\Documents and Settings\Toby\Local Settings\Temporary Internet Files\Content.IE5\XMHHK7FI\xp[1].htm.
Infection: Exploit.CodeBaseExec
Action: none.
/Toby
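The event log in the post above records a detection with `Action: none`, i.e. the scanner flagged the cached page but did not stop it. As an added example (not part of the thread), this Python code parses records in that format and lists the ones that were detected but not remediated; the header field layout is an assumption and the second sample record is constructed.

```python
import re

# First record is the one quoted in the post above; the second is constructed
# (made-up host, user, file, name and action) to show the remediated case.
SAMPLE = r"""2 2002-03-09 20:50:24+02:00 bte1 BTE1\Toby F-Secure Anti-Virus
Malicious code found in file C:\Documents and Settings\Toby\Local Settings\Temporary Internet Files\Content.IE5\XMHHK7FI\xp[1].htm.
Infection: Exploit.CodeBaseExec
Action: none.
2 2002-03-09 21:05:00+02:00 host2 HOST2\Example F-Secure Anti-Virus
Malicious code found in file C:\Temp\constructed.htm.
Infection: Constructed.Sample
Action: deleted.
"""

# Assumed layout: "<n> <date> <time> <host> <DOMAIN\user> <product>", then detail lines.
HEADER = re.compile(r"^\d+ (\S+ \S+) (\S+) (\S+) (.+)$")
FILE = re.compile(r"^Malicious code found in file (.+)\.$")


def parse_alerts(text):
    """Split the description text into one dict per alert record."""
    alerts, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        head = HEADER.match(line)
        if head:
            cur = dict(zip(("time", "host", "user", "product"), head.groups()))
            alerts.append(cur)
        elif cur is not None:
            found = FILE.match(line)
            if found:
                cur["file"] = found.group(1)
            elif line.startswith(("Infection:", "Action:")):
                key, value = line.split(":", 1)
                cur[key.lower()] = value.strip().rstrip(".")
    return alerts


def triage(text):
    """Return alerts that were detected but not acted on, tagged by origin."""
    open_alerts = []
    for a in parse_alerts(text):
        if a.get("action", "none").lower() == "none":
            cached = "\\temporary internet files\\" in a.get("file", "").lower()
            open_alerts.append({**a, "web_delivered": cached})
    return open_alerts


if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a["time"], a["user"], a["infection"], a["file"], a["web_delivered"])
```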
#8
Posted 10 March 2002 - 01:16 AM
LOL. Well, Outlook then "catches" it for me as well, since it asks me to close out any applications before shutdown.
#10
Posted 10 March 2002 - 03:02 AM
Yeah I had Outlook running too hehe.
But it's no different than the Windows Update script that does the same thing