Posted by Panda_man on December 8, 2006, 10:41 am
"James Hawkins" wrote:
> On Wed, 6 Dec 2006 13:41:00 -0800, Panda_man
>
> >Hello. Why do you think that this particular page exploits this
> >vulnerability? The VML exploit is definitely patched. To me, personally,
> >this name (Troj/DwnLdr-FSA) means nothing. It can be a regular trojan
> >downloader
>
> I am not completely certain, as you should be able to tell from my
> note. However, visiting the page causes the installation of a service
> named !!!!, which installs a driver called hide_evr2.sys, which does
> the rootkit part. It copies a file called 9129837.exe to c:\windows
> and adds entries to the registry to run the service and the exe on
> startup. The driver hooks the system sufficiently to make the
> registry entries and the two files invisible to Explorer and Regedit,
> but not to cmd.exe (probably a bug in the rootkit part).
>
> The reason I suspected the VML exploit is this:
> http://www3.ca.com/blogs/posting.aspx?id=90744&pid=93273&date=2006/9
>
> Regardless of whether this is specifically a VML exploit, it almost
> certainly illustrates a current Windows vulnerability. I was hoping
> someone could point to some MS documentation on this as I can't find
> any.
>
Sorry for the late response. It seems you know more than me about this
threat.
I noticed you have discussed the problem with David; you are in good hands
:) :)
--
Panda_man
Silver level Contributor