Compatible Support Forums
Toby

This is not good at all...

*WARNING* Save your work before following this link or it will be lost if you use XP. It will make you log off and will close all applications...

http://www.krypton3d.com/xp

Can't find any patch for this use of cmd.exe over at MS, hope they post one soon...

What I would like to know is, does your AV-software detect this?

Mine does not - Norton Corp 7.60

/Toby


Mine didn't either (McAfee Corp. 4.5.1) but this isn't a function of virus scanners. This is more of a command being issued to a program from within the program itself. It's a lot like when all those people that had their IIS servers attacked by Code Red/CRII and wound up getting infected. They wondered why their AV software (or firewalls) didn't protect them; it wasn't their job, that's why. The ability to execute this instruction will have to be patched by MS on this one.


Yeah I know it's up to MS. But since I read that F-Secure detects it as: Exploit.CodeBaseExec, I was interested in what other AV-scanners could do :)

/Toby


I'm surprised that any would, but hey more power to them. Do you think that this was just some sort of signature-type update, or a behavior watching function? And if it was looking for this type of behavior, I wonder how it would tell the difference between something annoying/hostile and an intended behavior, like something set up on an Intranet or some sort of maintenance site.


I really don't know, but it's my guess that it monitors temporary internet files for a spawn of a command shell but that's just a guess. I have not seen this myself, it's just what I was told by a guy running F-Secure. I'll check if there's a trial and try it myself :)

Got nothing better to do anyway, just trying to ignore my hangover :D

/Toby


Ok, I tried it... It pops up with a warning and then logs me off :D

So it caught it but couldn't do anything about it. Reinstalling NAV Corp...

From EventLog:

Event Type: Error
Event Source: F-Secure Anti-Virus
Event Category: None
Event ID: 103
Date: 2002-03-09
Time: 20:50:24
User: N/A
Computer: BTE1
Description:
2 2002-03-09 20:50:24+02:00 bte1 BTE1\Toby F-Secure Anti-Virus
Malicious code found in file C:\Documents and Settings\Toby\Local Settings\Temporary Internet Files\Content.IE5\XMHHK7FI\xp[1].htm.
Infection: Exploit.CodeBaseExec
Action: none.

/Toby


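The event record in the post above shows a detection whose recorded action is "none", with the flagged file sitting in the browser cache. As an added example (not part of the original thread and not F-Secure's own tooling), this Python script parses that event text and flags both conditions for triage; the function names and finding labels are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Excerpt of the event text posted in the thread above (Event ID 103).
SAMPLE_EVENT = r"""Event Source: F-Secure Anti-Virus
Event ID: 103
Description:
2 2002-03-09 20:50:24+02:00 bte1 BTE1\Toby F-Secure Anti-Virus
Malicious code found in file C:\Documents and Settings\Toby\Local Settings\Temporary Internet Files\Content.IE5\XMHHK7FI\xp[1].htm.
Infection: Exploit.CodeBaseExec
Action: none.
"""

# The path ends at the sentence's final period, which is not part of the name.
FOUND_RE = re.compile(r"^Malicious code found in file (?P<path>.+?)\.?[ \t]*$", re.M)
FIELD_RE = re.compile(
    r"^(?P<key>Infection|Action|Event ID|Event Source):[ \t]*(?P<val>.+?)[ \t]*$", re.M
)
# Action values treated as "nothing was done" (hypothetical list; an absent
# or empty Action field is treated the same way).
NO_REMEDIATION = {"", "none", "no action"}


def parse_av_event(text):
    """Return the detection fields of one event record as a dict."""
    fields = {
        m["key"].lower().replace(" ", "_"): m["val"].rstrip(".")
        for m in FIELD_RE.finditer(text)
    }
    found = FOUND_RE.search(text)
    fields["path"] = found["path"] if found else None
    return fields


def triage(event):
    """List the reasons this detection still needs a human to look at it."""
    findings = []
    if event.get("infection") and event.get("action", "").lower() in NO_REMEDIATION:
        findings.append("detected-not-remediated")
    path = event.get("path")
    parts = [p.lower() for p in PureWindowsPath(path).parts] if path else []
    if "temporary internet files" in parts:
        findings.append("delivered-via-browser-cache")
    return findings


if __name__ == "__main__":
    event = parse_av_event(SAMPLE_EVENT)
    print(event["infection"], "->", triage(event))
```
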
LOL. Well, Outlook then "catches" it for me as well, since it asks me to close out any applications before shutdown. :D


Yeah I had Outlook running too hehe.

But it's no different than the Windows Update script that does the same thing.
