Toby 0 Posted March 9, 2002

*WARNING* Save your work before following this link or it will be lost if you use XP. It will make you log off and will close all applications...

http://www.krypton3d.com/xp

Can't find any patch for this use of cmd.exe over at MS, hope they post one soon... What I would like to know is, does your AV software detect this? Mine does not - Norton Corp 7.60

/Toby

sapiens74 0 Posted March 9, 2002

My AV didn't, neither did my Norton Internet Security.

clutch 1 Posted March 9, 2002

Mine didn't either (McAfee Corp. 4.5.1) but this isn't a function of virus scanners. This is more of a command being issued to a program from within the program itself. It's a lot like when all those people that had their IIS servers attacked by Code Red/CRII and wound up getting infected. They wondered why their AV software (or firewalls) didn't protect them; it wasn't their job, that's why. The ability to execute this instruction will have to be patched by MS on this one.

Toby 0 Posted March 9, 2002

Yeah, I know it's up to MS. But since I read that F-Secure detects it as Exploit.CodeBaseExec, I was interested in what other AV scanners could do.

/Toby

clutch 1 Posted March 9, 2002

I'm surprised that any would, but hey, more power to them. Do you think that this was just some sort of signature-type update, or a behavior-watching function? And if it was looking for this type of behavior, I wonder how it would tell the difference between something annoying/hostile and an intended behavior, like something set up on an intranet or some sort of maintenance site.

Toby 0 Posted March 9, 2002

I really don't know, but it's my guess that it monitors temporary internet files for a spawn of a command shell, but that's just a guess. I have not seen this myself, it's just what I was told by a guy running F-Secure. I'll check if there's a trial and try it myself. Got nothing better to do anyway, just trying to ignore my hangover.

/Toby

Toby 0 Posted March 9, 2002

Ok, I tried it... It pops up with a warning and then logs me off. So it caught it but couldn't do anything about it. Reinstalling NAV Corp...

From EventLog:

Event Type: Error
Event Source: F-Secure Anti-Virus
Event Category: None
Event ID: 103
Date: 2002-03-09
Time: 20:50:24
User: N/A
Computer: BTE1
Description: 2 2002-03-09 20:50:24+02:00 bte1 BTE1\Toby F-Secure Anti-Virus Malicious code found in file C:\Documents and Settings\Toby\Local Settings\Temporary Internet Files\Content.IE5\XMHHK7FI\xp[1].htm. Infection: Exploit.CodeBaseExec Action: none.

/Toby

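The event quoted in the post above records a detection with "Action: none": the scanner named the page but the logoff still happened. The following Python script is an added example, not part of the original thread and not F-Secure's own tooling; it parses that description format and ranks alerts by whether anything was done. The field layout is inferred from that single record, and the `triage` function, the priority labels, and the second and third sample records (including the action value "renamed") are assumptions made for illustration.

```python
import re

# Field layout inferred from the single F-Secure event quoted in the thread;
# it is an assumption, not vendor documentation.
ALERT_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<user>\S+) F-Secure Anti-Virus "
    r"Malicious code found in file (?P<path>.+?)\. "
    r"Infection: (?P<infection>\S+) Action: (?P<action>[^.]+)\."
)
CACHE_MARKER = "\\temporary internet files\\"

def triage(description):
    """Parse one event description; return None if it is not an alert."""
    m = ALERT_RE.search(description)
    if m is None:
        return None
    alert = m.groupdict()
    alert["from_browser_cache"] = CACHE_MARKER in alert["path"].lower()
    alert["unremediated"] = alert["action"].strip().lower() == "none"
    if alert["unremediated"] and alert["from_browser_cache"]:
        alert["priority"] = "high"    # page was fetched and nothing stopped it
    elif alert["unremediated"]:
        alert["priority"] = "medium"  # detected, but the file was left alone
    else:
        alert["priority"] = "low"     # the scanner reports that it acted
    return alert

# First record: the description text from the post. The other two are
# constructed, and "renamed" is a hypothetical action value.
SAMPLES = [
    r"2 2002-03-09 20:50:24+02:00 bte1 BTE1\Toby F-Secure Anti-Virus Malicious code "
    r"found in file C:\Documents and Settings\Toby\Local Settings\Temporary Internet "
    r"Files\Content.IE5\XMHHK7FI\xp[1].htm. Infection: Exploit.CodeBaseExec Action: none.",
    r"2 2002-03-10 09:15:02+02:00 ws02 WS02\alice F-Secure Anti-Virus Malicious code "
    r"found in file C:\Downloads\page.htm. Infection: Exploit.CodeBaseExec Action: renamed.",
    r"1 2002-03-10 09:20:00+02:00 ws02 Service started.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        alert = triage(sample)
        if alert:
            print(alert["priority"], alert["host"], alert["user"],
                  alert["infection"], alert["path"])
```
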
clutch 1 Posted March 9, 2002

LOL. Well, Outlook then "catches" it for me as well, since it asks me to close out any applications before shutdown.

sapiens74 0 Posted March 10, 2002

Yeah, I had Outlook running too, hehe. But it's no different than the Windows Update script that does the same thing.