[Z] Follow up: Nasty new parasite
Author: Flying (Level: 18 - 华新水车, Posts: 16849) Posted: 2004-06-08 18:00:20  Original poster
<From Spyware Weekly Newsletter>

Last month, I warned about a nasty new parasite (http://www.spywareinfo.net/may18,2004#parasite) that had been discovered. This parasite hides itself from Windows, is nearly impossible to detect and nearly impossible to remove.

It turns out our new parasite is protected by an open source NT rootkit called Hacker Defender. Hacker Defender installs a device driver which hooks the Windows API. This allows it to hide a directory with a particular name while allowing files to exist there, hide open ports from a port scanner while allowing connections to and from that port, hide processes in memory from process managers, along with other cute tricks. Anything protected by Hacker Defender is a real pain to find and remove.

There is a possible method for removing this thing easily. This information is from a member of our message board who prefers to remain nameless. No guarantees that this will work.

In order to detect whether you are infected by HackDefender, please download this utility: http://bagpuss.swan.ac.uk/comms/RKDetectorv0%5B1%5D.62.zip

If you are infected you can try the following: If your system drive (usually C:) is formatted with the FAT32 file system, simply create a bootable floppy, boot from it, and delete the directory from the command prompt.

If your system drive is formatted with the NTFS file system, download Bart's PE builder from http://www.nu2.nu/pebuilder/ in order to create a pre-installed environment CD image. Burn that image and boot using the CD, then use the utilities inside the PE in order to delete this folder.

You can read more on HackDefender here: http://bagpuss.swan.ac.uk/comms/hxdef.htm

It's also worth mentioning that if the computer in question boots more than one operating system and your other OS has access to that hard drive, then you can simply boot to the other OS and delete the directory and files with no interference.
Flying @way 吳穎暉
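The newsletter above describes a rootkit that hooks the Windows API so that a hidden directory or a hidden listening port is invisible from inside the running system, and the removal advice amounts to reading the disk from a view the rootkit cannot hook (a boot floppy, Bart's PE, or a second OS). The same idea, comparing an untrusted "live" view with a trusted one, is also how you detect such hiding: anything the trusted view shows that the live view omits is suspect. The script below is an added illustration of that cross-view comparison and is not part of the newsletter, the forum post, RKDetector or Hacker Defender. All sample data in it (the netstat text, the externally scanned port set, the two directory listings) is constructed for the example; in practice you would paste in real `netstat -an` output, the result of a scan run from another machine, and directory listings taken on the live system and from the rescue boot.

```python
import re
from typing import Iterable, Set

# --- Constructed sample data (made up for this example, not from the page) ---

# What `netstat -an` reports from inside the live system. A hooked API could
# omit a listener; this sample simply leaves out TCP 4444 to model that.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1033      192.168.1.20:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# TCP ports that answered a scan run from a second machine on the LAN
# (constructed; the network view cannot be filtered by a hook on this host).
SAMPLE_EXTERNAL_OPEN_TCP = {135, 139, 445, 4444}

# Directory listing taken on the live system versus the same directory read
# after booting another OS or a rescue CD (constructed; the hidden entry name
# is a placeholder, not a real rootkit path).
SAMPLE_LIVE_LISTING = [
    "C:\\WINDOWS\\system32",
    "C:\\WINDOWS\\Temp",
    "C:\\WINDOWS\\explorer.exe",
]
SAMPLE_OFFLINE_LISTING = [
    "c:\\windows\\system32\\",
    "c:\\windows\\temp",
    "c:\\windows\\explorer.exe",
    "c:\\windows\\hiddenexample",
]

# Matches one `netstat -an` line for a TCP socket in LISTENING state and
# captures the local port (works for IPv4 "a.b.c.d:port" and IPv6 "[::]:port").
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.MULTILINE)


def local_listening_tcp_ports(netstat_text: str) -> Set[int]:
    """Ports the local (API-based, possibly hooked) view admits are listening."""
    return {int(m.group(1)) for m in LISTEN_RE.finditer(netstat_text)}


def hidden_ports(local_view: Set[int], external_view: Set[int]) -> Set[int]:
    """Ports that accept connections from outside but are absent locally."""
    return external_view - local_view


def normalize_path(path: str) -> str:
    """Case-fold and strip trailing separators so the two listings compare equal."""
    return path.replace("/", "\\").rstrip("\\").lower()


def hidden_entries(live_listing: Iterable[str], trusted_listing: Iterable[str]) -> Set[str]:
    """Entries present in the trusted (offline) view but missing from the live view."""
    live = {normalize_path(p) for p in live_listing}
    trusted = {normalize_path(p) for p in trusted_listing}
    return trusted - live


def cross_view_report(netstat_text: str, external_open: Set[int],
                      live_listing: Iterable[str], trusted_listing: Iterable[str]) -> str:
    """Human-readable summary of both comparisons."""
    ports = sorted(hidden_ports(local_listening_tcp_ports(netstat_text), external_open))
    paths = sorted(hidden_entries(live_listing, trusted_listing))
    lines = [f"TCP ports open on the wire but not reported locally: {ports or 'none'}",
             f"File system entries hidden from the live view: {paths or 'none'}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(cross_view_report(SAMPLE_NETSTAT, SAMPLE_EXTERNAL_OPEN_TCP,
                            SAMPLE_LIVE_LISTING, SAMPLE_OFFLINE_LISTING))
```

The trusted view must genuinely come from outside the hooked system: a scan from another host for ports, and a listing produced after booting the rescue CD or second OS for files. A listing produced by a second tool running under the same hooked API on the live machine gives no independent view and would agree with the first.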