Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > focus-virus > 03 > 020090.html (Request Expert securityfocus.com Support)

RE: Backdoor.Redkod

From: Grimes, Roger <RogerG(at)GoldKeyresorts.com>
Date: Thu Feb 27 2003 - 14:44:33 EST


Fab,

There are ways around xFP (Windows File Protection or System File Protection), but they aren't stupid enough to let the originating file be modified in a direct manner as you suggest. Unless you know the ways around it (there are a few), it won't let you modify protected files or their sources. If it can't find a "good" file to replace the modified protected file, xFP will request original source media. The digital signatures of protected files are stored in protected catalog files and the xFP file caches are protected folders.

Roger 

*Roger A. Grimes, VP of IT for GK/PHR Holding Company
*Gold Key Resorts and Professional Hospitality Resources
*email:  rogerg@goldkeyresorts.com
*ph: 757-491-2101 x403
*fax:757-491-6550
*932 Laskin Road, Virginia Beach, VA 23451
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode/
***************************************************************************

-----Original Message-----
From: Fab Siciliano [mailto:fsiciliano@optiumcorp.com] Sent: Wednesday, February 26, 2003 4:49 PM To: 'H C'; focus-virus@securityfocus.com Subject: RE: Backdoor.Redkod

Well..what if it's patching netstat in the actual WFP cache folder..or wherever it grabs the "good" files from? Then WFP doesn't even matter.

Fab

> -----Original Message-----
Received on Thu Feb 27 15:29:36 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT

Do you need help?X
Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library