Comments on Windows Incident Response: Data Hiding on Live Systems

Anonymous (2004-12-16 09:41 -05:00):
"Put it in a temp directory and call it "svchost.exe" (10 points to anyone who can tell me why writing that file to the system32 directory won't be effective)."

Is there something to do with system32\dllcache\ or Windows File Protection?

Anonymous (2004-12-16 15:04 -05:00):
There's already a svchost.exe in %SystemRoot%\System32 and I don't think you want to mess with it...

H. Carvey (2004-12-17 10:48 -05:00):
Okay, two responses so far, and you guys are both on the right track.

For some reason, not a lot of A/V companies point this out when they talk about how specific malware infects a system. The point is that if malware or a malicious user attempts to write a file called %WINDIR%\system32\svchost.exe, Windows File Protection (if no steps have been taken to disable it) will "wake up" and replace that file with the known good from the dllcache directory and write an entry to the Event Log.

Remember the "Teddy Bear" virus hoax? This was the email that was going around a while back that stated that the user should delete "jdbgmgr.exe"... a file which had a teddy bear as an icon. On Windows 2000, this file is protected by WFP, which is good, because one of the users at the company I was at deleted the file, *then* told me about the email.
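One way to check the behaviour Harlan describes on a live system, as an added example that is not part of the post or of these comments: compare the svchost.exe in system32 against the dllcache copy, read the SFCDisable value that controls WFP, and pull any "Windows File Protection" entries from the System event log. It assumes Windows PowerShell on a Windows 2000/XP/2003 host (the systems that have WFP; Vista and later replaced it with Windows Resource Protection, so the dllcache comparison does not apply there). The paths, the SFCDisable value under Winlogon and the event source name are the documented WFP ones; the function names are this example's own, and treating a missing SFCDisable value as "enabled" is an assumption.

```powershell
# Added example, not from the original post or comments. Assumes Windows
# PowerShell on a Windows 2000/XP/2003 host with Windows File Protection.
# Written against .NET and Get-EventLog so it also runs on PowerShell 2.0.

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing instead of Get-FileHash, which older hosts do not have.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-WfpProtectedFile {
    param([string]$Name = 'svchost.exe')
    $live  = Join-Path $env:WINDIR "system32\$Name"
    $cache = Join-Path $env:WINDIR "system32\dllcache\$Name"

    # SFCDisable under Winlogon: 0 is the default (WFP enabled). Any other
    # value means someone changed it and is worth explaining. Treating an
    # absent value as enabled is this example's assumption.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $sfc = (Get-ItemProperty -Path $winlogon -Name SFCDisable `
            -ErrorAction SilentlyContinue).SFCDisable

    $liveHash  = if (Test-Path $live)  { Get-Sha256Hex $live }  else { $null }
    $cacheHash = if (Test-Path $cache) { Get-Sha256Hex $cache } else { $null }

    # WFP writes its restorations to the System log under this source; the
    # message text names the protected file that was replaced and restored.
    $events = Get-EventLog -LogName System -Source 'Windows File Protection' `
                -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -like "*$Name*" } |
              Select-Object TimeGenerated, EventID, Message

    New-Object PSObject -Property @{
        File             = $live
        SfcDisable       = $sfc
        WfpEnabled       = ($sfc -eq $null -or $sfc -eq 0)
        LiveSha256       = $liveHash
        CacheSha256      = $cacheHash
        # A mismatch with WFP enabled and no restore event means either the
        # cache copy is stale (hotfix) or the replacement went unnoticed;
        # either way the live file deserves a closer look.
        LiveMatchesCache = ($liveHash -ne $null -and $liveHash -eq $cacheHash)
        WfpEvents        = $events
    }
}

Test-WfpProtectedFile -Name 'svchost.exe' | Format-List
```

Run it before and after an attempted overwrite of the protected file: with WFP enabled the live and cache hashes should match again and a new "Windows File Protection" event should appear; if SFCDisable is non-zero or the hashes stay different with no event, that is the finding.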