Friday, July 31, 2009

Fun tracking down malware - svcchost.exe

I love being tech support. Found a little nasty called svcchost.exe (classic!) on a family Windows computer. Run key in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
C:\Documents and Settings\username\Application Data\Microsoft\svcchost.exe

Beacons:

1 0.000000 10.1.1.9 10.1.1.1 DNS Standard query A xdemonx.selfip.org
2 0.000590 10.1.1.1 10.1.1.9 DNS Standard query response A 96.18.166.50
3 0.000895 10.1.1.9 96.18.166.50 TCP 1588 > 3085 [SYN] Seq=0 Win=16384 Len=0 MSS=1460
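Two things in this write-up are worth turning into a repeatable check: a Run-key value that points at a lookalike binary in the user's profile, and a DNS lookup of a dynamic-DNS host followed immediately by a SYN to an odd port. The script below is an added example, not code from the original post or from McAfee; it scores the Run-key path and the three capture lines above with a few simple heuristics. The lists of Windows binary names, dynamic-DNS suffixes, profile directory markers and "well-known" ports are assumptions chosen for illustration, not an authoritative set.

```python
import re

# Assumptions for illustration (not from the original post): names that malware
# commonly imitates, dynamic-DNS zones, user-writable profile paths, ports that
# a legitimate client would normally talk to.
KNOWN_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
DYNAMIC_DNS_SUFFIXES = ("selfip.org", "dyndns.org", "no-ip.org", "no-ip.biz")
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\appdata\\", "\\temp\\")
WELL_KNOWN_PORTS = {25, 53, 80, 110, 143, 443, 993, 995}

# The three frames from the post, used here as the sample capture.
SAMPLE_CAPTURE = """
1 0.000000 10.1.1.9 10.1.1.1 DNS Standard query A xdemonx.selfip.org
2 0.000590 10.1.1.1 10.1.1.9 DNS Standard query response A 96.18.166.50
3 0.000895 10.1.1.9 96.18.166.50 TCP 1588 > 3085 [SYN] Seq=0 Win=16384 Len=0 MSS=1460
"""

# frame number, time, source, destination, protocol, free-form info column
LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_run_entry(path):
    """Return the reasons a Run-key value looks suspicious (empty list = nothing found)."""
    reasons = []
    lowered = path.lower()
    name = lowered.replace("/", "\\").rsplit("\\", 1)[-1]
    for marker in USER_WRITABLE_MARKERS:
        if marker in lowered:
            reasons.append(f"executable lives in a user-writable profile directory ({marker.strip(chr(92))})")
            break
    for known in sorted(KNOWN_SYSTEM_BINARIES):
        d = edit_distance(name, known)
        if 0 < d <= 2:  # exact match is the real binary; a near miss is a lookalike
            reasons.append(f"name '{name}' is a near-lookalike of '{known}' (distance {d})")
    return reasons


def parse_capture(text):
    """Parse the text export of a capture into a list of frame dicts."""
    frames = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append({"no": int(m[1]), "time": float(m[2]), "src": m[3],
                           "dst": m[4], "proto": m[5], "info": m[6]})
    return frames


def assess_beacon(frames):
    """Flag dynamic-DNS lookups and a SYN to a non-standard port on the resolved address."""
    reasons = []
    resolved = {}   # answered IP -> queried name
    pending = None  # name of the most recent unanswered A query
    for f in frames:
        info = f["info"]
        if f["proto"] == "DNS" and "Standard query A " in info and "response" not in info:
            pending = info.rsplit(" ", 1)[-1]
            if pending.endswith(DYNAMIC_DNS_SUFFIXES):
                reasons.append(f"DNS query for dynamic-DNS host {pending}")
        elif f["proto"] == "DNS" and "response" in info and pending:
            resolved[info.rsplit(" ", 1)[-1]] = pending
        elif f["proto"] == "TCP" and "[SYN]" in info and f["dst"] in resolved:
            m = re.search(r"(\d+) > (\d+)", info)
            dport = int(m[2]) if m else None
            if dport is not None and dport not in WELL_KNOWN_PORTS:
                reasons.append(f"SYN to {resolved[f['dst']]} ({f['dst']}) on non-standard port {dport} right after resolution")
    return reasons


if __name__ == "__main__":
    run_value = r"C:\Documents and Settings\username\Application Data\Microsoft\svcchost.exe"
    for r in assess_run_entry(run_value) + assess_beacon(parse_capture(SAMPLE_CAPTURE)):
        print("-", r)
```

Run against the values from this post it reports the profile-directory location, the one-character distance from svchost.exe, the selfip.org lookup, and the SYN to port 3085; the same two functions can be fed the output of a Run-key enumeration (msconfig's Startup tab, or a registry export) and a text export of a capture.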

Reported to McAfee. They actually have some decent advice for finding run keys:
On Windows XP systems, click START > RUN, type MSCONFIG and hit ENTER. Click the Startup tab.

A McAfee monkey in Bangalore produced a signature and sent back an extra.dat file in just a few minutes. Mission accomplished.
