Help please, I think I'm trojanned!

[Warrior]

There is no macron in latin, it's a little thing added to help with the sounds (long vs short letters)

[brew]

I also took 4 years of Latin.  The macron is used in teaching Latin because it helps forming sounds, but ancient Latin didn't have a macron, or even a lower case, actually.  Anyway, my point is, it's vir, a regular 3rd declension masculine noun, and virus, a regular 2nd declension masculine noun.

Rabbit, you're an idiot. We call it a macron-- they didn't call it anything.  It's just a "long vowel". And if you look at ancient roman ruins you would see, they DO use macrons in their text. One more thing-- vir is NOT a 3rd declention noun, it's 2nd. Go look anywhere, puh-lease. Stop trying to outsmart me, especially in Latin. I am a three time ACL/NJCL National Latin Exam Summa cum laude winner (gold metal). So really, sum possum dicere Latinum perfectum. Et tu?

EDIT*** Also, you're wrong. Virus is neuter.

[Newby]

Could low privlaged accounts inject dlls into system processes? I'm using XP Home Edition 2600.

2600? That's pretty far off into the future. Internal leak?

[brew]

Could low privlaged accounts inject dlls into system processes? I'm using XP Home Edition 2600.

2600? That's pretty far off into the future. Internal leak?

...5.1.2600.

[Warrior]

... Did you seriously call Windows XP by its build number? Moron.

[Barabajagal]

You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it.

[Kp]

Could low privlaged accounts inject dlls into system processes? I'm using XP Home Edition 2600.

There would not be much point in having the concept of privilege if low privileged users could tamper with highly privileged processes.  That said, I have read that XPHome skips security checks, so it might allow the behavior you are worried about.  I know that XPPro does not allow it.  Hopefully, someone will report whether XPHome enforces the relevant checks.

You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it.

A properly secured DACL on the injectee will grant the would-be injector either no rights or read-only rights.  It is possible that there would be a privileged process with an insecure DACL, but I think all the services in a base install are OK.

[Barabajagal]

You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it.

A properly secured DACL on the injectee will grant the would-be injector either no rights or read-only rights.  It is possible that there would be a privileged process with an insecure DACL, but I think all the services in a base install are OK.

In which case you overwrite the original file (rename the original to something else, create a copy) and disable the DACL protection, use the SetEntriesInAcl and SetSecurityInfo APIs, and then inject the DLL .

[Joe[x86]]

... Did you seriously call Windows XP by its build number? Moron.

Why wouldn't he, if he's discussing a trojan for a specific build of Windows?

By the way, if you read anything other than the 2600, you'd realize that he said he's using Windows XP Home Edition. Nice try at being whitty but it ultimately failed.

[Newby]

x86] link=topic=16626.msg168251#msg168251 date=1177263258]

... Did you seriously call Windows XP by its build number? Moron.

Why wouldn't he, if he's discussing a trojan for a specific build of Windows?

By the way, if you read anything other than the 2600, you'd realize that he said he's using Windows XP Home Edition. Nice try at being whitty but it ultimately failed.

The trojan was specific to his build of Windows? This is incredible. Now they're writing trojans for specific operating systems written hundreds of years in the future. What will malware writers do next? Write trojans for people's clothing?

I also don't get the "try at being witty" comment.

[Warrior]

x86] link=topic=16626.msg168251#msg168251 date=1177263258]

... Did you seriously call Windows XP by its build number? Moron.

Why wouldn't he, if he's discussing a trojan for a specific build of Windows?

By the way, if you read anything other than the 2600, you'd realize that he said he's using Windows XP Home Edition. Nice try at being whitty but it ultimately failed.

Because unless you're using a Beta version of XP, the RTM build number is 2600. It can be assumed that 99.9% of the Computers running XP are running build 2600. It's really retarded to call it anything else. It's Windows XP and nothing fundementally changes build to build if (and only if) there so happens to be a build revision in the near future.

[Kp]

You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it.

A properly secured DACL on the injectee will grant the would-be injector either no rights or read-only rights.  It is possible that there would be a privileged process with an insecure DACL, but I think all the services in a base install are OK.

In which case you overwrite the original file (rename the original to something else, create a copy) and disable the DACL protection, use the SetEntriesInAcl and SetSecurityInfo APIs, and then inject the DLL .

Doing that would require an insecure DACL on the files and/or directories used by the target process.  Although possible, it would be rather silly to see a process where someone managed to get the process DACL right, but left the file DACLs insecure.

[Barabajagal]

You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it.

A properly secured DACL on the injectee will grant the would-be injector either no rights or read-only rights.  It is possible that there would be a privileged process with an insecure DACL, but I think all the services in a base install are OK.

In which case you overwrite the original file (rename the original to something else, create a copy) and disable the DACL protection, use the SetEntriesInAcl and SetSecurityInfo APIs, and then inject the DLL .

Doing that would require an insecure DACL on the files and/or directories used by the target process.  Although possible, it would be rather silly to see a process where someone managed to get the process DACL right, but left the file DACLs insecure.

I've never found a program I can't make a copy of and edit.

[Skywing]

No way to know for sure without reverse engineering the particular piece of malware in question.

Exactly why I am interested in reverse engineering this malware.

You're probably not interested in reverse engineering it.  If you don't, and nobody else has (with verification that the code on your box is identical), then you should wipe the system clean.

[Skywing]

I've never found a program I can't make a copy of and edit.

That doesn't really get you anything.  You'll have no way to place the modified version of the binary where it will be run, assuming file ACLs are set properly and the lack of a security hole allowing an unprivileged user to convince a privileged process to load a binary from an untrusted location.

If you run the modified version of the binary yourself, it will be executing with the privileges of your (unprivileged) account and thus will not be able to perform things outside the sandbox of that user account.