Wednesday, April 26, 2006

F-Secure: Sometimes Those Error Messages Actually Mean Something


Image source: F-Secure

Mika writes over on the F-Secure "News from the Lab" Blog:

Removing spyware from a computer is becoming an increasingly difficult task. Look2Me, a displayer of pop-up advertisements, is a good example of a persistent malware application that just won't go away. It uses some interesting techniques to remain installed.

Look2Me hooks into the winlogon process as a notification package. If the user tries to unregister the notification package, it is immediately reinstated. Look2Me also removes the administrator group's debug privileges and thereby prevents the user from interfering. This, along with some other tricks, makes manual removal close to impossible.

The removal of the debug privileges has resulted in some BlackLight support calls for us. And so, even though it doesn't have any rootkit functions, the SeDebugPrivilege error inadvertently turns our BlackLight tool into a Look2Me detector!

One of our researchers has spent a good deal of time fighting with Look2Me and the result is a removal tool that can be downloaded from here.

More here.
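The two symptoms described above (a Winlogon notification package that keeps coming back, and SeDebugPrivilege missing from the Administrators group) can both be checked without touching anything. The script below is an added example, not F-Secure's code and not their removal tool; it reads the Winlogon\Notify key, flags subkeys that are not in a baseline list, and exports the local security policy with secedit to see who holds SeDebugPrivilege. The baseline list of notification packages is an assumption based on a default Windows XP install and should be adjusted for your build; Vista and later no longer load notification packages from that key.

```powershell
# Added example (not F-Secure's code): check for the two Look2Me persistence
# symptoms on a Windows XP/2003-era host. Run from an Administrator PowerShell.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Assumption: subkeys present on a default Windows XP install. Anything else
# names a DLL that winlogon.exe loads at logon and deserves a closer look.
$knownNotify = @('crypt32chk', 'cryptnet', 'cscdll', 'ScCertProp', 'Schedule',
                 'sclgntfy', 'SensLogn', 'termsrv', 'wlballoon')

if (Test-Path $notifyKey) {
    "Winlogon notification packages:"
    Get-ChildItem $notifyKey | ForEach-Object {
        $dll  = (Get-ItemProperty $_.PSPath).DllName
        $flag = if ($knownNotify -contains $_.PSChildName) { '' } else { '  <-- not in baseline' }
        "  {0,-12} {1}{2}" -f $_.PSChildName, $dll, $flag
    }
} else {
    "No Winlogon\Notify key (Vista and later do not use notification packages)."
}

# Export the current local security policy; the [Privilege Rights] section
# lists SeDebugPrivilege and the SIDs that hold it. S-1-5-32-544 is the
# built-in Administrators group, which holds it by default.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null

$debugLine = Get-Content $cfg | Where-Object { $_ -match '^SeDebugPrivilege' } | Select-Object -First 1
if ($debugLine -and $debugLine -match 'S-1-5-32-544') {
    "SeDebugPrivilege: held by Administrators (normal)"
} else {
    "SeDebugPrivilege: NOT held by Administrators (matches the Look2Me symptom)"
    if ($debugLine) { "  policy line: $debugLine" }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

If SeDebugPrivilege is missing, BlackLight and any other tool that calls AdjustTokenPrivileges for it will fail as the post describes; restoring the right with secedit or the Local Security Policy console is pointless while the notification package is still loaded, since the DLL reapplies its changes on the next logon.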
