NOTICE: This is a case study, based on real-life correspondence from an actual client incident. All personal/company identities and other sensitive information such as domain names and external addresses have been censored to protect the innocent.
From: Sam Chan
Sent: Friday, February 24, 2006 11:30 AM
To: All
Subject: Security Incident Response session captures
See also: Original Report & Analysis associated with these capture images
This was your first (and only) visible sign of trouble: the toolbar.
This is the bogus "debugging tool" error I got, and the associated pop-up window. It's blank because the program was only partially successful: it failed to obtain content to display in the window, as it was blocked by KPF.
The one firewall rule erroneously created during your frantic attempt to stop the stream of prompts:
A few of the planted startup items:
The spyware set up a system "service", which by nature runs invisibly, as shown by PsExplorer:
Built-in pages such as search, about:blank, etc. were all replaced by spyware versions: