http://blogs.technet.com/b/markrussinovich/archive/2011/05/10/3422212.aspxIn the first post of this series , I used Autoruns , Process Explorer and VMMap to statically analyze a Stuxnet infection on Windows XP. That phase of the investigation revealed that Stuxnet infected multiple processes, launched infected processes thaten-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/markrussinovich/archive/2011/05/10/3422212.aspx#3430690Fri, 20 May 2011 16:45:24 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3430690jader3rd<p>So the ability to modify the task sechduling file. Do you think that that&#39;s something someone at Microsoft intentionally enabled for some backwards compatability purposes? I can invision a bug where something with Task Scheulding was broken (or undesirably difficult) because of new admin security models, so someone intentionally shimmed the scenario, by passing the credentials. </p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3430690" width="1" height="1">http://blogs.technet.com/b/markrussinovich/archive/2011/05/10/3422212.aspx#3429070Fri, 13 May 2011 16:06:02 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3429070Mark Russinovich<p>@Feet Command: virtual</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3429070" width="1" height="1">http://blogs.technet.com/b/markrussinovich/archive/2011/05/10/3422212.aspx#3429069Fri, 13 May 2011 16:05:49 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3429069Mark Russinovich<p>@RichardVJ the seminar is being simulcast for web viewing. </p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3429069" width="1" height="1">http://blogs.technet.com/b/markrussinovich/archive/2011/05/10/3422212.aspx#3429047Fri, 13 May 2011 15:09:53 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3429047Fleet Command<p>Indeed, I agree, Mark. I understand that it should have been difficult preparing this blog post, in fact more difficult than just learning it for yourself. Thank you.</p> <p>By the way, Mark, did you use an actual computer or a virtual one?</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3429047" width="1" height="1">http://blogs.technet.com/b/markrussinovich/archive/2011/05/10/3422212.aspx#3428987Fri, 13 May 2011 10:31:08 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3428987RichardVJ<p>Good work Dr Mark :)</p> <p>Mark Please host a online session for the planned seminar, We are all interested in your Zero Day Malware Cleaning with the Sysinternals Tools seminar but really difficult to travel from EU to US for it.</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3428987" width="1" height="1">http://blogs.technet.com/b/markrussinovich/archive/2011/05/10/3422212.aspx#3427918Tue, 10 May 2011 19:18:26 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3427918TheJoshuaTSmith<p>Mark, thank you SO much for sharing, as usual. This series on Stuxnet, in particular, was a most interesting read, and, as per your usual style, easy to assimilate and follow.</p> <p>Again, we very much appreciate the Sysinternals tools and your personal interactivity with the tech community.</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3427918" width="1" height="1">