echo: osdebate
to: Geo
from: Gregg N
date: 2006-01-04 09:47:08
subject: Re: Kodak EasyShare software

From: Gregg N 

Geo wrote:
> "Gregg N"  wrote in message
> news:43bb56da{at}w3.nls.net...
>
>
>
>> I looked at the link you provided and I didn't see anything there about
>> a file running with elevated privilege after a reboot. System restore
>> would restore the file where it was before, running as it did before,
>> not in a new place with new privilege.
>>
>
> I only had a few more minutes to search but here's another one that
> describes the reboot technique.
>
> http://vil.nai.com/vil/content/v_130607.htm
>
> I'll see if I can find something else tonight that is an example of
> replacing a system file to get elevated permissions.
>
> Geo.
>
>
>

I'm not sure the above describes replacing a system file. It looks like it
is merely setting itself to start up with the current user's permissions.

Obviously if there were a vulnerability that allows a trojan to run as
system or administrator (not the current WMF one, by the way), then who you
are logged in as does not matter. However, if you always run with
administrative privilege, the malware does not have to wait for such a
vulnerability; it can walk right in. You don't even need any vulnerability.
Just pose as a useful program that you run (really the definition of
"trojan"), and the next thing you know you have a root kit
installed.

Gregg

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
