Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: List of worm and trojan files
From: Sam Gentle <dywypi () gmail com>
Date: Fri, 24 Dec 2004 19:09:42 +1000

Perhaps I should clarify about this list thing: A friend of mine is apparently running a rogue email server and a rogue ftp server, and none of the virus checkers we have tried will determine what program or where. I looked for a windows equivalent to lsof but there doesn't appear to be one - the one I found can only determine the program if it sees a packet go by and cannot find a quiescent program. The A/V checkers do not flag an email server, considering it a legitimate program. Task manager is also destroyed, so there is no help there. I was hoping to find a list of illegitimate files for which I could check.

Thanks to those who sent advice and assistance.



In your case I would definitely advise having a look at a couple of Sysinternals tools. Specifically, "Process Explorer" allows you to display open sockets for a process, and "TCPView" will list all open (and listening) sockets and their associated processes. I assume you're talking about an NT-based system here, as under 9x/ME these tools are regretfully castrated by the lack of appropriate OS features.

Oh, and you may want to check out another utility, also from Sysinternals, called "autoruns", which can give you a list of non-system programs in starting locations, including BHOs and shell extensions. (Though I'd actually recommend NirSoft's ShellExView for the latter if you plan to do any serious messing around.)

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]