Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: List of worm and trojan files
From: Kevin <kkadow () gmail com>
Date: Thu, 23 Dec 2004 23:03:39 -0600

Carilda A Thomas <cat () the-cat com> wrote:
I have been looking but I cannot find a list all in one
place of the various illegitimate files that various worms
and trojans install into Microsoft systems.

What'd really help here is a list of MD5 checks for "known bad"
binaries.  Obviously a custom build of sdbot or just a simple hexedit
would defeat this, but such a list would still have value against
automated attacks, etc.

Perhaps I should clarify about this list thing:  A friend
of mine is apparently running a rogue email server and a
rogue ftp server, and none of the virus checkers we have
tried will determine what program or where.  I looked for
a windows equivalent to lsof but there doesn't appear to
be one - 

Sysinternals has applications that, taken in combination, do much of
what 'lsof' does under Unix.

Specifically, tcpview
(http://www.sysinternals.com/ntw2k/source/tcpview.shtml) will show you
any listening sockets, the associated process, and the location from
which the process launched.  This should suffice to locate a rogue FTP
service on a Windows PC.

the one I found can only determine the program if
it sees a packet go by and cannot find a quiescent
program.  The A/V checkers do not flag an email server,
considering it a legitimate program.  Task manager is also
destroyed, so there is no help there.  I was hoping to
find a list of illegitimate files for which I could check.

Assuming the attacker is competent, the only way to "clean" a deeply
compromised machine is to reformat the drive and start from scratch. 
The truly paranoid will question whether just formatting the drive is

Kevin Kadow
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]