Security Incidents
mailing list archives
Re: PPark (was: Win 95 Question)
From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Wed, 1 Mar 2000 15:28:09 +1300
On Tue, 29 Feb 2000 12:27:01 -0800 Robert Graham
<Robert.Graham () networkice com> wrote:
> BTW, if you could send me tcpdump of the session, I would really appreciate
> it as well. Setting up systems to collect tracefiles is often more work
> than creating the signature that detects the traffic.
I have a tcpdump of one infected machine talking to two different IRC
servers and am happy to email it to anyone who wants to study these
traces (I have already sent a copy to Robert).
I have further evidence that this is a new strain of PPark. One of the
machines infected had NAV installed with defs from 11 Feb and this did
not detect the trojan. I got the tech who was doing the clean up to
bring in the executables on a disk and when we scanned it using the
definitions downloaded yesterday NAV detected it. i.e. Symantec appear
to have added defs for this version in the last week or so.
PPark still seems to be contacting the same IRC servers, many of which
appear to be defunct, i.e. they don't respond.
Cheers, Russell.
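As an added example (not code from Russell's post, from NetworkICE, or from any PPark signature), the following Python script does over a tcpdump text trace what the thread is doing by hand: it lists which internal hosts open connections to IRC servers, how many SYNs each server got, and whether the server ever answered with a SYN/ACK, which is how you would spot the "defunct" servers Russell mentions. The trace lines are constructed for illustration; the 10.0.0.0/8 internal range, the set of IRC ports, and the "more than one IRC server from one host" heuristic are assumptions, not facts from the thread.

```python
"""
Summarise a tcpdump text trace (the "tcpdump -n" line format with Flags [..])
to find internal hosts homing to IRC servers and to tell which of those
servers actually responded.  Added example; the trace below is constructed.
"""
import re
from collections import defaultdict

# Assumption: the trojan uses the well-known IRC port range.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}

# Constructed sample trace (not from the thread).  10.1.2.3 reaches one IRC
# server that answers and one that stays silent; 10.1.2.9 only browses the
# web and visits a single IRC server.
SAMPLE_TRACE = """\
12:00:01.000000 IP 10.1.2.3.1034 > 192.0.2.10.6667: Flags [S], seq 1, win 8192, length 0
12:00:01.050000 IP 192.0.2.10.6667 > 10.1.2.3.1034: Flags [S.], seq 100, ack 2, win 16384, length 0
12:00:01.060000 IP 10.1.2.3.1034 > 192.0.2.10.6667: Flags [.], ack 101, win 8192, length 0
12:00:04.000000 IP 10.1.2.3.1035 > 198.51.100.7.6667: Flags [S], seq 1, win 8192, length 0
12:00:07.000000 IP 10.1.2.3.1035 > 198.51.100.7.6667: Flags [S], seq 1, win 8192, length 0
12:00:13.000000 IP 10.1.2.3.1035 > 198.51.100.7.6667: Flags [S], seq 1, win 8192, length 0
12:00:20.000000 IP 10.1.2.9.1500 > 203.0.113.5.80: Flags [S], seq 1, win 8192, length 0
12:00:20.030000 IP 203.0.113.5.80 > 10.1.2.9.1500: Flags [S.], seq 7, ack 2, win 16384, length 0
12:00:30.000000 IP 10.1.2.9.1501 > 192.0.2.10.6667: Flags [S], seq 1, win 8192, length 0
12:00:30.040000 IP 192.0.2.10.6667 > 10.1.2.9.1501: Flags [S.], seq 9, ack 2, win 16384, length 0
"""

# One TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)


def is_internal(ip):
    # Assumption: the site's own machines live in 10.0.0.0/8.
    return ip.startswith("10.")


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return d["src"], int(d["sport"]), d["dst"], int(d["dport"]), d["flags"]


def summarise_irc(lines):
    """Map internal host -> IRC server -> {"syns": count, "answered": bool}."""
    contacts = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, sport, dst, dport, flags = rec
        # Outbound SYN (no ACK bit) from an internal host to an IRC port.
        if is_internal(src) and dport in IRC_PORTS and flags == "S":
            entry = contacts[src].setdefault(dst, {"syns": 0, "answered": False})
            entry["syns"] += 1
        # SYN/ACK from a server we already saw the host try to reach.
        elif (is_internal(dst) and sport in IRC_PORTS and flags == "S."
              and src in contacts.get(dst, {})):
            contacts[dst][src]["answered"] = True
    return {host: dict(servers) for host, servers in contacts.items()}


def suspect_hosts(summary, min_servers=2):
    """Hosts trying several IRC servers in one trace look like a homing trojan."""
    return sorted(h for h, s in summary.items() if len(s) >= min_servers)


if __name__ == "__main__":
    result = summarise_irc(SAMPLE_TRACE.splitlines())
    for host, servers in sorted(result.items()):
        for server, info in sorted(servers.items()):
            state = "answered" if info["answered"] else "silent (defunct?)"
            print(f"{host} -> {server}: {info['syns']} SYN(s), {state}")
    print("suspect hosts:", suspect_hosts(result))
```

Run it against real output from `tcpdump -n -r trace.pcap tcp` (or the live interface) instead of the embedded sample; a server that collects only SYN retransmissions and never a SYN/ACK is the trace-level counterpart of the defunct IRC servers described above, and a single host walking through several of them is worth a look even before a signature for the trojan itself exists.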