Security Incidents mailing list archives

Re: strange windows behaviour.
From: Tomasz Papszun <tomek-incid () lodz tpsa pl>
Date: Fri, 10 Oct 2003 19:49:48 +0200

On Fri, 10 Oct 2003 at 11:49:33 -0400, J Mike Rollins wrote:

The rundll32 path\to\the\trojan.dll,Uninstall does seem to remove the
entries from the registry.  However, the stream is still on the system.
Something like, "echo A > C:\path\to:trojan.dll" will clobber it.

A comment on how to un-install this is in the comments of the program.
Along with a bunch of other interesting text.
I have posted the strings from the trojan on a web page:

      http://www.wfu.edu/~rollins/trojan.txt

However, I am not sure that I feel safe after un-installing it this way.
If this is a backdoor program, who knows what else might have been done to
the system.

On Fri, 10 Oct 2003, Fabio Panigatti wrote:

On September 25, 2003, I posted an article "Analysis of a Spam Trojan"
to the full-disclosure and focus-virus Listservs. It details one
particular spam trojan we found at the University of Minnesota. The
full-disclosure archive can be viewed at:
http://lists.netsys.com/pipermail/full-disclosure/2003-September/010914.html

[...]

That's right, this is a backdoor program. Your results of 'strings'
match a sample of sznwjhf.dll, in which ClamAV [1] detects
Trojan.Coreflood.

[1] http://clamav.sourceforge.net/

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 tomek () lodz tpsa pl   http://www.lodz.tpsa.pl/   | ones and zeros.
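The thread above describes a DLL hidden in an NTFS alternate data stream (the `C:\path\to:trojan.dll` form) and removes it by overwriting the stream with `echo A >`. As an added example, not code from the thread or from any of its posters, the PowerShell helper below enumerates every non-default stream under a directory (streams can hang off directories as well as files) and flags those whose content starts with the "MZ" header of a PE image; the root path, stream names and the `Zone.Identifier` exclusion are assumptions.

```powershell
# Added example: find alternate data streams (ADS) hidden on files or
# directories. Requires Windows PowerShell 3.0+ and an NTFS volume.
# The path and stream names used here are assumptions, not thread values.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Zone.Identifier is written by browsers on downloads and is benign
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )
    # Include the root itself: a stream can be attached to a directory,
    # exactly as in the thread's "C:\path\to:trojan.dll".
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $path = $item.FullName
        # -Stream * lists every stream; ':$DATA' is the ordinary file content
        Get-Item -LiteralPath $path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
        ForEach-Object {
            # Peek at the first line; EXE/DLL images begin with the bytes "MZ"
            $head = Get-Content -LiteralPath $path -Stream $_.Stream -TotalCount 1 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path    = $path
                Stream  = $_.Stream
                Bytes   = $_.Length
                LooksPE = [bool]($head -and ([string]$head).StartsWith('MZ'))
            }
        }
    }
}

# Usage (assumed path): report suspicious streams, then delete one explicitly.
# "echo A > file:stream" only overwrites the stream's content; Remove-Item
# -Stream actually drops the stream from the host file or directory.
Find-AlternateDataStream -Root 'C:\path\to' | Format-Table -AutoSize
# Remove-Item -LiteralPath 'C:\path\to' -Stream 'trojan.dll'
```

Run the report first and compare the hits with a clean baseline; an unexpected stream whose content looks like a PE image is the artifact the thread is describing.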
