Security Incidents
mailing list archives
Re: strange windows behaviour.

From: Derek <infosec_guy2003 () yahoo com>
Date: Mon, 13 Oct 2003 15:57:44 -0700 (PDT)

Some strange stuff in the strings, like what looks like an automated
IRC script for a Russian guy to pick up women. Hmm.

Derek

-----Original Message-----
From: J Mike Rollins [mailto:rollins () wfu edu]
Sent: Friday, October 10, 2003 8:50 AM
To: Fabio Panigatti
Cc: incidents () securityfocus com
Subject: Re: strange windows behaviour.

The rundll32 path\to\the\trojan.dll,Uninstall does seem to remove
the entries from the registry. However, the stream is still on
the system. Something like, "echo A > C:\path\to:trojan.dll"
will clobber it.

A comment on how to un-install this is in the comments of the
program. Along with a bunch of other interesting text. I have
posted the strings from the trojan on a web page:
http://www.wfu.edu/~rollins/trojan.txt

However, I am not sure that I feel safe after
un-installing it this way.
If this is a backdoor program, who knows what else
might have been done to the system.
---------------------------------------------------------------------------
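The leftover "stream" in the quoted message is an NTFS alternate data stream, which an ordinary directory listing does not show. The PowerShell script below is an added example, not part of the thread: it lists non-default streams under a directory and flags any that start with an executable header. `$Root` is a placeholder path and the `MZ` check is an assumed heuristic, not something taken from the posts.

```powershell
# Added example: enumerate NTFS alternate data streams (ADS) under a directory
# and flag streams whose first two bytes are "MZ" (PE executable header).
# $Root is a placeholder; point it at the directory under investigation.
param([string]$Root = 'C:\path\to')

function Get-StreamHeader {
    param([string]$Path, [string]$Stream)
    # Windows PowerShell 5.1 reads raw bytes with -Encoding Byte;
    # PowerShell 6 and later use -AsByteStream instead.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream `
            -TotalCount 2 -ErrorAction SilentlyContinue
    } else {
        Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte `
            -TotalCount 2 -ErrorAction SilentlyContinue
    }
}

# Include the root itself: a stream can hang off a directory as well as a file.
# Older PowerShell versions may not list streams on directories; "dir /r" in
# cmd.exe is an alternative check in that case.
$targets = @(Get-Item -LiteralPath $Root -Force) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $targets) {
    Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |      # skip the normal file body
        ForEach-Object {
            $hdr = @(Get-StreamHeader -Path $item.FullName -Stream $_.Stream)
            [pscustomobject]@{
                HostPath = $item.FullName
                Stream   = $_.Stream
                Length   = $_.Length
                # Zone.Identifier streams on downloaded files are expected and
                # are plain text, so they will not be flagged here.
                LooksPE  = ($hdr.Count -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)
            }
        }
}

$findings | Sort-Object LooksPE -Descending | Format-Table -AutoSize

# After preserving a copy for analysis, a confirmed stream can be deleted with:
#   Remove-Item -LiteralPath <HostPath> -Stream <Stream>
```

Deleting the stream removes only that artifact; the concern raised in the message about what else was done to the system still applies.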