Security Incidents mailing list archives

analysis of Troj/Winser-A
From: Steve Friedl <steve () unixwiz net>
Date: Thu, 6 Jan 2005 22:18:27 -0800

Hello all,

The WINS worm that is running around was identified by Sophos as
"Troj/Winser-A", but I've not seen much discussion of the technical
details save for talk of the SNORT rules.

Lawrence Baldwin of www.MyNetWatchman.com captured this thing, and I've
been taking it apart over the last few days. It comes in two parts -
a standalone exploit program, plus a much larger IRC bot-type program.

My work-in-progress can be found here:

        http://www.unixwiz.net/research/winser-a.html

If others have posted better analysis, I'd love to know about it so I
don't waste any more time :-)

Steve

-- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | steve () unixwiz net

