Full Disclosure mailing list archives
RE: new trojan
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 26 Sep 2003 17:47:30 -0500
-----Original Message-----
From: Stephen Blass [mailto:Stephen.Blass () asu edu]
Sent: Friday, September 26, 2003 4:13 PM
To: Hummer Marchand; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] new trojan

To clean it out - we remove the WMS.exe from %sysdir% (we've seen it on win2k and XP) and remove the install kit from %sysdir%\system32\nt, the Servu* files and Serv-UID from %sysdir%, and delete the %sysdir%\pk32 directory. On the compromised machines we have found you can see WMS.exe in the task manager process list and the WinIP service in the services list. I've not seen the BUNDLER_WMS.EXE filename yet so maybe you have something different or perhaps this is evolution.

Did you find any files in the Recycled directory (not the Recycle Bin)?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
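The thread above lists the artifacts the posters used to recognise this infection: WMS.exe (and the BUNDLER_WMS.EXE variant) and Serv-UID in %sysdir%, Servu* files, the install kit under %sysdir%\system32\nt, the %sysdir%\pk32 directory, a running WMS.exe process, the WinIP service, and possibly files in a Recycled directory. The following read-only sweep is an added example written for this page; it is not code from either poster. It assumes that the thread's "%sysdir%" means the Windows directory ($env:SystemRoot) and that the process name shown in Task Manager as WMS.exe is reachable by Get-Process as "WMS"; it only reports, it removes nothing.

```powershell
# Added example: report-only check for the indicators named in this thread.
# Assumption: "%sysdir%" in the thread == the Windows directory ($env:SystemRoot).
$sysdir   = $env:SystemRoot
$findings = @()

# Files the posters report dropped directly into %sysdir%
$fileChecks = @(
    (Join-Path $sysdir 'WMS.exe'),
    (Join-Path $sysdir 'BUNDLER_WMS.EXE'),
    (Join-Path $sysdir 'Serv-UID')
)
foreach ($f in $fileChecks) {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}

# Serv-U pieces ("Servu*") in %sysdir%
Get-ChildItem -LiteralPath $sysdir -Filter 'Servu*' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Serv-U artifact: $($_.FullName)" }

# Directories named in the thread: the install kit location and pk32
$dirChecks = @(
    (Join-Path $sysdir 'system32\nt'),
    (Join-Path $sysdir 'pk32')
)
foreach ($d in $dirChecks) {
    if (Test-Path -LiteralPath $d -PathType Container) { $findings += "directory present: $d" }
}

# Paul's question: anything in a Recycled directory (not the Recycle Bin) on any fixed drive?
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $r = Join-Path $_.Root 'Recycled'
    if (Test-Path -LiteralPath $r -PathType Container) {
        $count = (Get-ChildItem -LiteralPath $r -Force -ErrorAction SilentlyContinue | Measure-Object).Count
        if ($count -gt 0) { $findings += "Recycled directory with $count entries: $r" }
    }
}

# Running process and installed service the posters saw in Task Manager / Services
# Assumption: the image WMS.exe registers with the process name "WMS".
if (Get-Process -Name 'WMS' -ErrorAction SilentlyContinue) { $findings += "process running: WMS.exe" }
$svc = Get-Service -Name 'WinIP' -ErrorAction SilentlyContinue
if ($svc) { $findings += "service present: WinIP (status: $($svc.Status))" }

if ($findings.Count -eq 0) {
    Write-Output "No indicators from the thread found on $env:COMPUTERNAME"
} else {
    Write-Output "Indicators found on $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it in an elevated PowerShell session so the Windows directory and service list are readable; a hit on any line is a reason to image the machine before following the cleanup steps the thread describes, since the service entry and the Serv-U files are the evidence of how the box was being used.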
Current thread:
- new trojan Hummer Marchand (Sep 26)
- <Possible follow-ups>
- RE: new trojan Stephen Blass (Sep 26)
- Re: new trojan David (Sep 26)
- Re: new trojan Raymond Dijkxhoorn (Sep 26)
- Re: new trojan David (Sep 26)
- RE: new trojan Schmehl, Paul L (Sep 26)
- RE: new trojan Stephen Blass (Sep 26)