Full Disclosure mailing list archives

RE: new trojan


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 26 Sep 2003 17:47:30 -0500

-----Original Message-----
From: Stephen Blass [mailto:Stephen.Blass () asu edu] 
Sent: Friday, September 26, 2003 4:13 PM
To: Hummer Marchand; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] new trojan

To clean it out - we remove the WMS.exe from %sysdir% (we've 
seen it on win2k and XP) and remove the install kit from 
%sysdir%\system32\nt, the Servu* files and Serv-UID from 
%sysdir%, and delete the %sysdir%\pk32 directory.  On the 
compromised machines we have found you can see WMS.exe in the 
task manager process list and the WinIP service in the 
services list. I've not seen the BUNDLER_WMS.EXE filename yet 
so maybe you have something different or perhaps this is evolution.  

Did you find any files in the Recycled directory (not the Recycle Bin)?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
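The reply above gives a cleanup checklist (WMS.exe in %sysdir%, the install kit under %sysdir%\system32\nt, Servu* and Serv-UID, the pk32 directory) plus two things to look for on a live box (the WMS.exe process and the WinIP service), and asks about the on-disk Recycled directory. The following read-only triage script is an added example, not something posted in the thread; it reports those indicators without deleting anything, so a responder can confirm a match before running the cleanup. It assumes that %sysdir% in the mail means the Windows directory (taken here from $env:SystemRoot) and that PowerShell 3 or later is available for Get-ChildItem -File.

```powershell
# Added example, not from the mailing list thread: report-only check for the
# indicators Stephen Blass listed. Assumption: %sysdir% == $env:SystemRoot.
param(
    [string]$SysDir = $env:SystemRoot
)

$findings = @()

# 1. Process visible in Task Manager. Both names from the thread are checked,
#    since the reply notes BUNDLER_WMS.EXE may be a variant.
$procs = Get-Process -Name 'WMS', 'BUNDLER_WMS' -ErrorAction SilentlyContinue
foreach ($proc in $procs) {
    $findings += "Process $($proc.ProcessName).exe running (PID $($proc.Id))"
}

# 2. The WinIP service named in the thread
$svc = Get-Service -Name 'WinIP' -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service 'WinIP' present (status: $($svc.Status))"
}

# 3. Files and directories from the cleanup steps (exact names)
$paths = @(
    (Join-Path $SysDir 'WMS.exe'),
    (Join-Path $SysDir 'system32\nt'),   # install kit directory per the mail
    (Join-Path $SysDir 'Serv-UID'),
    (Join-Path $SysDir 'pk32')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Artifact present: $p" }
}

# Servu* is a wildcard, so enumerate rather than Test-Path a single name
Get-ChildItem -Path $SysDir -Filter 'Servu*' -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Artifact present: $($_.FullName)" }

# 4. The Recycled folder Paul asks about: the on-disk directory on each
#    drive root, not the shell's Recycle Bin view. Contents are counted,
#    not removed, so they can be preserved for analysis.
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $rec = Join-Path $_.Root 'Recycled'
    if (Test-Path -LiteralPath $rec) {
        $n = (Get-ChildItem -LiteralPath $rec -Force -Recurse -File `
                -ErrorAction SilentlyContinue | Measure-Object).Count
        if ($n -gt 0) { $findings += "$n file(s) under $rec (inspect before deleting)" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No indicators from the thread found on $env:COMPUTERNAME"
} else {
    Write-Output "Indicators found on $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated prompt so the system directory and every drive root are readable; a host that reports the WMS.exe process and the WinIP service together with the files under $env:SystemRoot matches the pattern described in the thread and is a candidate for the cleanup steps above, ideally after the artifacts have been copied off for analysis.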
