Full Disclosure mailing list archives
Re: AMDPatchB & InstallStub
From: "Russell Kaiser" <RKaiser () gwm sc edu>
Date: Wed, 17 Sep 2003 16:35:53 -0400
Might be a variant of W32/Gaobot. This worm connects to an IRC server on TCP port 9900. Looking at the Auth/Ident response from the server it looks like an IRC server.

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.html
http://vil.nai.com/vil/content/v_100611.htm

Russell Kaiser
Network Security Engineer
Computer Services
University of South Carolina

"Michael Linke" <ml () intract org> 9/17/2003 3:05:33 PM >>>
At one of our Computers with Internet Access, I found a strange program running.
amdpatchB.exe(38 KB)
This program is trying to get Internet Access while starting.
amdpatchB.exe is connecting 63.246.134.50:9900.

There is a text based protocol running on 63.246.134.50 at a service on port 9900.
See Telnet output:
________________________________________________________
telnet 63.246.134.50 9900
Trying 63.246.134.50...
Connected to 63.246.134.50.
Escape character is '^]'.
NOTICE AUTH :*** Looking up your hostname
NOTICE AUTH :*** Checking Ident
NOTICE AUTH :*** Found your hostname
help
:Drones2.newiso.org 451 * :Register first.
_________________________________________________________

I used Google to look for this filename but got no result.
Any ideas what this is?

Regards,
Michael

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
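
Added example, not written by either poster: a Python check that parses captured service output, such as the telnet session quoted above, as RFC 1459 IRC messages and reports IRC server indicators seen on a port outside an expected set. The function names and the EXPECTED_IRC_PORTS set are assumptions made for illustration.

```python
import re

# RFC 1459 message shape: [":" prefix SP] command [SP params] [SP ":" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) +)?(?P<cmd>[A-Za-z]+|\d{3})(?P<rest>(?: .*)?)$")

# Assumption: ports where IRC is expected at this site (194 is the IANA
# assignment; 6660-6669, 6697 and 7000 are common conventions).
EXPECTED_IRC_PORTS = {194, 6697, 7000} | set(range(6660, 6670))

# Constructed input: the telnet session quoted in the message above.
SAMPLE_SESSION = """\
Trying 63.246.134.50...
Connected to 63.246.134.50.
Escape character is '^]'.
NOTICE AUTH :*** Looking up your hostname
NOTICE AUTH :*** Checking Ident
NOTICE AUTH :*** Found your hostname
help
:Drones2.newiso.org 451 * :Register first.
"""

def parse_irc_line(line):
    """Return (prefix, command, params), or None if the line is not IRC-shaped."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rest = m.group("rest").lstrip(" ")
    if rest.startswith(":"):          # only a trailing parameter
        head, sep, trailing = "", ":", rest[1:]
    else:
        head, sep, trailing = rest.partition(" :")
    return m.group("prefix"), m.group("cmd").upper(), head.split() + ([trailing] if sep else [])

def classify_session(text, port):
    """Collect IRC server indicators from captured service output."""
    evidence, servers = [], set()
    for line in text.splitlines():
        parsed = parse_irc_line(line)
        if parsed is None:
            continue
        prefix, cmd, params = parsed
        if cmd == "NOTICE" and params[:1] == ["AUTH"]:
            evidence.append("pre-registration NOTICE AUTH")
        elif cmd.isdigit() and prefix:  # e.g. 451 = ERR_NOTREGISTERED
            evidence.append(f"numeric reply {cmd} from {prefix}")
            servers.add(prefix)
    return {"is_irc": bool(evidence), "servers": sorted(servers), "evidence": evidence,
            "unexpected_port": bool(evidence) and port not in EXPECTED_IRC_PORTS}
```

Telnet client chatter and the typed "help" line parse loosely as commands but carry no indicator, so only the three NOTICE AUTH lines and the 451 reply count as evidence.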