Full Disclosure mailing list archives
Re: List of worm and trojan files
From: Kevin <kkadow () gmail com>
Date: Thu, 23 Dec 2004 23:03:39 -0600
Carilda A Thomas <cat () the-cat com> wrote:

> I have been looking but I cannot find a list all in one place of the various illegitimate files that various worms and trojans install into Microsoft systems.

What'd really help here is a list of MD5 checks for "known bad" binaries. Obviously a custom build of sdbot or just a simple hexedit would defeat this, but such a list would still have value against automated attacks, etc.

> Perhaps I should clarify about this list thing: A friend of mine is apparently running a rogue email server and a rogue ftp server, and none of the virus checkers we have tried will determine what program or where. I looked for a windows equivalent to lsof but there doesn't appear to be one -

Sysinternals has applications that, taken in combination, do much of what 'lsof' does under Unix. Specifically, tcpview (http://www.sysinternals.com/ntw2k/source/tcpview.shtml) will show you any listening sockets, the associated process, and the location from which the process launched. This should suffice to locate a rogue FTP service on a Windows PC.

> the one I found can only determine the program if it sees a packet go by and cannot find a quiescent program. The A/V checkers do not flag an email server, considering it a legitimate program. Task manager is also destroyed, so there is no help there. I was hoping to find a list of illegitimate files for which I could check.

Assuming the attacker is competent, the only way to "clean" a deeply compromised machine is to reformat the drive and start from scratch. The truly paranoid will question whether just formatting the drive is sufficient.

Kevin Kadow

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
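An added example, not part of this thread or of the Sysinternals tools it mentions: a PowerShell script that does on a modern Windows host what the reply describes doing with tcpview (listening socket, owning process, executable path) and also computes the MD5 of each listening executable so it can be compared against the kind of "known bad" hash list discussed above. It assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`), an elevated shell so that paths of system processes are readable, and a placeholder hash list that you replace with your own.

```powershell
# Added example, not code from the thread. Enumerates listening TCP sockets,
# maps each to its owning process and on-disk executable, and reports the
# executable's MD5 and Authenticode status. A quiescent rogue FTP or mail
# daemon still holds its listening socket, so it shows up here even when
# no packet is in flight.

# Constructed placeholder list: replace with real known-bad MD5 values.
$KnownBadMd5 = @('00000000000000000000000000000000')

function Get-ListenerReport {
    $listeners = Get-NetTCPConnection -State Listen | Sort-Object LocalPort
    foreach ($conn in $listeners) {
        # Owning process may have exited between the two queries.
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $path = if ($proc -and $proc.Path) { $proc.Path } else { $null }
        $md5 = $null
        $sigStatus = 'n/a'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
            $sigStatus = (Get-AuthenticodeSignature -LiteralPath $path).Status
        }
        [pscustomobject]@{
            Port     = $conn.LocalPort
            Address  = $conn.LocalAddress
            PID      = $conn.OwningProcess
            Process  = if ($proc) { $proc.ProcessName } else { '(exited)' }
            Path     = if ($path) { $path } else { '(unavailable)' }
            MD5      = $md5
            Signed   = $sigStatus
            KnownBad = [bool]($md5 -and ($KnownBadMd5 -contains $md5))
        }
    }
}

# Unexpected listeners on 21 (FTP) or 25 (SMTP), unsigned binaries, or
# executables living outside %SystemRoot% / Program Files deserve a closer look.
Get-ListenerReport | Format-Table -AutoSize
```

The MD5 comparison has exactly the limitation the reply notes: a rebuilt or hex-edited binary gets a new hash, so treat an unmatched hash as "unknown", not "clean".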
Current thread:
- List of worm and trojan files Carilda A Thomas (Dec 22)
- Re: List of worm and trojan files Matt McCormack (Dec 22)
- <Possible follow-ups>
- Re: List of worm and trojan files Carilda A Thomas (Dec 23)
- Re: List of worm and trojan files Barrie Dempster (Dec 24)
- Re: List of worm and trojan files Kevin (Dec 24)
- Re: List of worm and trojan files GuidoZ (Dec 28)
- RE: List of worm and trojan files ALD, Aditya, Aditya Lalit Deshmukh (Dec 24)
- Re: List of worm and trojan files Sam Gentle (Dec 24)
- RE: List of worm and trojan files Todd Towles (Dec 29)