Full Disclosure mailing list archives
Re: Any idea about that?
From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 10 Sep 2004 04:30:21 -0700 (PDT)
> I received this file through email (Yahoo); nothing was detected from Yahoo or NAV 2003. According to my understanding this is some kind of worm or irc-bot. I found this file making connections on port 6667 6660 and opening major important ports on the infected PC. Has anyone seen this before?
Interesting post...almost no information at all (notice I said *almost*). You get a file and simply post it to the 'net. Didn't we just go through a whole thing about where you can go to post this sort of thing? Weren't links posted to several sites one could go to?

Also, the best you were able to provide is "making connections on port 6667 6660 and opening major important ports on the infected PC." Is that it? What are these "important ports"?

What about any file analysis on your own? Strings? Did you look for any embedded information, such as file version info, or evidence of the use of UPX?

Since you seem to have opened and run the bot, did you happen to run something like InControl5 in order to see what changes were made to your system by this thing?
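The static checks suggested in the reply above (strings, evidence of UPX), as an added example that is not part of the original post. The function names, the IRC keyword pattern and the inert sample bytes are constructed for illustration.

```python
import re
import struct

def extract_strings(data, min_len=5):
    """ASCII runs of at least min_len printable bytes, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def pe_section_names(data):
    """Section names from the PE section table; [] if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or pe_off + 24 > len(data):
        return []
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                     # first section header
    names = []
    for i in range(n_sections):
        entry = data[table + 40 * i: table + 40 * i + 40]
        if len(entry) < 40:
            break  # truncated section table
        names.append(entry[:8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def triage(data):
    """Summarise packer evidence and IRC-looking strings (assumed keyword list)."""
    sections = pe_section_names(data)
    irc = re.compile(r"\b(NICK|JOIN|PRIVMSG|USER)\b|:666\d\b")
    return {
        "sections": sections,
        "upx_packed": any(s.startswith("UPX") for s in sections) or b"UPX!" in data,
        "irc_strings": [s for s in extract_strings(data) if irc.search(s)],
    }

def build_sample():
    """Constructed, inert PE-shaped bytes (not a real executable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    sects = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in (b"UPX0", b"UPX1"))
    body = b"\x00\x01JOIN #constructed-channel\x00irc.example.invalid:6667\x00"
    return dos + coff + sects + body

if __name__ == "__main__":
    print(triage(build_sample()))
```

On a UPX-packed file the strings output is mostly the unpacking stub, so a positive `upx_packed` result means the string list is incomplete until the file is unpacked.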