Full Disclosure mailing list archives

Re: Any idea about that?


From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 10 Sep 2004 04:30:21 -0700 (PDT)


> I received this file through email (Yahoo) nothing was detected from
> Yahoo or NAV 2003. According to my understanding this is some kind of
> worm or irc-bot. I found this file making connections on port 6667
> 6660 and opening major important ports on the infected PC.
>
> Any one has seen this before?

Interesting post...almost no information at all
(notice I said *almost*).  

You get a file and simply post it to the 'net.  Didn't
we just go through a whole thing about where you can
go to post this sort of thing?  Weren't links posted
to several sites one could go to?

Also, the best you were able to provide is "making
connections on port 6667 6660 and opening major
important ports on the infected PC."  Is that it? 
What are these "important ports"?  

What about any file analysis on your own?  Strings? 
Did you look for any embedded information, such as
file version info, or evidence of the use of UPX? 
Since you seem to have opened and run the bot, did you
happen to run something like InControl5 in order to
see what changes were made to your system by this thing?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
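
The static checks the message asks about (strings, embedded version info, evidence of UPX) can be scripted. The sketch below is an added example, not part of the original post; the function names and the header-only sample file are constructed for illustration, and the UPX test is a heuristic based on the packer's default markers.

```python
import re
import struct

def pe_sections(data):
    """Return PE section names, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        return None
    nsect, = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    names = []
    for i in range(nsect):
        raw = data[table + 40 * i: table + 40 * i + 8]       # 40-byte entries, 8-byte name
        if len(raw) < 8:
            break                                            # truncated section table
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def ascii_strings(data, min_len=4):
    """Printable ASCII runs, like the `strings` utility."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data):
    sections = pe_sections(data)
    names = sections or []
    return {
        "is_pe": sections is not None,
        "sections": names,
        # Heuristic: UPX's default section names / magic; a modified packer can rename them.
        "upx": any(n.startswith("UPX") for n in names) or b"UPX!" in data,
        # A version resource stores this key as UTF-16LE text.
        "version_info": "VS_VERSION_INFO".encode("utf-16-le") in data,
        # IRC client commands, relevant because of the port 6667/6660 traffic reported.
        "irc_strings": [s for s in ascii_strings(data)
                        if re.search(r"\b(NICK|JOIN|PRIVMSG)\b", s)],
    }

def build_sample():
    """Constructed header-only PE skeleton (no code), for demonstration."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    sects = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in (b"UPX0", b"UPX1"))
    return (dos + coff + sects + b"JOIN #constructed-channel\0"
            + "VS_VERSION_INFO".encode("utf-16-le"))

if __name__ == "__main__":
    print(triage(build_sample()))
```
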

