Re: "Bla 1.1 Trojan"

[Thierry <thierry () PURGE-IT COM>]

David Bailey wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> These are what I found on it. I did not dig any further into the
> sites (the second one was in French) but hopefully they should be a
> good start.
> http://perso.respublica.fr/kankan/bla.htm
> http://perso.respublica.fr/kankan/bla11.htm
>
> ==============================
> Are You Secure?
> Would You Bet On It?
> ==============================
> David A. Bailey
> Information Systems Technician
> (United States Navy Retired)
> ==============================
>
> - -----Original Message-----
> From:   LOS Ralph [SMTP:rlos () ENVESTNET COM]
> Sent:   Friday, November 03, 2000 10:21 AM
> To:     INCIDENTS () SECURITYFOCUS COM
> Subject:        [INCIDENTS] "Bla 1.1 Trojan"
>
> I just did a portscan of one of my mail servers and came up with port
> 1042
> open with the port labeled as "Bla 1.1 Trojan".  ANY clue what this
> is?  I
> can't find anything on this one on any security sites (maybe my
> search is
> flawed?)

This downladsite you are referencing (see lower right link) is part of
TLSecurity.
Pay Attention ! The client for BLA is backdoored (trojaned) itself, it
sends of your cached passes to an free mail account.


> Can someone give me a clue?
>
> Ralph M. Los
> Internet Systems & Security Admin.          (312) 827-3945 (direct)
> EnvestNet Advisory Corp.                          (312) 296-9003
> (wireless)
>
> rlos () envestnet com
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBOgRbWLDT5E54atwQEQJYKQCeKC2CQFgrq1kjm8hu6pnN+Hcg30IAoM0o
> t7NpRZy0hGXgGIDTkpx3gmD0
> =qtAK
> -----END PGP SIGNATURE-----