Security Incidents mailing list archives

Re: Name that Trojan


From: Blake Frantz <blake () mc net>
Date: Wed, 9 Jan 2002 16:26:12 -0600 (CST)


Where was the file found?  Did you scan it with A/V?  Was it running?  If
so, does it bind to a port?

Have you looked in the usual places where applications can start up on
boot?  i.e. registry, startup folder, services, boot scripts, etc.  You
might find more information in those places that can help determine what
is happening to your box.

Also, did you 'strings' the binary?

-Blake  

On Wed, 9 Jan 2002, Nutcase_69 wrote:

We have an application server running NT 4.0.  We found the file serv.exe on
it and I know that this could be an indication of a Trojan.  We deleted the
file and when we rebooted, the file re-appeared.  I am trying to find out if
anybody knows what Trojan might display this activity?  I thought it was
freak but that seemed old and I didn't think that it could regenerate the
.exe.  Any answers?

Cheers,
Eric

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
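Added example, not part of the original thread: one way to run the autostart check suggested in the reply is to export the registry to text (REGEDIT4 format on NT 4.0) and search the boot and logon keys for values that reference the reappearing file. The sample export, the value names and the `SrvHelper` service below are constructed for illustration.

```python
import re

# Registry locations on Windows NT that can relaunch a program at boot or logon.
AUTOSTART_KEYS = (
    r"\software\microsoft\windows\currentversion\run",  # substring also covers RunOnce
    r"\software\microsoft\windows nt\currentversion\winlogon",
    r"\software\microsoft\windows nt\currentversion\windows",
    r"\system\currentcontrolset\services",
)

# Constructed sample in REGEDIT4 export format (string data doubles its backslashes).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Service Host"="C:\\WINNT\\system32\\serv.exe /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="userinit,nddeagnt.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrvHelper]
"ImagePath"="C:\\WINNT\\serv.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"LastFile"="C:\\temp\\serv.exe"
'''

def find_autostart_refs(export_text, filename):
    """Return (key, value_name, data) for autostart values that mention filename."""
    hits, key = [], None
    needle = filename.lower()
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember the key the following values belong to
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not (m and key) or not any(k in key.lower() for k in AUTOSTART_KEYS):
            continue                  # not a value line, or not an autostart location
        name, data = m.group(1).strip('"'), m.group(2)
        if data.startswith('"'):      # string value: drop quotes, undo export escaping
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        if needle in data.lower():
            hits.append((key, name, data))
    return hits
```

Calling `find_autostart_refs(SAMPLE_EXPORT, "serv.exe")` reports the Run value and the service ImagePath but not the reference under the non-autostart `Example\Settings` key.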





