Security Incidents mailing list archives
Re: Name that Trojan
From: Blake Frantz <blake () mc net>
Date: Wed, 9 Jan 2002 16:26:12 -0600 (CST)
Where was the file found? Did you scan it with A/V? Was it running? If so, does it bind to a port? Have you looked in the usual places where applications can start up on boot? i.e registry, startup folder, services, boot scripts, etc. You might find more information in those places that can help determine what is happening to your box. Also, Did you 'strings' the binary? -Blake On Wed, 9 Jan 2002, Nutcase_69 wrote:
We have an application server running NT 4.0. We found the file serv.exe on it and I know that this could be an indication of a Trojan. We deleteed the file and when we rebooted, the file re-appeared. I trying to find out if anybody know what Trojan might display this activity? I thaught it was freak but that seemed old and I didn''t think that it could regenerate the .exe Any Answers? Cheers, Eric ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Name that Trojan Nutcase_69 (Jan 09)
- Re: Name that Trojan Hugo van der Kooij (Jan 09)
- Re: Name that Trojan Blake Frantz (Jan 09)
- <Possible follow-ups>
- RE: Name that Trojan Kester, Kelly (Jan 09)
- RE: Name that Trojan Michael Ward (Jan 09)