Security Incidents mailing list archives

Re: New Trojan


From: Damian Gerow <damian () sentex net>
Date: Tue, 28 Oct 2003 13:17:33 -0500

An update...

Part of our dealing with spamming customers is to move them into a smaller
IP block for their DSL connection, that denies inbound TCP SYN packets.
Well, earlier this morning, one of our special ip-pool customers was caught
spamming.  He most definitely didn't do it himself, and he is infected with
this trojan.  I'm trying to figure out if the two (this morning's spam
attempt and the trojan) are related, or if perhaps he's infected with some
remote control IRC trojan as well.

I also just completed a UDP port scan of the infected host, which was
completely useless.  My screen buffer only goes back so far, but every port
from 64367 and up is marked as 'open'.  :(

  - Damian
