Security Incidents mailing list archives
analysis of Troj/Winser-A
From: Steve Friedl <steve () unixwiz net>
Date: Thu, 6 Jan 2005 22:18:27 -0800
Hello all,

The WINS worm that is running around was identified by Sophos as "Troj/Winser-A", but I've not seen much discussion of the technical details save for talk of the SNORT rules.

Lawrence Baldwin of www.MyNetWatchman.com captured this thing, and I've been taking it apart over the last few days. It comes in two parts - a standalone exploit program, plus a much larger IRC bot-type program.

My work-in-progress can be found here:

http://www.unixwiz.net/research/winser-a.html

If others have posted better analysis, I'd love to know about it so I don't waste any more time :-)

Steve

--
Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve () unixwiz net