Re: winhe800 trjoan

[Joel Esler <jesler () sourcefire com>]

Crusty,

We've pulled the sample and we're working on it now.

Thanks

Joel

On Aug 19, 2011, at 6:40 AM, Crusty Saint wrote:

> Hi,
>
> I've just come across a machine which has been repeatedly infected with a more or less recent Trojan recognisable by 
> the winhe800.exe filename.
>
> Little information exists and is not 100% consistent. Evidence was deleted by over zealous admin so i cannot simply 
> try and build a custom rule for this.
>
> Anyone out there having a resource or rule available for usage ? I've found reference to dropper but no usefull sig 
> in the ruleset(s). Also no usefull result in threatexpert, virustotal or others.
>
> No specific rule for winhe800.exe etc.
>
> Resources 
>
> ( only works from webcache )  
> http://webcache.googleusercontent.com/search?q=cache:HvFwmWx3I2EJ:xml.ssdsandbox.net/view/bf7b927f7e737a49cb46c25a447fa254+winhe800+url&cd=3&hl=nl&ct=clnk&gl=nl&source=www.google.nl
>
> http://home.mcafee.com/virusinfo/virusprofile.aspx?key=556848#none
> http://vil.nai.com/vil/content/v_472810.htm
>
> http://download.globalhauri.com/customer/security/virus_view.html?intSeq=2251&page=14&keyfield=&key=&SelectPart=
> http://www.hauri.co.kr/customer/security/virus_view.html?intSeq=2251&page=12&keyfield=&key=&SelectPart=1
>
>
> Best Regards,
>
> S.C.
>
> -- 
> - - -
> Security Engineer - Tags: Analyst Systems Security Linux Firewall Network Web Troubleshooting - If you think I 
> deserve a rant, write me off-list
>
> ------------------------------------------------------------------------------
> Get a FREE DOWNLOAD! and learn more about uberSVN rich system, 
> user administration capabilities and model configuration. Take 
> the hassle out of deploying and managing Subversion and the 
> tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

Attachment: smime.p7s
Description:

------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system, 
user administration capabilities and model configuration. Take 
the hassle out of deploying and managing Subversion and the 
tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!