Bugtraq mailing list archives

Re: EMAILed Trojan


From: wamsljr () COLTANO STORTEK COM (Jim Wamsley 303-673-8163)
Date: Thu, 18 Feb 1999 16:28:01 -0700


We have discovered two mutants to the ie0199.exe trojan.

In the first mutant, the targeted host was hpns.infotel.bg, rather than
www.infotel.bg.  It seems to look at only a handful of well-known sockets.

The second mutant is more malicious.  It generates random IP addresses in
the 212.39 and 195.138 address spaces, with socket numbers in a range of 1-199.

Neither mutant touched the sndvol32.exe file.

Someone really has it out for infotel.bg.

[ Jim Wamsley, Network Engineering                             ]
[ StorageTek 2270 S. 88th St, M.S. 4380, Louisville, CO 80028  ]
[ Audible:  (303) 673-8163    Logical jim_wamsley () stortek com  ]
[  Sed quis custodiet ipsos custodes - Juvenal, C. 100 C.E     ]
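
Added example, not part of the original post: a sketch of how a defender could flag internal hosts showing the second mutant's reported behaviour (many distinct destinations in the 212.39 and 195.138 ranges on ports 1-199) in flow records. The /16 reading of those ranges, the three-field log format, the threshold and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: "212.39 and 195.138 address spaces" are read as /16 networks.
TARGET_NETS = [ipaddress.ip_network("212.39.0.0/16"),
               ipaddress.ip_network("195.138.0.0/16")]
PORT_RANGE = range(1, 200)   # ports 1-199, as reported in the post
MIN_DISTINCT_DSTS = 5        # assumed threshold; tune for your own network

# Constructed sample flow records: "source destination dest_port"
SAMPLE_FLOWS = """\
10.1.4.23 212.39.17.201 23
10.1.4.23 195.138.44.9 80
10.1.4.23 212.39.203.77 139
10.1.4.23 195.138.7.130 21
10.1.4.23 212.39.90.12 110
10.1.4.23 195.138.250.3 7
10.1.4.50 212.39.1.1 80
10.1.4.50 212.39.1.1 25
10.1.4.50 195.138.2.2 8080
10.1.4.77 198.51.100.10 25
garbage line here extra
"""

def parse_flows(text):
    """Yield (src, dst, port) per line, skipping malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield parts[0], ipaddress.ip_address(parts[1]), int(parts[2])
        except ValueError:
            continue

def suspicious_sources(text, min_dsts=MIN_DISTINCT_DSTS):
    """Return {src: count of distinct watched destinations} at or above the threshold."""
    hits = defaultdict(set)
    for src, dst, port in parse_flows(text):
        if port in PORT_RANGE and any(dst in net for net in TARGET_NETS):
            hits[src].add(dst)
    return {s: len(d) for s, d in hits.items() if len(d) >= min_dsts}

if __name__ == "__main__":
    for src, n in sorted(suspicious_sources(SAMPLE_FLOWS).items()):
        print(f"{src}: {n} distinct watched destinations on ports 1-199")
```

Counting distinct destinations rather than raw connections keeps a host that repeatedly talks to one legitimate server in those ranges below the threshold.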


