Educause Security Discussion mailing list archives

Re: Fwd: URGENT: bot net with keylogger


From: "Dave Monnier, IT Security Office, Indiana University" <dmonnier () IU EDU>
Date: Mon, 12 Apr 2004 11:40:50 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gary Flynn wrote:
> This may or may not be related. We found two machines
> exhibiting the described behavior and both had the
> following software on them.

Gary,

That is the same.  I've identified that same location and file as the
source of the #!!edu2k4 botnet.  There is also an info.exe at that same
location the attacker "itr" is using to gather information about the
hosts after they have gained access to the machine.

Cheers,
- -Dave

- --
| Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/ |
|  Lead Security Engineer, Information Technology Security Office    |
|  Office of the VP for Information Technology, Indiana University   |
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAesaSBIf6jlONJjIRAp6oAJwNS0QVZfpFaujCcBEsKDjHFzKk+ACeN1Y2
TU3gq1LofdJQsF/Iy/nhMa0=
=qfos
-----END PGP SIGNATURE-----

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
