Firewall Wizards mailing list archives

Re: sndvol.exe


From: Gordy Thompson <gordy () nytimes com>
Date: Fri, 19 Mar 1999 18:02:08 -0500

This thing certainly seems to be making the rounds; we had a very similar experience with it about a week ago.

It's well-documented at <http://www.stanford.edu/group/itss-ccs/security/incidentinfo/ietrojan.html>, including its signature and a link to an "uninstaller" that Stanford IT cooked up.

At 04:33 PM 3/18/99 -0800, Randy Garbrick wrote:
Has anyone noticed a Trojan horse called sndvol.exe that replaces the
Win NT/9X sndvol.exe and then does a continuous port scan from inside a
firewall to multiple outside addresses?  It created a denial of service
by maxing out the sessions on our Pix.  We're trying to locate the
source of the executable.


Randy Garbrick



==========================================================================
Gordon T. Thompson                                      gordy () nytimes com
Manager, Internet Services                              212 556 1386
The New York Times                                      fax: 212 556 1636
 The Times and I have an arrangement: Neither of us speaks for the other.


