Full Disclosure mailing list archives
AW: AMDPatchB & InstallStub
From: "Michael Linke" <ml () intract org>
Date: Wed, 17 Sep 2003 23:36:10 +0200
This infected PC is only in use to administrate some servers over here using VPN lines. Here in our network there are no additional copies of this program. But this PC has access to a corporate network via VPN, and in this network I saw this file again. It crashed the moment I logged on via Windows Terminal Service. But I was not able to find the program on this machine after that. So it seems as if it came over the VPN line to our machine here.

It uses 2-4 MB of RAM, 76 handles and 2-3 threads. It was configured on our machine to load on booting using the registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Realtek 8139 fix"="amdpatchB.exe"

Regards,
Michael
_____________________

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On behalf of Peter Kruse
Sent: Wednesday, 17 September 2003 21:52
To: full-disclosure () lists netsys com
Subject: SV: [Full-Disclosure] AMDPatchB & InstallStub

Hi,

Some kind of spyware/adware installed by the user?? Maybe a legit application??

Check: http://63.246.134.50/index.php

Would be nice with a sample, thy.

Kind regards // Med venlig hilsen
Peter Kruse
Security consultant / Virus analyst
CSIS / Kruse Security ApS
http://www.krusesecurity.dk - www.csis.dk

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On behalf of Michael Linke
Sent: 17 September 2003 21:06
To: full-disclosure () lists netsys com
Subject: [Full-Disclosure] AMDPatchB & InstallStub

On one of our computers with Internet access, I found a strange program running: amdpatchB.exe (38 KB). This program is trying to get Internet access while starting. amdpatchB.exe is connecting to 63.246.134.50:9900. There is a text-based protocol running on 63.246.134.50 at a service on port 9900. See telnet output:
________________________________________________________
telnet 63.246.134.50 9900
Trying 63.246.134.50...
Connected to 63.246.134.50.
Escape character is '^]'.
NOTICE AUTH :*** Looking up your hostname
NOTICE AUTH :*** Checking Ident
NOTICE AUTH :*** Found your hostname
help
:Drones2.newiso.org 451 * :Register first.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
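The telnet session quoted in the thread is the greeting of an IRC server: "NOTICE AUTH" lines sent before registration, then numeric reply 451 (ERR_NOTREGISTERED in RFC 1459) when a command arrives before NICK/USER. As an added example that is not code from any of the posts, the Python below splits such lines into the RFC 1459 prefix/command/parameter structure and classifies a captured banner as IRC or not. The function names are this example's own; the IRC sample lines are copied from the quoted telnet output, and the HTTP comparison line is constructed.

```python
"""Parse IRC server lines (RFC 1459 message format) and classify a banner.

Added example for this thread, not code from the original posts. The IRC
sample lines are copied from the quoted telnet session; the HTTP line is a
constructed non-IRC comparison. Function names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IrcMessage:
    prefix: Optional[str]      # server name (or nick!user@host) after a leading ':'
    command: str               # e.g. NOTICE, or a 3-digit numeric reply such as 451
    params: List[str] = field(default_factory=list)


def parse_irc_line(line: str) -> IrcMessage:
    """Split one line into prefix, command and params.

    RFC 1459 2.3.1: an optional ':prefix' comes first, then the command,
    then space-separated params; a param introduced by ' :' is the trailing
    param and may contain spaces.
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        raise ValueError("empty IRC line")
    params = parts[1:]
    if sep:
        params.append(trailing)
    return IrcMessage(prefix, parts[0], params)


def classify_banner(lines: List[str]) -> Dict[str, object]:
    """Decide whether a captured banner looks like an IRC server.

    Indicators: 'NOTICE AUTH' pre-registration notices, or any prefixed
    three-digit numeric reply. 451 (ERR_NOTREGISTERED) means the server
    refused a command because the client never registered with NICK/USER.
    """
    notice_auth = False
    numerics: List[str] = []
    server: Optional[str] = None
    for raw in lines:
        if not raw.strip():
            continue
        msg = parse_irc_line(raw)
        if msg.command == "NOTICE" and msg.params and msg.params[0] == "AUTH":
            notice_auth = True
        if len(msg.command) == 3 and msg.command.isdigit() and msg.prefix:
            numerics.append(msg.command)
            server = server or msg.prefix   # numeric replies carry the server name as prefix
    return {
        "irc": notice_auth or bool(numerics),
        "server": server,
        "numerics": numerics,
        "registration_required": "451" in numerics,
    }


# Server lines copied from the quoted telnet session (the client's typed 'help' omitted).
SAMPLE_IRC_BANNER = [
    "NOTICE AUTH :*** Looking up your hostname",
    "NOTICE AUTH :*** Checking Ident",
    "NOTICE AUTH :*** Found your hostname",
    ":Drones2.newiso.org 451 * :Register first.",
]

# Constructed non-IRC banner for comparison.
SAMPLE_HTTP_BANNER = ["HTTP/1.0 400 Bad Request"]

if __name__ == "__main__":
    print(classify_banner(SAMPLE_IRC_BANNER))
    print(classify_banner(SAMPLE_HTTP_BANNER))
```

Feeding the quoted session through classify_banner yields irc=True, server "Drones2.newiso.org" and registration_required=True; the HTTP line yields irc=False. The numeric-reply check is the more reliable of the two indicators, since the server name in the prefix and the three-digit code are mandated by the protocol, whereas the "NOTICE AUTH" text is a convention of particular IRC daemons.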