Full Disclosure mailing list archives

AW: AMDPatchB & InstallStub


From: "Michael Linke" <ml () intract org>
Date: Wed, 17 Sep 2003 23:36:10 +0200

This infected PC is only used to administer some servers over here using
VPN lines. Here in our network there are no additional copies of this
program.

But this PC has access to a corporate network via VPN, and in this network I
saw this file again. It crashed the moment I logged on via Windows
Terminal Services. But I was not able to find the program on this machine
after that.

So it seems as if it came over the VPN line to our machine here.

It uses 2-4 MB of RAM, 76 handles and 2-3 threads.
It was configured on our machine to load at boot using the registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Realtek 8139 fix"="amdpatchB.exe"

Regards,
Michael

_____________________

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On behalf of Peter Kruse
Sent: Wednesday, 17 September 2003 21:52
To: full-disclosure () lists netsys com
Subject: SV: [Full-Disclosure] AMDPatchB & InstallStub

Hi,

Some kind of spyware/adware installed by the user??
Maybe a legit application??

Check: http://63.246.134.50/index.php

Would be nice with a sample, thy.

Kind regards // Med venlig hilsen

Peter Kruse
Securityconsultant / Virusanalyst
CSIS / Kruse Security ApS
http://www.krusesecurity.dk - www.csis.dk

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On behalf of
Michael Linke
Sent: 17 September 2003 21:06
To: full-disclosure () lists netsys com
Subject: [Full-Disclosure] AMDPatchB & InstallStub


At one of our computers with Internet access, I found a
strange program running:
amdpatchB.exe (38 KB)

This program tries to get Internet access while starting.
amdpatchB.exe connects to 63.246.134.50:9900. There is a
text-based protocol running on 63.246.134.50 on a service on
port 9900. See the telnet output:
________________________________________________________
telnet 63.246.134.50 9900
Trying 63.246.134.50...
Connected to 63.246.134.50.
Escape character is '^]'.
NOTICE AUTH :*** Looking up your hostname
NOTICE AUTH :*** Checking Ident
NOTICE AUTH :*** Found your hostname
help
:Drones2.newiso.org 451 *  :Register first. 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
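The telnet transcript in the first post is an IRC server handshake: pre-registration `NOTICE AUTH` lines followed by numeric reply 451 (ERR_NOTREGISTERED) from a server calling itself Drones2.newiso.org. As an added example that is not part of any post in this thread, the script below parses captured banner lines as RFC 1459 messages and labels the service as IRC, extracting the server's self-reported name so an unknown-port connection like this one can be tagged during triage. The sample transcript is re-typed from the post; the SMTP and SSH lines in the test are constructed negatives.

```python
import re

# Constructed sample: the telnet session from the list post, re-typed
# (the client keystroke "help" is kept, as in the original).
CAPTURED_SESSION = [
    "Trying 63.246.134.50...",
    "Connected to 63.246.134.50.",
    "Escape character is '^]'.",
    "NOTICE AUTH :*** Looking up your hostname",
    "NOTICE AUTH :*** Checking Ident",
    "NOTICE AUTH :*** Found your hostname",
    "help",
    ":Drones2.newiso.org 451 *  :Register first.",
]

# RFC 1459 message: [':' prefix SPACE] command {SPACE middle} [SPACE ':' trailing]
_IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?"        # optional ':'-prefixed origin
    r"(?P<command>[A-Za-z]+|\d{3})"     # command word or 3-digit numeric
    r"(?P<params>(?:\s+[^:\s]\S*)*)"    # middle params never start with ':'
    r"(?:\s+:(?P<trailing>.*))?"        # optional trailing param (may hold spaces)
    r"\s*$"
)

def parse_irc_line(line):
    """Split one line into prefix, command and params; None if not message-shaped."""
    m = _IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    params = m.group("params").split()
    if m.group("trailing") is not None:
        params.append(m.group("trailing"))
    return {"prefix": m.group("prefix"), "command": m.group("command").upper(),
            "params": params}

def classify_banner(lines):
    """Heuristic: 'NOTICE AUTH' notices or a *prefixed* 3-digit numeric reply
    mark an IRC daemon. Requiring the prefix keeps SMTP/FTP '220 ...' banners
    from matching. The first numeric's prefix is the server's own name."""
    notice_auth, numerics, server = 0, [], None
    for line in lines:
        msg = parse_irc_line(line)
        if msg is None:
            continue
        if msg["command"] == "NOTICE" and msg["params"][:1] == ["AUTH"]:
            notice_auth += 1
        elif msg["command"].isdigit() and msg["prefix"]:
            numerics.append(int(msg["command"]))
            server = server or msg["prefix"]
    return {"is_irc": notice_auth > 0 or bool(numerics), "server": server,
            "numerics": numerics, "needs_registration": 451 in numerics}
```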
