Security Incidents mailing list archives

Win 95 - The answer


From: emaiwald () FRED NET (Eric Miawald)
Date: Wed, 23 Feb 2000 16:01:50 -0500


Thanks to all who provided suggestions.  It ended up being Pretty Park.

Just a few points - it was found because the security admin at the
site was able to see an infection in real time.

Norton noticed the original executable in the email but DID NOT pick
it up after installation.

Some info about it that is not on the Norton Site:

-Most traffic goes to the following sites:
193.55.113.134  zafira.eurecom.fr
206.252.192.20  irc.stealth.net
207.152.95.10   mist.cifnet.com

-Other traffic (without payloads) goes to these sites:
193.104.34.37  irc1.emn.fr
194.158.96.24  desormais.utilisez.ircnet.grolier.net
194.158.96.47  ircnet.grolier.net
195.101.196.14 irc.twiny.net
195.238.2.19   krameria.skybel.net
195.40.6.1     banana.irc.easynet.net
204.247.0.124  irc.ncal.verio.net

Eric

---------------------------------------------------------------------
Eric Maiwald                                        emaiwald () fred net
So Many Hobbies, So little time
---------------------------------------------------------------------

