Security Incidents mailing list archives
Re: W32.Badtrans.B@mm
From: Marc Fossi <mfossi () securityfocus com>
Date: Mon, 26 Nov 2001 14:46:48 -0700 (MST)

"It drops a keyboard hooker with the KDLL.DLL name, and sends stolen info to the "uckyjw () hotmail com" e-mail address. The log info is stored in the Windows system directory with the CP_25389.NLS name."

http://www.viruslist.com/eng/default.asp?tnews=12&nview=1&id=1255&page=0
(url may be wrapped)

"The worm uses the default account and the default SMTP server of the local machine. This information can be found in the following registry entries:"

http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=WORM_BADTRANS.B&VSect=T
(url may be wrapped)

Marc Fossi, MCSE
SecurityFocus
www.securityfocus.com

On Mon, 26 Nov 2001, Liudvikas Bukys wrote:
I am dismayed to find that ALL of the anti-virus vendors have decided to limit their "tech details" so much that I can't find a published account of how the keyboard-logging trojan contacts the outside world.

It would be helpful to know what hosts or names it connects out to, without having to wait for a "live one" to appear before I find out.

Does anybody here know?

Liudvikas Bukys
bukys () rochester edu

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com