Security Incidents mailing list archives

Re: strange windows behaviour.


From: Derek <infosec_guy2003 () yahoo com>
Date: Mon, 13 Oct 2003 15:57:44 -0700 (PDT)

Some strange stuff in the strings, like what looks like an automated
IRC script for a Russian guy to pick up women.  Hmm.

Derek

-----Original Message-----
From: J Mike Rollins [mailto:rollins () wfu edu] 
Sent: Friday, October 10, 2003 8:50 AM
To: Fabio Panigatti
Cc: incidents () securityfocus com
Subject: Re: strange windows behaviour.

The rundll32 path\to\the\trojan.dll,Uninstall does seem to remove 
the entries from the registry.  However, the stream is still on 
the system. Something like, "echo A > C:\path\to:trojan.dll"
will clobber it.

A comment on how to un-install this is in the comments of the 
program. Along with a bunch of other interesting text. I have
posted the strings from the trojan on a web page:

      http://www.wfu.edu/~rollins/trojan.txt

However, I am not sure that I feel safe after un-installing it this way.
If this is a backdoor program, who knows what else might have been done
to the system.





---------------------------------------------------------------------------
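
The `C:\path\to:trojan.dll` form in the quoted message is NTFS alternate data stream syntax, which is why the DLL stays on disk after its registry entries are removed. The following PowerShell sketch is an added example, not part of the original posts or of the program they discuss: it lists non-default streams under a directory and marks those that start with a PE header. The `$Root` parameter and the output column names are assumptions made for illustration.

```powershell
# Added example: enumerate NTFS alternate data streams (ADS) under a
# directory and flag streams whose first two bytes are "MZ" (PE header).
param(
    # Assumption: the directory under investigation, supplied by the analyst.
    [Parameter(Mandatory)]
    [string]$Root
)

# Reading raw bytes uses -AsByteStream in PowerShell 6+ and
# -Encoding Byte in Windows PowerShell 5.1.
$byteMode = if ($PSVersionTable.PSVersion.Major -ge 6) {
    @{ AsByteStream = $true }
} else {
    @{ Encoding = 'Byte' }
}

$findings = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -Stream * returns one object per stream, including the default one.
        Get-Item -LiteralPath $_.FullName -Stream * -Force -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.Stream -ne ':$DATA' } |   # skip the normal file content
    ForEach-Object {
        # Read only the first two bytes of the named stream.
        $head = @(Get-Content -LiteralPath $_.FileName -Stream $_.Stream `
                    -TotalCount 2 @byteMode -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            File        = $_.FileName
            Stream      = $_.Stream
            Length      = $_.Length
            LooksLikePE = ($head.Count -eq 2 -and
                           $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
        }
    }

# Executable-looking streams first; benign streams such as Zone.Identifier
# sort below them.
$findings | Sort-Object LooksLikePE -Descending | Format-Table -AutoSize
```

Older PowerShell versions may not list streams attached to a directory rather than a file; `dir /r` in cmd.exe shows those as well.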