Security Incidents mailing list archives

analysis of Troj/Winser-A


From: Steve Friedl <steve () unixwiz net>
Date: Thu, 6 Jan 2005 22:18:27 -0800

Hello all,

The WINS worm that is running around was identified by Sophos as
"Troj/Winser-A", but I've not seen much discussion of the technical
details save for talk of the SNORT rules.

Lawrence Baldwin of www.MyNetWatchman.com captured this thing, and I've
been taking it apart over the last few days. It comes in two parts -
a standalone exploit program, plus a much larger IRC bot-type program.

My work-in-progress can be found here:

        http://www.unixwiz.net/research/winser-a.html

If others have posted better analysis, I'd love to know about it so I
don't waste any more time :-)

Steve

-- 
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | steve () unixwiz net
