nanog mailing list archives

Re: tcp port 8311?


From: Dean Robb <pceasy () norfolk infi net>
Date: Sat, 06 May 2000 21:40:14 -0400


At 12:06 PM 5/3/00 -0700, K. Graham wrote:

What is the name of the log file that is generated from this program?
Where is the log file placed in the system?  Did you check to see if
there are any residual traces of the programs in the registry? If so
where?  Do you know the name(s) of the *.vbs you have encountered?

Only one gave me solidly useful clues:

All the traces were n.*...the * being various VisualBasic-related
extensions.  The one that gave me useful info was n.log - showed the modem
log and dialout times, etc, but not a list of what was transmitted.  The
number the modem dialed was XXX'd out; and the transmission stats showed
the 10megs.  The end user confirmed that, although he was doing some VB6
programming for a class, it wasn't his script and that no one was home at
the time the dialout occurred.

Unfortunately, the system was unstable as hell and I was lucky to get this
data before it crashed completely; W98 wouldn't load at all because of
(suspected) corrupted files. Before it crashed completely (and the reason
the end user called me) was that upon W98 boot, a system error would be
displayed saying RPCSS.dll had caused a GP fault in OLE32 and then a VB
debug session would start and freeze.

The other encounter showed similar symptoms but left no clues that I could
find.

Virus_Research () NAI com,  samples () f-secure com, and support () sophos com
all are addresses where suspect files can be sent.  They prefer them in
a zip format before accepting them. 

If I'd been able to get samples, I'd surely forward them.  Bet these
clients keep their McAfee updated and running from now on :).



"Microsoft is not a monopoly!" - Bill Gates   "HA!" - Judge Jackson

Dean Robb
Owner, PC-EASY 
(757) 495-EASY [3279]
On-site computer services
Member, ICANN @Large


