Penetration Testing mailing list archives

Re: [PEN-TEST] Suspect .EXE Trojan


From: Steve Goldsby <sgoldsby () INTEGRATE-U COM>
Date: Thu, 14 Dec 2000 13:36:36 -0600

You might try running ZoneAlarm.  It will pop up whenever a never-before-seen
program tries to open a network connection, and ask you if you wish to
allow/disallow that connection.  This is a good way to see who's talking to
the world without your consent.  I've used it to find trojans in the past.

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf
Of Ruso, Anthony
Sent: Thursday, December 14, 2000 12:59 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Suspect .EXE Trojan


Hi,

I have a suspect executable that I think may be a Trojan. A search on the
.exe doesn't return any result with any virus vendor. Are there any tools
that would allow me to execute the file in isolation and actually see what's
going on? The file was already executed on two workstations and it killed
Outlook in both cases. I know I can use Tripwire and similar products to see
what files it makes changes to, but I don't want to risk killing Outlook
again.

Thanks

Anthony Ruso

