Security Incidents mailing list archives
Trojan found...
From: Les Ault <aultl () comcast net>
Date: Tue, 15 Apr 2003 19:24:49 -0500
Whilst patching my webserver this morning I found the following files in the root directory of my webserver. Has anyone seen this trojan before? I have done some googling and checked the securityfocus website with no luck. It appears to use the unicode IIS exploit. I only got hit because I just re-installed IIS yesterday :). Needless to say, the trojan did not execute, as I have done some very basic checking and no registry keys have been created and the folder the trojan installed to was never created. I found it approximately 30 minutes after it was downloaded, according to the file time stamp.

C:\test.scr
C:\tests.scr
C:\tesst.scr
C:\sysnet32.exe

All of the .scr files are FTP command files, i.e. they contain an FTP server address, username, password, and command to download a file. I have the downloaded file (sysnet32.exe), but it was never executed. It is a self-extracting rar file. I say it has never executed because contained in the rar file is a .reg file that adds the trojan to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key and that key is empty. The folder that that registry entry points to does not exist either. Also contained in the rar file is a txt file that lists users and which groups to add them to; none of these users exist on the system.

Server is currently running fully patched Win2k Advanced Server with IIS 5.0 (patched now...).

If anyone has had experience with this trojan or knows where I can find info on it I would be grateful.

Les Ault
aultl () comcast net
2003-04-15
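The check described in the post (read the persistence entries out of the dropped .reg file, then confirm that neither the Run value nor its install folder exists on the host) can be scripted. The following is an added example, not part of the original message: the .reg contents, value names and paths are constructed placeholders, and the host state is passed in as plain lists that the analyst collects separately.

```python
import re

# Constructed sample; NOT the contents of the archive from the post.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleSvc"="C:\\EXAMPLE_DIR\\example.exe -q"
"Quoted"="\"C:\\EXAMPLE DIR2\\svc.exe\" /s"

[HKEY_LOCAL_MACHINE\Software\Example]
"Unrelated"="ignored"
'''

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r'\1', s)

def run_entries(reg_text):
    """Return {value_name: command} for string values under the HKLM Run key."""
    entries, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY  # key names are case-insensitive
            continue
        m = VALUE_RE.match(line)
        if in_run and m:
            entries[unescape(m.group(1))] = unescape(m.group(2))
    return entries

def exe_dir(command):
    """Directory of the executable in a Run command line.
    Handles a quoted path or a bare path without spaces."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    path = m.group(1) or m.group(2)
    return path.rsplit("\\", 1)[0]

def triage(reg_text, live_run_values, existing_dirs):
    """Compare what the .reg file would create against observed host state."""
    live = {v.lower() for v in live_run_values}
    dirs = {d.lower() for d in existing_dirs}
    return {
        name: {"run_value_present": name.lower() in live,
               "install_dir_present": exe_dir(cmd).lower() in dirs}
        for name, cmd in run_entries(reg_text).items()
    }
```

An entry with both flags false matches the state reported in the post; either flag being true means the dropper's payload got at least partly installed.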
Current thread:
- Trojan found... Les Ault (Apr 17)
- Re: Trojan found... Harlan Carvey (Apr 19)
- <Possible follow-ups>
- Re: Trojan found... Les Ault (Apr 19)
- Re: Trojan found... aladin168 (Apr 24)
- Re: Trojan found... Patrick Nolan (Apr 25)