Security Incidents mailing list archives
Re: Trojan found...
From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 17 Apr 2003 16:08:36 -0700 (PDT)
Les,
I say it has never executed because contained in the rar file is a .reg file that adds the trojan to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key and that key is empty.
What about the running processes on the system? If the key is empty, it may simply have not been able to write to the key. Keep in mind that the IIS web server runs as a guest on the system.
The folder that that registry entry points to does not exist either. Also contained in the rar file is a txt file that lists users and which groups to add them to, none of these users exist on the system.
Again...permissions.
If anyone has had experience with this trojan or knows where I can find info on it I would be grateful.
Sounds like you have everything available to write an analysis. Since it looks as if no one has written one yet... ;-)
Harlan
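An added example, not part of the original message or thread: an offline check that compares what the archive's .reg file would write against an export of the live Run key. The value name, path and export contents are constructed placeholders; an "absent" result only says the value is not there now, which is also what a denied write by a low-privilege account looks like.

```python
import re

# Constructed sample of a REGEDIT4 file like the one described in the thread.
# The value name and path are placeholders, not taken from the real archive.
DROPPED_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleSvc"="C:\\example_dir\\example.exe"
'''

# Constructed sample of an export of the live key (empty, as reported).
LIVE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
'''

SECTION = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {(key_lower, name_lower): data} for string values in a .reg file."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            key = m.group('key').lower()   # registry paths are case-insensitive
            continue
        m = VALUE.match(line)
        if m and key:
            entries[(key, unescape(m.group('name')).lower())] = unescape(m.group('data'))
    return entries

def compare(dropped, live):
    """Classify each value the dropped file would set against the live snapshot."""
    want, have = parse_reg(dropped), parse_reg(live)
    report = []
    for (key, name), data in want.items():
        if (key, name) not in have:
            status = 'absent'      # never imported, or the write was denied
        elif have[(key, name)].lower() == data.lower():
            status = 'present'     # the import succeeded and is still in place
        else:
            status = 'modified'    # same value name, different target
        report.append((key, name, data, status))
    return report
```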