RE: Increased Kuang2 activity

["James C Slora Jr" <Jim.Slora () phra com>]

Correction - troj_kuang.b is the server (trojan) component only. duh.

-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora () phra com]
Sent: Monday, February 10, 2003 15:43
To: 'Logan F.D. Greenlee'; 'H C'; 'incidents () securityfocus com'
Subject: RE: Increased Kuang2 activity


Logan F.D. Greenlee wrote Monday, February 10, 2003 13:37

> According to the information out there port 17300 is the control port
> for the Trojan. Also, the only way that this Trojan can be installed is
> via user interaction with an executable containing the virus. The virus
> is also very old, 1999. I would suspect that this is "just" an attempt
> by someone to check and see if there are any hosts out there that are
> still infected.

Kuang2 is related to a whole family of file infectors carrying backdoors - look for PE_Weird and related. I do not 
recommend
Symantec's site in this particular case - their info is pretty skimpy.

There were updated versions released in mid-2002:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_WEIRD.D
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_KUANG.B (client component only)

Some variant of PE_Weird was also circulating last year as a file infection piggybacking on Klez.(x) infected mail. 
Most of the
variants I know of are file infectors, so they could circulate pretty easily along with any PE file. There may be 
another new
version circulating, and it would still be easy for older versions to find new victims.

<<attachment: winmail.dat>>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com