Re: strange windows behaviour.

[Tomasz Papszun <tomek-incid () lodz tpsa pl>]

On Fri, 10 Oct 2003 at 11:49:33 -0400, J Mike Rollins wrote:
> The rundll32 path\to\the\trojan.dll,Uninstall does seem to remove the
> entries from the registry.  However, the stream is still on the system.
> Something like, "echo A > C:\path\to:trojan.dll" will clobber it.
>
> A comment on how to un-install this is in the comments of the program.
> Along with a bunch of other interesting text.
> I have posted the strings from the trojan on a web page:
>
>       http://www.wfu.edu/~rollins/trojan.txt
>
> However, I am not sure that I feel safe after un-installing it this way.
> If this is a backdoor program, who knows what else might have been done to
> the system.
>
> On Fri, 10 Oct 2003, Fabio Panigatti wrote:
>
> > > On September 25, 2003, I posted an article "Analysis of a Spam Trojan"
> > > to the full-disclosure and focus-virus Listservs. It details one
> > > particular spam trojan we found at the University of Minnesota. The
> > > full-disclosure archive can be viewed at:
> > > http://lists.netsys.com/pipermail/full-disclosure/2003-September/010914.html
[...]

That's rigth, this is a backdoor program. Your results of 'strings'
match a sample of sznwjhf.dll, in which ClamAV [1] detects
Trojan.Coreflood.

[1] http://clamav.sourceforge.net/

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 tomek () lodz tpsa pl   http://www.lodz.tpsa.pl/   | ones and zeros.

---------------------------------------------------------------------------
----------------------------------------------------------------------------