From: Harlan Carvey (keydet89yahoo.com)
Date: Thu Apr 17 2003 - 18:08:36 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Les,

> I say it has never executed because contained
> in the rar file is a .reg file that adds the trojan
> to the
> HKLM\Software\Microsoft\Windows\CurrentVersion\Run
> key and that key is empty.

What about the running processes on the system? If
the key is empty, it may simply have not been able to
write to the key. Keep in mind that the IIS web
server runs as a guest on the system.

> The folder that that registry entry points to does
> not exist either. Also contained in the rar file is
> a txt file that lists users and which groups to add
> them to, none of these users exist on the system.

Again...permissions.

> If anyone has had experience with this trojan of
> knows where I can find info on it I would be
> greatful.

Sounds like you have everything available to write an
analysis. Since it looks as if no one has written one
yet... ;-)

Harlan

__________________________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo
http://search.yahoo.com

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]