Re: strange windows behaviour.

From: Tomasz Papszun (tomek-incidlodz.tpsa.pl)
Date: Fri Oct 10 2003 - 12:49:48 CDT


On Fri, 10 Oct 2003 at 11:49:33 -0400, J Mike Rollins wrote:
>
> The rundll32 path\to\the\trojan.dll,Uninstall does seem to remove the
> entries from the registry. However, the stream is still on the system.
> Something like, "echo A > C:\path\to:trojan.dll" will clobber it.
>
> A comment on how to un-install this is in the comments of the program.
> Along with a bunch of other interesting text.
> I have posted the strings from the trojan on a web page:
>
> http://www.wfu.edu/~rollins/trojan.txt
>
> However, I am not sure that I feel safe after un-installing it this way.
> If this is a backdoor program, who knows what else might have been done to
> the system.
>
> On Fri, 10 Oct 2003, Fabio Panigatti wrote:
>
> > > On September 25, 2003, I posted an article "Analysis of a Spam Trojan"
> > > to the full-disclosure and focus-virus Listservs. It details one
> > > particular spam trojan we found at the University of Minnesota. The
> > > full-disclosure archive can be viewed at:
> > > http://lists.netsys.com/pipermail/full-disclosure/2003-September/010914.html
> >
[...]

That's right, this is a backdoor program. Your results of 'strings'
match a sample of sznwjhf.dll, in which ClamAV [1] detects
Trojan.Coreflood.

[1] http://clamav.sourceforge.net/

--
 Tomasz Papszun SysAdm TP S.A. Lodz, Poland | And it's only
 tomeklodz.tpsa.pl http://www.lodz.tpsa.pl/ | ones and zeros.
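The thread's practical point is that the rundll32 uninstall cleans the registry but leaves the alternate data stream on disk. As an added example, not from either poster, here is a PowerShell script that lists NTFS alternate data streams under a directory (files and folders alike, since the stream in the thread sits on a folder) so a leftover stream can be found and, if named, removed. It assumes Windows PowerShell 3.0 or later; the root path and stream name are placeholders you set yourself.

```powershell
# Added example (not from the original posts): enumerate alternate data
# streams under a directory and optionally remove one named stream.
# Assumes Windows PowerShell 3.0+; $Root and $StreamName are placeholders.
param(
    [string]$Root = 'C:\path\to',   # placeholder: directory to scan
    [string]$StreamName = '',       # placeholder: stream to remove, e.g. 'trojan.dll'
    [switch]$Remove
)

# Scan the root itself plus everything below it, including hidden items,
# because a stream can hang off a directory as well as a file.
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$found = foreach ($item in $items) {
    # ':$DATA' is the ordinary file content; anything else is an extra stream.
    # Note that 'Zone.Identifier' is a common benign stream on downloaded files.
    Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                Host   = $item.FullName
                Stream = $_.Stream
                Length = $_.Length
            }
        }
}

if ($found) {
    $found | Format-Table -AutoSize
} else {
    Write-Host "No alternate data streams found under $Root"
}

# Remove only the named stream; the host file or folder itself is untouched.
if ($Remove -and $StreamName) {
    foreach ($hit in ($found | Where-Object { $_.Stream -eq $StreamName })) {
        Remove-Item -LiteralPath $hit.Host -Stream $hit.Stream -Force
        Write-Host "Removed $($hit.Host):$($hit.Stream)"
    }
}
```

Run it first without -Remove to review the list, then rerun with -Remove -StreamName once you are sure which stream is the payload.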
