From: PM Systems - Rick Woehler (RWoehler@PMSysCorp.com)
Date: Wed Jan 09 2002 - 12:14:29 CST

    Name: Xtreme
    Ports: 1090
    Files: Xtreme.exe - 316,878 bytes
    Actions: Remote Access / Keylogger / Trojan dropper
     Installs NetBus 2.1 Pro in the background.
    Notes: Password: www.multimania.com/cdc.

    Backdoor.Bla.Trojan
    The Backdoor.BlaTrojan allows unauthorized access to your computer. It tries
    to mask the infection by displaying a program interface that is actually the
    interface of the backdoor client program.

    Quick search didn't turn up anything on nim or nimreg in English.

    Yes, you've got trouble. Where's your anti-virus?

    -----Original Message-----
    From: Katherine Ogden [mailto:kogden@4cd.net]
    Sent: Wednesday, January 09, 2002 11:21 AM
    To: focus-ms@securityfocus.com
    Subject: Think I've got trouble

    We began having trouble with our exchange server.
    For no reason we could pin down the OWA would
    throw up an error and stop the www service. Being
    the slightly paranoid sort I downloaded Retina and ran
    it against the email server. It showed the usual things
    but it also showed
    Port 1058 - Nim
    Port 1090 - Xtreme

    Two other exchange servers show these ports open.
    Port 1042 - Bla
    Port 1059 - Nimreg

    Two questions. Does anybody know what these
    are? And am I right in assuming that these machines
    have been compromised and will need to be rebuilt?

    Thank you for the help.
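A triage helper for the situation described in this thread, added here as an example; it is not code from either poster. It takes the port-to-name indicators named above (1042 Bla, 1058 Nim, 1059 Nimreg, 1090 Xtreme) and correlates them with the local listening table rather than with an external scan alone, because a scanner's port-number match is only a hint: any process can bind a high-numbered port, so the owning PID and its image file are what settle the question before a rebuild is ordered. The `netstat -ano` sample, the addresses and the PIDs are constructed for the example.

```python
"""Correlate local listening ports with the backdoor port indicators named in
the thread. Added example, not part of the original mailing-list post.

Input is a constructed sample resembling Windows 'netstat -ano' output so the
script runs offline; on a real host the same text comes from that command.
"""
import re

# Port -> name indicators exactly as given in the reply and the original message.
TROJAN_PORTS = {
    1042: "Bla",
    1058: "Nim",
    1059: "Nimreg",
    1090: "Xtreme",
}

# Size of Xtreme.exe as stated in the reply; used to vet a suspect image file.
XTREME_EXE_SIZE = 316_878

# Constructed sample of 'netstat -ano' output (addresses and PIDs are invented).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1244
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1300
  TCP    0.0.0.0:1058           0.0.0.0:0              LISTENING       1412
  TCP    0.0.0.0:1090           0.0.0.0:0              LISTENING       2080
  TCP    10.0.0.5:1090          10.0.0.77:3345         ESTABLISHED     2080
  TCP    10.0.0.5:3301          10.0.0.9:445           ESTABLISHED     4
"""

# One TCP row: proto, local addr:port, foreign addr:port, state, pid.
TCP_ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return a list of (local_port, state, pid) for every TCP row in the text.

    Header lines and UDP rows (which carry no state column) are skipped.
    """
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return rows


def find_indicators(netstat_text, indicators=TROJAN_PORTS):
    """Map each indicator port seen in the output to its name, the PIDs that
    own sockets on it, and whether anything is actually LISTENING there."""
    hits = {}
    for port, state, pid in parse_netstat(netstat_text):
        if port not in indicators:
            continue
        hit = hits.setdefault(
            port, {"name": indicators[port], "pids": set(), "listening": False}
        )
        hit["pids"].add(pid)
        if state == "LISTENING":
            hit["listening"] = True
    return hits


def image_size_matches_xtreme(size_bytes):
    """True when a file's size equals the Xtreme.exe size given in the thread.

    A size match alone is not proof; it is one more attribute to check on the
    image behind a PID reported by find_indicators()."""
    return size_bytes == XTREME_EXE_SIZE


def report(netstat_text):
    """Produce one triage line per indicator port found, naming the PIDs to
    inspect (tasklist / process image path, file size, digital signature)."""
    lines = []
    for port, hit in sorted(find_indicators(netstat_text).items()):
        state = "LISTENING" if hit["listening"] else "not listening"
        pids = ", ".join(str(p) for p in sorted(hit["pids"]))
        lines.append(
            f"port {port} ({hit['name']}): {state}; verify image of PID(s) {pids}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT):
        print(line)
```

On the constructed sample this reports ports 1058 and 1090 as listening and names PIDs 1412 and 2080 as the processes whose image files need to be examined; port 1042 and 1059 do not appear, so they are not reported even though they are in the indicator list.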