> > We did find an entry in his registry with the following setting:
> >
> > /microsoft/windowsexplorer/doc/find/spec/mru
> > a) " "
> > b) 5845
> > c) nfo
> > d) bo
> > e) nfo.zip
> > f) winrar
> > g) msvbvm60.dll
> > h) loadwc
> > i) stargate
> > j) area51
> > mrulist) eadcbjihgf

Actually, this is the Most Recently Used files entry. A-J = the last files to be searched for using Find File, or Opened, or Saved - and the mrulist specifies the order in which they were used. This is how the history box in Find File works, and others.

mIRC IRC Client 5.4 and above have the ability to create raw sockets - you can use the IRC client to open port 25 and check your mail, for instance, or to connect to any other port on a server, including port 80 - most likely this "trojan" is a line in a script that runs a timer which connects to the web site, sends HTTP commands, then kills the socket; every X number of seconds. I doubt this is sophisticated enough to modify the registry or otherwise change system behaviour. However, I'm not sure exactly what you could possibly do to prevent such an attack from occurring.

--
Paralyse -=(webmasterat_private)=-
-=>-<=- Systems Technician, ICS Computers -=>-<=-
if test ! "$clothed"="no" then touch woman | strip woman | make love | sleep; fi
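Added example, not part of the original message: a Python sketch that reconstructs the usage order of the quoted MRU entries from the `mrulist` string, assuming the usual Windows convention that the leftmost letter is the most recently used entry. The function names and the `name) data` text layout it parses are assumptions taken from how the values are shown in the quote.

```python
import re

# Values copied from the quoted registry dump in the message above.
QUOTED_DUMP = '''
a) " "
b) 5845
c) nfo
d) bo
e) nfo.zip
f) winrar
g) msvbvm60.dll
h) loadwc
i) stargate
j) area51
mrulist) eadcbjihgf
'''

ENTRY = re.compile(r'^\s*(\w+)\)\s?(.*)$')  # "name) data", as shown in the quote

def parse_dump(text):
    """Return (values, mrulist) parsed from 'name) data' lines."""
    values, order = {}, ""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        name, data = m.group(1).lower(), m.group(2).strip()
        if name == "mrulist":
            order = data.lower()
        else:
            values[name] = data.strip('"')  # keep quoted whitespace such as " "
    return values, order

def mru_order(values, order):
    """Return (ordered, dangling, orphaned), most recent entry first.
    dangling: letters in mrulist with no value; orphaned: values not listed."""
    ordered, dangling, seen = [], [], set()
    for letter in order:
        if letter in seen:
            continue  # ignore a repeated letter in a damaged list
        seen.add(letter)
        if letter in values:
            ordered.append((letter, values[letter]))
        else:
            dangling.append(letter)
    return ordered, dangling, sorted(set(values) - seen)

if __name__ == "__main__":
    ordered, dangling, orphaned = mru_order(*parse_dump(QUOTED_DUMP))
    for rank, (letter, term) in enumerate(ordered, 1):
        print(f"{rank:2d}. ({letter}) {term!r}")
    print("dangling:", dangling, "orphaned:", orphaned)
```

Dangling or orphaned letters indicate that entries were deleted or edited outside the normal Explorer history mechanism, which is worth noting when the key is reviewed during an investigation.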
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:37 PDT