We have discovered two mutants to the ie0199.exe trojan. In the first mutant, the targeted host was hpns.infotel.bg, rather than www.infotel.bg. It seems to look at only a handful of well-known sockets. The second mutant is more malicious. It generates random IP addresses in the 212.39 and 195.138 address spaces, with socket numbers in a range of 1-199. Neither mutant touched the sndvol32.exe file. Someone really has it out for infotel.bg.

[ Jim Wamsley, Network Engineering ]
[ StorageTek 2270 S. 88th St, M.S. 4380, Louisville, CO 80028 ]
[ Audible: (303) 673-8163 Logical jim_wamsleyat_private ]
[ Sed quis custodiet ipsos custodes - Juvenal, C. 100 C.E ]
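Added example, not part of the original post: a flow-log check for the behaviour reported for the second mutant, flagging internal hosts that contact many distinct addresses in the two address spaces on ports 1-199. Reading "212.39" and "195.138" as /16 prefixes, the log format, the sample records and the threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the post's "212.39 and 195.138 address spaces" read as /16 prefixes.
TARGET_NETS = [ipaddress.ip_network("212.39.0.0/16"),
               ipaddress.ip_network("195.138.0.0/16")]
PORT_RANGE = range(1, 200)   # ports 1-199, as described in the post
MIN_DISTINCT_DSTS = 5        # hypothetical threshold; tune to local traffic

# Constructed sample records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
t0 10.1.1.23 212.39.14.201 17
t1 10.1.1.23 195.138.77.5 142
t2 10.1.1.23 212.39.200.9 3
t3 10.1.1.23 195.138.3.250 198
t4 10.1.1.23 212.39.61.44 80
t5 10.1.1.23 195.138.129.12 25
t6 10.1.1.40 212.39.10.10 80
t7 10.1.1.40 192.0.2.15 80
t8 10.1.1.51 195.138.4.4 8080
t9 garbled-line
"""

def matches_pattern(dst, port):
    """True if the destination falls in the watched prefixes and port range."""
    addr = ipaddress.ip_address(dst)
    return port in PORT_RANGE and any(addr in net for net in TARGET_NETS)

def suspect_hosts(flow_text, min_dsts=MIN_DISTINCT_DSTS):
    """Map each source at or above the threshold to its distinct matching destinations."""
    seen = defaultdict(set)
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                      # skip malformed records
        _, src, dst, port = fields
        try:
            if matches_pattern(dst, int(port)):
                seen[src].add(dst)
        except ValueError:
            continue                      # unparsable address or port
    return {s: sorted(d) for s, d in seen.items() if len(d) >= min_dsts}

if __name__ == "__main__":
    for src, dsts in suspect_hosts(SAMPLE_FLOWS).items():
        print(f"{src}: {len(dsts)} distinct destinations in watched ranges")
```

Counting distinct destinations rather than raw connections keeps a host that repeatedly visits one legitimate server in those ranges (10.1.1.40 in the sample) below the threshold.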
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:35:39 PDT