Re: EMAILed Trojan

From: Jim Wamsley 303-673-8163 (wamsljrat_private)
Date: Thu Feb 18 1999 - 15:28:01 PST


    We have discovered two mutants to the ie0199.exe trojan.
    
    In the first mutant, the targeted host was hpns.infotel.bg, rather than
    www.infotel.bg.  It seems to look at only a handful of well-known sockets.
    
    The second mutant is more malicious.  It generates random IP addresses in
    the 212.39 and 195.138 address spaces, with socket numbers in a range of 1-199.
    
    Neither mutant touched the sndvol32.exe file.
    
    Someone really has it out for infotel.bg.
    
    [ Jim Wamsley, Network Engineering                             ]
    [ StorageTek 2270 S. 88th St, M.S. 4380, Louisville, CO 80028  ]
    [ Audible:  (303) 673-8163    Logical jim_wamsleyat_private  ]
    [  Sed quis custodiet ipsos custodes - Juvenal, C. 100 C.E     ]
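
A detection sketch for the second mutant's traffic pattern, added here as an example and not part of the original message: it flags internal hosts that contact many distinct destinations in the two address spaces on ports 1-199. It assumes the "212.39 and 195.138 address spaces" are /16 networks; the flow record format, the threshold and the sample records are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the two "address spaces" in the message are read as /16 networks.
TARGET_NETS = [ipaddress.ip_network("212.39.0.0/16"),
               ipaddress.ip_network("195.138.0.0/16")]
PORT_RANGE = range(1, 200)   # "socket numbers in a range of 1-199"
MIN_DISTINCT_DESTS = 5       # hypothetical threshold, tune to local traffic

# Constructed sample flow records: "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
919380000 10.1.4.22 212.39.17.201 23
919380001 10.1.4.22 195.138.44.9 110
919380002 10.1.4.22 212.39.200.3 7
919380003 10.1.4.22 195.138.3.77 139
919380004 10.1.4.22 212.39.88.14 21
919380005 10.1.4.22 195.138.250.1 199
919380006 10.1.4.22 212.39.5.5 8080
919380007 10.1.4.22 192.0.2.10 80
919380008 10.1.4.30 212.39.17.201 80
919380009 10.1.4.30 198.51.100.7 25
garbage line here
919380011 10.1.4.30 not-an-ip 80
"""

def parse_flows(text):
    """Yield (ts, src, dst, port) tuples, skipping malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (int(parts[0]), ipaddress.ip_address(parts[1]),
                   ipaddress.ip_address(parts[2]), int(parts[3]))
        except ValueError:
            continue

def in_scope(dst, port):
    """True when a flow matches the targeting described for the second mutant."""
    return port in PORT_RANGE and any(dst in net for net in TARGET_NETS)

def find_scanners(text, min_dests=MIN_DISTINCT_DESTS):
    """Map source IP -> count of distinct in-scope (dst, port) pairs."""
    seen = defaultdict(set)
    for _, src, dst, port in parse_flows(text):
        if in_scope(dst, port):
            seen[src].add((dst, port))
    return {str(s): len(d) for s, d in seen.items() if len(d) >= min_dests}

if __name__ == "__main__":
    for host, count in find_scanners(SAMPLE_FLOWS).items():
        print(f"{host}: {count} distinct in-scope destinations")
```

A single connection to one of these networks on a low port is ordinary traffic, so the threshold counts distinct destination and port pairs per source rather than alerting on any match.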
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:35:39 PDT