I am doing a forensic analysis of a Windows Millennium system on which netbus has been installed. I am trying to identify the vulnerability that permitted netbus to be installed so that I can eradicate the problem (and not simply remove the netbus Trojan).

According to the file modification times it would appear that a web page containing JS.Trojan.Fav.c was downloaded a few hours prior to netbus being installed. (JS.Trojan.Seeker.o also was found on the system.) Given the chronological sequence, it is tempting to hypothesize a causal relationship between the JS.Trojan.Fav.c trojan and the subsequent installation of netbus. But I can't find a description anywhere of what this trojan does.

I have searched the archives at www.securityfocus.com and there are 0 hits. http://groups.google.com contains a number of hits that list this trojan among the signatures supported by various vendors, but there is no analysis.

Has anyone encountered this trojan in a forensic investigation before and can tell me what artifacts to look for?

Regards,
George.
This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 04:23:02 PDT