Ok, I am not a forensics specialist (DON'T TOUCH THAT GUN !!!) nor am I familiar with the techniques used ...

I found information about the scripts you mentioned on the following TrendMicro URLs:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=JS_SEEKER.O&VSect=T
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=JS_FAV&VSect=T

The scripts have a non-destructive payload and just add some XXX links to the favorites in IE. Probably contracted those while surfing XXX pages. I'd not be looking for a link between these scripts and the trojan; he probably contracted NetBus through a contaminated exe that came in through e-mail.

Steps to take:
1. Check his IE favorites & history (this would be interesting on the XXX track)
2. Check his mail file for messages containing .exe's

Cheers,
Wim

>==== Original Message From "George M. Garner Jr." <gmgarnerat_private> =====
>I am doing a forensic analysis of a Windows Millennium system on which
>netbus has been installed. I am trying to identify the vulnerability
>that permitted netbus to be installed so that I can eradicate the
>problem (and not simply remove the netbus Trojan). According to the
>file modification times it would appear that a web page containing
>JS.Trojan.Fav.c was downloaded a few hours prior to netbus being
>installed. (JS.Trojan.Seeker.o also was found on the system.) Given
>the chronological sequence, it is tempting to hypothesize a causal
>relationship between the JS.Trojan.Fav.c trojan and the subsequent
>installation of netbus. But I can't find a description anywhere of what
>this trojan does. I have searched the archives at www.securityfocus.com
>and there are 0 hits. http://groups.google.com contains a number of
>hits that list this trojan among the signatures supported by various
>vendors, but there is no analysis. Has anyone encountered this trojan
>in a forensic investigation before and can tell me what artifacts to
>look for?
>
>Regards,
>
>George.
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
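Step 1 of the reply (check the IE favorites) and the original poster's timeline-by-modification-time approach can be combined: list every Internet Shortcut under a Favorites folder with its mtime and URL, then look for a burst of favorites written seconds apart, which is the trace a bulk-adding script leaves and a person clicking "Add to Favorites" does not. This is an added example, not code from either poster; the folder contents, URLs and timestamps are constructed sample data, and the parser relies only on the documented `[InternetShortcut]` / `URL=` layout of .url files.

```python
import configparser
import os
import tempfile
from datetime import datetime, timezone

def parse_url_shortcut(path):
    """Return the URL= value of an Internet Shortcut (.url) file, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read(path, encoding="latin-1")  # legacy IE writes ANSI; latin-1 never raises
    return cp.get("InternetShortcut", "URL", fallback=None)

def favorites_timeline(favorites_dir):
    """Walk a Favorites folder; return [(mtime_utc, relative_name, url)] sorted by mtime."""
    entries = []
    for root, _dirs, files in os.walk(favorites_dir):
        for name in files:
            if not name.lower().endswith(".url"):
                continue
            path = os.path.join(root, name)
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
            entries.append((mtime, os.path.relpath(path, favorites_dir), parse_url_shortcut(path)))
    return sorted(entries)

def find_bursts(entries, window_seconds=60, min_count=3):
    """Group consecutive entries whose mtimes are within window_seconds of each other
    and keep groups of at least min_count: several favorites written seconds apart."""
    bursts, current = [], []
    for entry in entries:
        if current and (entry[0] - current[-1][0]).total_seconds() > window_seconds:
            if len(current) >= min_count:
                bursts.append(current)
            current = []
        current.append(entry)
    if len(current) >= min_count:
        bursts.append(current)
    return bursts

def build_sample_favorites():
    """Constructed sample folder: two hand-added favorites days apart, then four
    favorites written within ten seconds (all names, URLs and times are made up)."""
    base = tempfile.mkdtemp(prefix="favorites_")
    sample = [("News.url", "http://news.example/", 1_000_000_000),
              ("Bank.url", "http://bank.example/", 1_000_300_000),
              ("Added1.url", "http://injected-1.example/", 1_000_500_000),
              ("Added2.url", "http://injected-2.example/", 1_000_500_003),
              ("Added3.url", "http://injected-3.example/", 1_000_500_006),
              ("Added4.url", "http://injected-4.example/", 1_000_500_009)]
    for name, url, ts in sample:
        path = os.path.join(base, name)
        with open(path, "w", encoding="latin-1") as f:
            f.write(f"[InternetShortcut]\nURL={url}\n")
        os.utime(path, (ts, ts))  # set the modification time used by the timeline
    return base

if __name__ == "__main__":
    timeline = favorites_timeline(build_sample_favorites())
    for mtime, name, url in timeline:
        print(mtime.isoformat(), name, url)
    for burst in find_bursts(timeline):
        print(f"burst: {len(burst)} favorites within "
              f"{(burst[-1][0] - burst[0][0]).total_seconds():.0f}s")
```

Point it at the real Favorites folder copied from the imaged disk and compare the burst time against the file times of the downloaded page and the NetBus binary.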
This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 05:05:56 PDT