RE: JS.Trojan.Fav.c and JS.Trojan.Seeker.o on a system compromised with netbus

From: wim.remes (wim.remesat_private)
Date: Mon Oct 22 2001 - 05:07:11 PDT

    Ok,
    
    I am not a forensics specialist (DON'T TOUCH THAT GUN !!!) nor am
    I familiar with the techniques used ... I found information about
    the scripts you mentioned on the following TrendMicro URL :
    http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=JS_SEEKER.O&VSect=T
    http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=JS_FAV&VSect=T
    
    The scripts have a non-destructive payload and just add some XXX links
    to the favorites in IE. He probably contracted those while surfing XXX pages.
    I'd not be looking for a link between these scripts and the trojan;
    he probably contracted NetBus through a contaminated exe that came in
    through e-mail.
    
    Steps to take:
    1. Check his IE favorites & history (this would be interesting on the
    XXX track)
    2. Check his mail file for messages containing .exe's
     
    Cheers,
    
    Wim
    >==== Original Message From "George M. Garner Jr." <gmgarnerat_private> =====
    >I am doing a forensic analysis of a Windows Millennium system on which
    >netbus has been installed.  I am trying to identify the vulnerability
    >that permitted netbus to be installed so that I can eradicate the
    >problem (and not simply remove the netbus Trojan).  According to the
    >file modification times it would appear that a web page containing
    >JS.Trojan.Fav.c  was downloaded a few hours prior to netbus being
    >installed.  (JS.Trojan.Seeker.o also was found on the system.)  Given
    >the chronological sequence, it is tempting to hypothesize a causal
    >relationship between the JS.Trojan.Fav.c trojan and the subsequent
    >installation of netbus.  But I can't find a description anywhere of what
    >this trojan does.  I have searched the archives at www.securityfocus.com
    >and there are 0 hits.  http://groups.google.com contains a number of
    >hits that list this trojan among the signatures supported by various
    >vendors, but there is no analysis.  Has anyone encountered this trojan
    >in a forensic investigation before and can tell me what artifacts to
    >look for?
    >
    >Regards,
    >
    >George.
    >
    >
    >-----------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com
    
    
    
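A small triage helper for the two steps Wim lists, added here as an example that is not part of the original thread: it parses IE Internet Shortcut (.url) files under a Favorites folder and lists the ones whose modification time falls inside a window around the assumed netbus installation time, which is the chronology George is trying to correlate. The Favorites folder, the URLs and the timestamps are constructed for the example; the window size is an assumption.

```python
import configparser
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

def parse_internet_shortcut(text):
    """Return the target of an IE .url file ([InternetShortcut] URL=...) or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)

def favorites_timeline(favorites_dir, suspect_time, window=timedelta(hours=6)):
    """List (mtime, file name, url) for every .url file under favorites_dir whose
    modification time lies within +/- window of suspect_time, oldest first."""
    hits = []
    for path in Path(favorites_dir).rglob("*.url"):
        mtime = datetime.fromtimestamp(path.stat().st_mtime)
        if abs(mtime - suspect_time) > window:
            continue
        url = parse_internet_shortcut(path.read_text(errors="replace"))
        hits.append((mtime, path.name, url))
    return sorted(hits)

def build_sample_favorites():
    """Constructed sample Favorites folder (hypothetical timestamps and URLs):
    one old, legitimate shortcut and two planted a few hours before the
    assumed netbus installation time."""
    root = Path(tempfile.mkdtemp(prefix="favorites_"))
    suspect = datetime(2001, 10, 20, 22, 0)
    samples = {
        "Microsoft.url": ("http://www.microsoft.com/", suspect - timedelta(days=30)),
        "Free Stuff.url": ("http://example.invalid/planted1", suspect - timedelta(hours=3)),
        "Hot Links.url": ("http://example.invalid/planted2", suspect - timedelta(hours=2)),
    }
    for name, (url, when) in samples.items():
        target = root / name
        target.write_text(f"[InternetShortcut]\nURL={url}\n")
        os.utime(target, (when.timestamp(), when.timestamp()))
    return root, suspect

if __name__ == "__main__":
    root, suspect = build_sample_favorites()
    for mtime, name, url in favorites_timeline(root, suspect):
        print(mtime.isoformat(sep=" "), name, url)
```

On a real image, point favorites_timeline at the copied Favorites folder and at the install time taken from the netbus file timestamps; shortcuts that appear in the same session are the ones to read alongside the browser history.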
    



    This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 05:05:56 PDT