Okay, we've got some details from a quick glance at one of the infected machines.

There's a directory: \Program Files\Common Files\msadc which has 4 files in it: root.exe, TFTP129, TFTP68, TFTP192. The last three look like they might be some sort of registry key.

Going to the machine's website and looking for http://>/msadc/TFTP68 should download the file.

-Larry

---
E. Larry Lidz
Sr. Network Security Officer
Network Security Center, The University of Chicago
Phone: (773)702-2208
Fax: (773)702-0559
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 09:19:29 PDT