"It drops a keyboard hooker with the KDLL.DLL name, and sends stolen info to the "uckyjwat_private" e-mail address. The log info is stored in the Windows system directory with the CP_25389.NLS name." http://www.viruslist.com/eng/default.asp?tnews=12&nview=1&id=1255&page=0 (url may be wrapped) "The worm uses the default account and the default SMTP server of the local machine. This information can be found in the following registry entries:" http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=WORM_BADTRANS.B&VSect=T (url may be wrapped) Marc Fossi, MCSE SecurityFocus www.securityfocus.com On Mon, 26 Nov 2001, Liudvikas Bukys wrote: > I am dismayed to find that ALL of the anti-virus vendors have decided to > limit their "tech details" so much that I can't find a published account > of how the keyboard-logging trojan contacts the outside world. It would > be helpful to know what hosts or names it connects out to, without having to > wait for a "live one" to appear to before I find out. > > Does anybody here know? > > Liudvikas Bukys > bukysat_private > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Nov 26 2001 - 13:49:15 PST