Re: Name that Trojan

From: Blake Frantz (blakeat_private)
Date: Wed Jan 09 2002 - 14:26:12 PST


    Where was the file found?  Did you scan it with A/V?  Was it running?  If
    so, does it bind to a port?
    
    Have you looked in the usual places where applications can start up on
    boot?  i.e., registry, startup folder, services, boot scripts, etc.  You
    might find more information in those places that can help determine what
    is happening to your box. 
    
    Also, did you 'strings' the binary?
    
    -Blake  
    
    On Wed, 9 Jan 2002, Nutcase_69 wrote:
    
    > We have an application server running NT 4.0.  We found the file serv.exe on
    > it and I know that this could be an indication of a Trojan.  We deleted the
    > file and when we rebooted, the file re-appeared.  I'm trying to find out if
    > anybody knows what Trojan might display this activity?  I thought it was
    > freak but that seemed old and I didn't think that it could regenerate the
    > .exe.  Any answers?
    > 
    > Cheers,
    > Eric
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 15:06:13 PST
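
The 'strings' check suggested in the reply, tied to its list of boot-time start locations, as an added example that is not part of the original message: it pulls both ASCII and UTF-16LE strings (Windows binaries often store registry paths as wide strings) and reports those that name an autostart location. The hint list, the sample bytes and the service name ExampleSvc are constructed for illustration.

```python
import re
import sys

# Lowercase substrings for the start-up places named in the reply
# (registry, startup folder, services, boot scripts). Constructed, not exhaustive.
AUTOSTART_HINTS = {
    "registry run key": r"\currentversion\run",
    "service entry": r"\currentcontrolset\services",
    "startup folder": r"\start menu\programs\startup",
    "boot script": "autoexec.bat",
}

def extract_strings(data: bytes, min_len: int = 4):
    """Yield (offset, encoding, text) for printable runs, like strings(1)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # Wide strings: each printable character is followed by a NUL byte.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in wide_re.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")

def autostart_references(data: bytes):
    """Return sorted (kind, string) pairs for strings naming an autostart location."""
    hits = set()
    for _offset, _encoding, text in extract_strings(data):
        lowered = text.lower()
        for kind, needle in AUTOSTART_HINTS.items():
            if needle in lowered:
                hits.add((kind, text))
    return sorted(hits)

# Constructed sample bytes standing in for a suspect binary (not a real file).
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x01\x02\x03"
    + "SYSTEM\\CurrentControlSet\\Services\\ExampleSvc".encode("utf-16le")
    + b"\x00\x00\xff\xfe\x10abc\x00"
)

if __name__ == "__main__":
    # With a path argument, read that file; otherwise use the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for kind, text in autostart_references(blob):
        print(f"{kind}: {text}")
```

Run it against a copy of the file taken from the affected box; any hit tells you which start-up location to inspect first.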