I played some more with the copy I got. It makes an IRC connection to lar.ath.cx and then joins #lerler using the key 'essenscheisse'. There are almost 2000 zombies in that room fwiw. I see no indications that it is a worm however. After connecting on IRC, it just sits there apparently waiting for someone to show up and give it commands. A registry entry is created to run itself at startup, but no other modifications to my test system were readily apparent (not saying there weren't any, but a casual check of filemon and regmon didn't reveal anything obviously bad). Mike ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Sep 23 2002 - 10:52:45 PDT