Correction - troj_kuang.b is the server (trojan) component only. duh. -----Original Message----- From: James C Slora Jr [mailto:Jim.Sloraat_private] Sent: Monday, February 10, 2003 15:43 To: 'Logan F.D. Greenlee'; 'H C'; 'incidentsat_private' Subject: RE: Increased Kuang2 activity Logan F.D. Greenlee wrote Monday, February 10, 2003 13:37 > According to the information out there port 17300 is the control port > for the Trojan. Also, the only way that this Trojan can be installed is > via user interaction with an executable containing the virus. The virus > is also very old, 1999. I would suspect that this is "just" an attempt > by someone to check and see if there are any hosts out there that are > still infected. Kuang2 is related to a whole family of file infectors carrying backdoors - look for PE_Weird and related. I do not recommend Symantec's site in this particular case - their info is pretty skimpy. There were updated versions released in mid-2002: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_WEIRD.D http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_KUANG.B (client component only) Some variant of PE_Weird was also circulating last year as a file infection piggybacking on Klez.(x) infected mail. Most of the variants I know of are file infectors, so they could circulate pretty easily along with any PE file. There may be another new version circulating, and it would still be easy for older versions to find new victims.
This archive was generated by hypermail 2b30 : Mon Feb 10 2003 - 15:58:11 PST