In-Reply-To: <20030221115716.30417.qmailat_private>

Hello,

In the previous thread about this subject, I posted a list of files that were placed on a 'hacked' Windows 2000 computer in our network. Among these files were a wingate engine (mspx-smss.exe), a watchdog program to restart a service (mspx-sw.exe) and a very sophisticated 'stealth' program (mspxss.exe) that can hide processes and hide files on NTFS disks. The main purpose of these files is to create a proxy server that can be used by hackers for DDOS attacks or to obscure their original IP address.

I got a lot of reactions about these files. McAfee/Network Associates have named it Backdoor-AQM and it will be included in their DAT file 4251. Kaspersky Labs have sent me an analysis of the mspxss.exe file. They will also include it in their next update.

I would like to thank all who helped me to get this mystery solved. For those who are also eager to analyse these files themselves, I've compiled some information and placed it on a web page.

A quick report I wrote (not quite plain HTML, because I used MS Word):
http://members.chello.nl/s.pechler/Backdoor_stealth_proxy_server.htm

The files can be found in the following ZIP file (password=infected):
http://members.chello.nl/s.pechler/mspx-smss-trojan.zip

Regards,
Sven Pechler
University of Technology Eindhoven
Faculty of Technology Management
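The message above names three files (mspx-smss.exe, mspx-sw.exe, mspxss.exe) and says the third one hides processes and files on the live system. The following Python sweep is an added example, not code from Sven's message, the linked report or the vendor analyses; it only uses the three file names reported in the post, and the process list and file paths it checks are constructed sample data. It is deliberately written so that it can be pointed at an offline copy of the disk: because mspxss.exe hides processes and NTFS files on the running host, a sweep run on the infected machine itself may come back empty, so the check belongs on a mounted image or after booting from clean media.

```python
"""Sweep process names and file paths for the file names reported in the post.

Added example (not part of the original message). Indicator names come from
the post; SAMPLE_PROCESSES and SAMPLE_FILES below are constructed test data.
"""
from __future__ import annotations

import os
import sys
from typing import Iterable

# File names reported in the post: wingate engine, watchdog, and the
# process/file-hiding component. Stored lower-case because Windows file
# names are case-insensitive.
INDICATOR_NAMES = {"mspx-smss.exe", "mspx-sw.exe", "mspxss.exe"}


def _basename_lower(entry: str) -> str:
    """Normalise a process name or a Windows/POSIX path to its lower-case basename."""
    return os.path.basename(entry.replace("\\", "/")).lower()


def match_names(entries: Iterable[str]) -> list[str]:
    """Return the entries whose basename exactly equals one of the indicators.

    Exact matching matters here: the legitimate Windows session manager is
    smss.exe, and only the look-alike name mspx-smss.exe from the post is flagged.
    """
    return [e for e in entries if _basename_lower(e) in INDICATOR_NAMES]


def sweep(process_names: Iterable[str], file_paths: Iterable[str]) -> dict[str, list[str]]:
    """Run the name check over a process list and a file list and report hits."""
    return {
        "processes": match_names(process_names),
        "files": match_names(file_paths),
    }


def walk_tree(root: str) -> list[str]:
    """Collect every file path under root, e.g. a mounted image of the disk.

    Running this on the live infected host is unreliable, since the hiding
    component described in the post can filter what the OS returns.
    """
    paths: list[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            paths.append(os.path.join(dirpath, name))
    return paths


# Constructed sample data: a plausible Windows 2000 process list and a few
# file paths, including one legitimate smss.exe that must not be flagged.
SAMPLE_PROCESSES = [
    "System", "smss.exe", "csrss.exe", "winlogon.exe",
    "mspx-smss.exe", "MSPX-SW.EXE", "explorer.exe",
]
SAMPLE_FILES = [
    r"C:\WINNT\system32\smss.exe",
    r"C:\WINNT\system32\mspxss.exe",
    r"C:\Program Files\notes.txt",
]


if __name__ == "__main__":
    # With a directory argument, sweep that tree (intended for an offline
    # copy of the disk); otherwise show the result on the constructed sample.
    if len(sys.argv) > 1:
        result = sweep([], walk_tree(sys.argv[1]))
    else:
        result = sweep(SAMPLE_PROCESSES, SAMPLE_FILES)
    for kind, hits in result.items():
        print(f"{kind}: {hits if hits else 'no indicator names found'}")
```

A sweep like this only catches the exact names reported here; a renamed copy of the same binaries would not match, so it is a quick triage check to be followed by the vendor signatures (Backdoor-AQM in the McAfee DAT file named in the post) rather than a replacement for them.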
This archive was generated by hypermail 2b30 : Thu Feb 27 2003 - 08:26:12 PST