Picked up a Norton alert for an infected SysReg.exe file. I think the new definitions identified a file that was laid down a few days before. The trojan is a version of stukach (http://www.glocksoft.com/trojan_list/Stukach.htm, http://www.ntsecurity.net/Panda/Index.cfm?FuseAction=Virus&VirusID=27), 49,152 bytes. I haven't yet been able to identify the payload.

Interesting strings from the file:

  HKEY_CURRENT_USER\Software\IExplore\AID
  HKEY_CURRENT_USER\Software\IExplore\ID
  HKEY_CURRENT_USER\Software\IExplore\
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysReg
  http://tp.searchseekfind.com/cgi-bin/TPS/Checkin.pl?ID=%s&Affid=%s&ConnectionType=%d&Version=%d
  open
  HKEY_CURRENT_USER\Software\IExplore\%s

There are some coincidental time stamps and info on the infected machines that make me believe this may be in some way linked to weatherbug--possibly through one of their popups. Any correlation would be helpful. Still looking for more info. Thanks!
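The strings quoted in the post (the HKCU\Software\IExplore config keys, the Run\SysReg persistence value and the Checkin.pl format string) are usable as indicators. The following is an added example, not code from the original post or from any vendor write-up: it pulls printable strings out of a binary the way the `strings` tool does, flags the ones matching the posted indicators, and parses a proxy-log line for the check-in request. The sample bytes and the log line are constructed stand-ins (the real 49,152-byte file is not available here), and the check-in regex assumes the %s/%d placeholders are filled with plain alphanumeric/decimal values, which the post does not confirm.

```python
"""IOC triage for the SysReg.exe sample described in the post.

Added example, not code from the original post. SAMPLE and LOG_LINE are
CONSTRUCTED: the strings quoted in the post are embedded between filler
bytes to stand in for the real binary, which is not available.
"""
import re

# Indicators quoted in the post: registry keys the trojan reads/writes,
# the Run value it uses for persistence, and its check-in URL.
IOC_SUBSTRINGS = [
    r"HKEY_CURRENT_USER\Software\IExplore\AID",
    r"HKEY_CURRENT_USER\Software\IExplore\ID",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysReg",
    "http://tp.searchseekfind.com/cgi-bin/TPS/Checkin.pl?",
]

# The check-in as it would look on the wire once the %s/%d placeholders are
# filled in. ASSUMPTION: values are plain tokens without '&' or whitespace.
CHECKIN_RE = re.compile(
    r"tp\.searchseekfind\.com/cgi-bin/TPS/Checkin\.pl\?"
    r"ID=(?P<id>[^&\s]+)&Affid=(?P<affid>[^&\s]+)"
    r"&ConnectionType=(?P<conn>\d+)&Version=(?P<ver>\d+)"
)


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return printable-ASCII runs of at least min_len bytes (like `strings`)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_iocs(data: bytes) -> dict:
    """Map each IOC substring to the extracted strings that contain it."""
    found = {}
    for s in extract_strings(data):
        for ioc in IOC_SUBSTRINGS:
            if ioc in s:
                found.setdefault(ioc, []).append(s)
    return found


def parse_checkin(line: str):
    """Parse a proxy/web log line for the check-in request; None if absent."""
    m = CHECKIN_RE.search(line)
    return m.groupdict() if m else None


# Constructed stand-in for the binary: filler bytes around the quoted strings.
SAMPLE = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 40
    + b"HKEY_CURRENT_USER\\Software\\IExplore\\AID\x00"
    + b"\xde\xad\xbe\xef" * 4
    + b"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysReg\x00"
    + b"\x01\x02\x03"
    + b"http://tp.searchseekfind.com/cgi-bin/TPS/Checkin.pl?"
    + b"ID=%s&Affid=%s&ConnectionType=%d&Version=%d\x00"
    + b"open\x00"
)

# Constructed proxy log line showing a filled-in check-in (values invented).
LOG_LINE = (
    '10.0.0.12 - - [26/May/2003:09:11:39 -0700] "GET '
    'http://tp.searchseekfind.com/cgi-bin/TPS/Checkin.pl?'
    'ID=ABC123&Affid=77&ConnectionType=1&Version=3 HTTP/1.0" 200 41'
)

if __name__ == "__main__":
    for ioc, hits in find_iocs(SAMPLE).items():
        print("IOC hit:", ioc, "->", hits)
    print("check-in:", parse_checkin(LOG_LINE))
```

Run it against the real file by replacing SAMPLE with `open(path, "rb").read()`; the ID and Affid fields captured from proxy logs are what would let you correlate infected hosts against the popup/affiliate theory the post raises.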
This archive was generated by hypermail 2b30 : Mon May 26 2003 - 09:11:39 PDT