We found msmsgs.exe and another file tricklerid-1_trickler_4010.exe on a apparently compromised host. The host was relaying mail through 18541/tcp which is the port msmsgs.exe was listening on (thanks fport). I looked all over for somone with a similiar attack. I'm thinking "bad guys" may using Microsoft Messenger like IRC to control hosts? I sent msmsgs.exe into Symantec, no help there, message below. Anyone seen something like this or familiar with what program would be "msmsgs.exe /passportlogon /delaysync /shortpackets" ---- The file submitted contains no malicious code. It is used to access a pornographic service. It is safe to delete this file. This file, while not malicious, is performing actions on your machine without your knowledge. We recommend you delete this file. __________________________________ Do you Yahoo!? SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com ---------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Thu Jul 03 2003 - 08:04:40 PDT