I wanted to move away from the topic of the sniffer, as it seems to be overdone...

I took a look at the executable. It doesn't seem to have any identifying information compiled into it, and 'strings' doesn't reveal anything of interest. The exe only depends on two DLLs, and calls only a total of 4 functions...none of which have to do with networking.

Regarding what you're doing to find this malware...the ftp server and the IRC bot...what tools are you using? You mentioned netstat, but are you using any tools to list processes, map processes to open ports, etc? If you use those tools that I've listed before, you'll find most of what you're looking for.

Harlan

This archive was generated by hypermail 2b30 : Thu Aug 07 2003 - 15:30:13 PDT