Re: Secure.dcom.exe

From: Harlan Carvey (keydet89at_private)
Date: Thu Aug 07 2003 - 04:09:41 PDT

  • Next message: Andy Cuff [talisker]: "Re: Secure.dcom.exe"

    I wanted to move away from the topic of the sniffer,
    as it seems to be overdone...
    
    I took a look at the executable.  It doesn't seem to
    have any identifying information compiled into it, and
    'strings' doesn't reveal anything of interest.  The
    exe only depends on two DLLs, and calls only a total
    of 4 functions...none of which have to do with
    networking.  
    
    Regarding what you're doing to find this malware...the
    ftp server and the IRC bot...what tools are you using?
    You mentioned netstat, but are you using any tools to
    list processes, map processes to open ports, etc?  If
    you use those tools that I've listed before, you'll
    find most of what you're looking for.
    
    Harlan
    
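The post asks whether the original poster is going beyond netstat and actually mapping open ports back to processes. As an added example (not from Harlan's message or any tool it mentions), the script below does that join offline: it parses the output of `netstat -ano` and `tasklist /FO CSV` on Windows, attaches an image name to every socket by PID, and flags listeners that are not in a baseline plus any connection to a typical IRC port. The netstat and tasklist text, the PIDs, the image name `unknown.exe`, the baseline of expected listeners and the IRC port list are all constructed assumptions for the example.

```python
import csv
import io
import re

# Constructed sample output in the format of `netstat -ano` and `tasklist /FO CSV`
# (not captured from any real host). PIDs and image names are made up.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       760
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1844
  TCP    192.168.1.20:1048      10.0.0.5:6667          ESTABLISHED     1844
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","760","Console","0","4,120 K"
"unknown.exe","1844","Console","0","2,048 K"
"""

# One netstat row: proto, local, foreign, optional state (UDP rows have none), PID.
_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def _split_endpoint(endpoint):
    """'0.0.0.0:21' -> ('0.0.0.0', 21); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` text into a list of socket dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = _split_endpoint(local)
        fhost, fport = _split_endpoint(foreign)
        rows.append({
            "proto": proto, "local_host": lhost, "local_port": lport,
            "foreign_host": fhost, "foreign_port": fport,
            "state": state or "", "pid": int(pid),
        })
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Image Name"] for r in reader}


def map_ports_to_processes(netstat_text, tasklist_text):
    """Attach the owning image name to every socket row, keyed on PID."""
    procs = parse_tasklist(tasklist_text)
    rows = parse_netstat(netstat_text)
    for r in rows:
        # A PID that owns a socket but has no tasklist entry is itself worth a look.
        r["image"] = procs.get(r["pid"], "<not in tasklist>")
    return rows


# Assumed baseline of ports this hypothetical box should listen on, and remote
# ports commonly used by IRC servers; both are assumptions made for the example.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 445)}
IRC_PORTS = {6667, 6668, 6669, 7000}


def find_suspicious(rows, expected=EXPECTED_LISTENERS, irc_ports=IRC_PORTS):
    """Return (reason, row) pairs for unexpected listeners and IRC-port connections."""
    hits = []
    for r in rows:
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if listening and (r["proto"], r["local_port"]) not in expected:
            hits.append(("unexpected listener", r))
        elif r["foreign_port"] in irc_ports:
            hits.append(("outbound to IRC port", r))
    return hits


if __name__ == "__main__":
    for reason, r in find_suspicious(map_ports_to_processes(NETSTAT_SAMPLE, TASKLIST_SAMPLE)):
        print(f"{reason}: {r['proto']} {r['local_host']}:{r['local_port']} -> "
              f"{r['foreign_host']}:{r['foreign_port']} {r['state']} "
              f"pid={r['pid']} ({r['image']})")
```

On a live host you would feed it the real command output (`netstat -ano > ns.txt` and `tasklist /FO CSV > tl.txt`) and replace the baseline with what the box is actually supposed to serve. The join is only as trustworthy as the tools it reads: if a kernel-level rootkit hides the process or the socket from netstat and tasklist, nothing here will see it, which is why the output should be compared against what a different tool or an external port scan reports.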
    
    This archive was generated by hypermail 2b30 : Thu Aug 07 2003 - 15:30:13 PDT