Re: Dig in: autorooter, maybe that IRC one but SAV doesnt pick it up.

From: Miguel Ibarra (lordmike_98at_private)
Date: Fri Aug 08 2003 - 07:38:20 PDT


    I submitted the dcomx.exe file to Symantec since my NAV with the latest
    update did not detect the virus in that file, nor in juh.exe, and this is
    what I got:
    
    ************************
    We have analyzed your submission.  The following is a report of our
    findings for each file you have submitted:
    
    filename: C:\dcomx.exe
    machine: MIKE
    result: This file is infected with Backdoor.IRC.Cirebot
    ******************************************************
    ----- Original Message -----
    From: "Levinson, Karl" <LevinsonK@STARS-SMI.com>
    To: "'Drew Weaver'" <drewat_private>; <incidentsat_private>
    Sent: Wednesday, August 06, 2003 8:26 AM
    Subject: RE: Dig in: autorooter, maybe that IRC one but SAV doesnt pick it up.
    
    
    > In case it is helpful, note that the DCOMX.EXE file name resembles the name
    > of the fairly new Autorooter / Cirebot / Downloader-DM / "RPC Worm"
    > [F-secure nomenclature] RPC attack tool, but none of the files are detected
    > as such by either NAV or TrendMicro House Call with the latest updates
    > applied.
    >
    > The four files in the subdirectory contain strings and file names that lead
    > one to suspect they are part of Intel Landesk [PDS.EXE, ping discovery
    > service per google, and XFR.EXE, Intel file transfer utility, per google].
    >
    >
    > -----Original Message-----
    > From: Drew Weaver [mailto:drewat_private]
    > Sent: Tuesday, August 05, 2003 3:07 PM
    > To: incidentsat_private
    > Subject: [despammed] Dig in: autorooter, maybe that IRC one but SAV
    > doesnt pick it up.
    >
    >
    > Dig in.
    >
    > http://www.soul-fu.com/drew.zip
    >
    > I found this on a Windows 2k SP4 machine without (without) the two most
    > recent and critically necessary patches.
    >
    > Enjoy.
    >
    > -Drew



    This archive was generated by hypermail 2b30 : Fri Aug 08 2003 - 16:19:10 PDT