Any smart "wormer" or "trojaneer" will modify the server component by editing the source or "hexing" the file, resulting in most common viri / trojans being rendered undetectable. The result is that many common viri / malware / trojans continue unabated. (Even SubSeven, a trojan that should be caught by any virus scanner, can be hexed to provide stealth / undetection.)

I have a collection of remote tools and you would be very surprised as to how many are not detected after simply editing the server component. Not having an AV product detect a known agent is common, as AV vendors cannot make provisions for every slight code change.

I took the time to write a small article about trojan strings / detection at http://areyoufearless.com/files/newsletters/issue1.txt

Possibly some can find it useful in how strings are used in detection / evasion. (Hint: most trojans / viri can be rendered undetectable by changing as few as one word / string in the server component.)

Hope this helps...

Donnie Werner
http://exploitlabs.com

----- Original Message -----
From: "Miguel Ibarra" <lordmike_98at_private>
To: "Levinson, Karl" <LevinsonK@STARS-SMI.com>; "'Drew Weaver'" <drewat_private>; <incidentsat_private>
Sent: Friday, August 08, 2003 7:38 AM
Subject: Re: Dig in: autorooter, maybe that IRC one but SAV doesnt pick it up.

> I submitted the dcomx.exe file to Symantec since my NAV with the latest
> update did not detect the virus in such file, nor in juh.exe, and this is
> what I got:
>
> ************************
> We have analyzed your submission. The following is a report of our
> findings for each file you have submitted:
>
> filename: C:\dcomx.exe
> machine: MIKE
> result: This file is infected with Backdoor.IRC.Cirebot
> ******************************************************
>
> ----- Original Message -----
> From: "Levinson, Karl" <LevinsonK@STARS-SMI.com>
> To: "'Drew Weaver'" <drewat_private>; <incidentsat_private>
> Sent: Wednesday, August 06, 2003 8:26 AM
> Subject: RE: Dig in: autorooter, maybe that IRC one but SAV doesnt pick it up.
>
> > In case it is helpful, note that the DCOMX.EXE file name resembles the
> > name of the fairly new Autorooter / Cirebot / Downloader-DM / "RPC Worm"
> > [F-Secure nomenclature] RPC attack tool, but none of the files are
> > detected as such by either NAV or TrendMicro House Call with the latest
> > updates applied.
> >
> > The four files in the subdirectory contain strings and file names that
> > lead one to suspect they are part of Intel LANDesk [PDS.EXE, ping
> > discovery service per Google, and XFR.EXE, Intel file transfer utility,
> > per Google].
> >
> > -----Original Message-----
> > From: Drew Weaver [mailto:drewat_private]
> > Sent: Tuesday, August 05, 2003 3:07 PM
> > To: incidentsat_private
> > Subject: [despammed] Dig in: autorooter, maybe that IRC one but SAV
> > doesnt pick it up.
> >
> > Dig in.
> >
> > http://www.soul-fu.com/drew.zip
> >
> > I found this on a Windows 2k SP4 machine without (without) the two most
> > recent and critically necessary patches.
> >
> > Enjoy.
> >
> > -Drew
This archive was generated by hypermail 2b30 : Sun Aug 10 2003 - 10:59:56 PDT