Re: [normal] RE: [Full-Disclosure] Re: Secure.dcom.exe

From: opticfiber (opticfiberat_private)
Date: Sat Aug 09 2003 - 21:48:02 PDT


    I finally got a reply back from Symantec regarding the file you posted to the list; see below. Note: the only change I made to the file was the extension, from EXE to TXT, so as to prevent accidental execution.
    
    
    
    This message is an automatically generated reply.  This system is designed to analyze and process virus submissions into the Symantec Security Response and cannot accept correspondence or inquiries. 
    Please contact your Technical Support representative if more detailed information about your submission is required.  Do not reply to this message.
    
    Below is a status update on your virus submission:
    
    Date: August 9, 2003
    
    William Reyor
    Topsight.net
       
    
    
    Dear William Reyor,
    
    We have analyzed your submission.  The following is a report of our
    findings for each file you have submitted:
    
    filename: C:\Documents and Settings\w_r_r_optical_desktop_systems\Desktop\secure.dcom.txt
    machine: TIC-UZMPKXFW5YC
    result: See the developer notes 
    
    Developer notes:
    C:\Documents and Settings\wreyor\Desktop\secure.dcom.txt does not appear to contain malicious code. 
    
    
    Our automated system has performed an extensive analysis on the file(s)
    that you have submitted and found no evidence of malicious code. If you
    have additional evidence to suggest that a malicious program still resides
    in the file that was submitted to us, please contact Symantec Technical
    Support for assistance.
    ----------------------------------------------------------------------
    This message was generated by Symantec Security Response automation
    
    Should you have any questions about your submission, please contact 
    our regional technical support from the Symantec website
    (http://www.symantec.com/techsupp/) 
    and give them the tracking number in the subject of this message.
    
    
    
    --------------------------------------------
    
    
    Wcc wrote:
    
    >opticfiber wrote:
    >
    >>On a chance I connected to the irc server mentioned (irc.homelien.no).
    >>Did a channel search for "rpc" and found a channel called "#rpcfucked"
    >>with a constant stream of clients connecting and disconnecting. Below
    >>is a transcript of the channel for about five minutes or so.
    >
    >They all appear to be on either eatel.net or arcor-ip.net's networks. This
    >would lead me to believe that this worm infects via its own network and not
    >by finding random IPs.
    >
    >Will Buckner (Wcc)
    >
    >_______________________________________________
    >Full-Disclosure - We believe in it.
    >Charter: http://lists.netsys.com/full-disclosure-charter.html
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    



    This archive was generated by hypermail 2b30 : Sun Aug 10 2003 - 11:08:38 PDT