Re: Suspicious JOE.EXE

From: Roy Wilson (rwilson9at_private)
Date: Sun Aug 05 2001 - 15:42:01 PDT

I've seen a lot here on it being an email attachment. I've
found such DDoS Zombie programs more likely to be executed on
workstations by auto-decryption of binary NewsGroup postings than any
other method.  The .binaries channels are loaded with them in all kinds
of flavors and varieties, usually a 55k .exe, but I've seen .com and
some macro/script variants as well.

The newsgroup versions are usually a small exe which contacts a
server and downloads/installs the trojan in the background.  Usually in
either \windows or \windows\system.

Almost all of them are kiddie-modified versions of cBot, and
since "cBot" appears in 90% of the trojan exes in clear text, it's not
a big deal to scan for and delete them.  Although Symantec hasn't
seemed to realize that yet, quite a few of them waltz right past their
AV software.  ZoneAlarm has yet to miss one that I've seen, either the
small preload or the full trojan.

Not much I can do with the nets I administer to prevent access
to the most offending groups (binaries.erotica.xyz), as the nets *need*
NG access and I haven't found a way to prevent access to any groups
other than the approved ones short of setting up a private news server.

Roy Wilson  <Emperor_Wilsonat_private> <WINS#6>

Numismatist?  <www.winsociety.ws>
PGP Key available from certserver.pgp.com or pgpkeys.mit.edu
Caesar si viveret, ad remum dareris
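
The clear-text "cBot" scan the post describes, as an added example that is not part of the original message or of any product it names: it walks a directory, considers only files that start with the PE/DOS "MZ" magic, and reports the byte offsets where the marker appears. The sample files are constructed in a temporary directory so the script runs offline.

```python
"""Scan Windows executables for a clear-text marker string (added example)."""
import os
import re
import tempfile

MARKER = b"cBot"  # marker string the post says appears in most of the trojans
PE_MAGIC = b"MZ"  # DOS header magic at the start of every Windows PE file


def find_marker(data: bytes, marker: bytes = MARKER) -> list[int]:
    """Return byte offsets of every case-insensitive occurrence of marker."""
    pattern = re.compile(re.escape(marker), re.IGNORECASE)
    return [m.start() for m in pattern.finditer(data)]


def scan_file(path: str, marker: bytes = MARKER) -> list[int]:
    """Return marker offsets for a PE file; files without an MZ header are skipped."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.startswith(PE_MAGIC):
        return []
    return find_marker(data, marker)


def scan_tree(root: str, marker: bytes = MARKER) -> dict[str, list[int]]:
    """Walk root and map each flagged file (relative path) to its marker offsets."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            offsets = scan_file(path, marker)
            if offsets:
                hits[os.path.relpath(path, root)] = offsets
    return hits


def demo() -> dict[str, list[int]]:
    """Write constructed sample files (not real malware) and scan them."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "dropper.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"connect cBot 1.0" + b"\x00" * 8,
            "notepad.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"harmless program",
            "readme.txt": b"cBot mentioned in plain text, but not an executable",
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, offsets in demo().items():
        print(f"{path}: marker at offsets {offsets}")
```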
    This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 17:21:19 PDT