I've seen a lot here on it being an email attachment, I've found such DDoS Zombie programs more likely to be executed on workstations by auto-decryption of binary newsgroup postings than any other method. The .binaries channels are loaded with them in all kinds of flavors and varieties, usually a 55k .exe, but I've seen .com and some macro/script variants as well. The newsgroup versions are usually a small exe which contacts a server and downloads/installs the trojan in the background, usually in either \windows or \windows\system. Almost all of them are kiddie-modified versions of cBot, and since "cBot" appears in 90% of the trojan exes in clear text, it's not a big deal to scan for and delete them. Although Symantec hasn't seemed to realize that yet, quite a few of them waltz right past their AV software. ZoneAlarm has yet to miss one that I've seen, either the small preload or the full trojan.

Not much I can do with the nets I administer to prevent access to the most offending groups (binaries.erotica.xyz), as the nets *need* NG access and I haven't found a way to prevent access to any groups other than the approved ones short of setting up a private news server.

Roy Wilson <Emperor_Wilsonat_private>
<WINS#6> Numismatist? <www.winsociety.ws>
PGP Key available from certserver.pgp.com or pgpkeys.mit.edu
Caesar si viveret, ad remum dareris
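The detection idea in the post above, scanning executables for the clear-text "cBot" marker, as an added example (my code, not the poster's): the marker string, the directory layout and the sample files are assumptions constructed to mirror the post, not indicators taken from any real sample.

```python
"""Scan a directory tree for executables that carry a clear-text marker string.
Added example, not from the original post: the marker "cBot", the directory
names and the sample files are assumptions mirroring the post, not real IoCs.
"""
import os
import tempfile
from pathlib import Path

MARKER = b"cBot"   # clear-text string the post says appears in most variants
PE_MAGIC = b"MZ"   # DOS/PE header; skipping non-executables cuts false positives

def file_has_marker(path: Path, marker: bytes = MARKER) -> bool:
    """True if `path` starts with the MZ header and contains `marker` anywhere."""
    try:
        data = path.read_bytes()
    except OSError:          # unreadable or locked file: skip rather than crash
        return False
    return data.startswith(PE_MAGIC) and marker in data

def scan_tree(root: Path, marker: bytes = MARKER) -> list:
    """Walk `root` and return the executables that carry `marker`, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and file_has_marker(p, marker):
                hits.append(p)
    return sorted(hits)

def build_sample_tree(root: Path) -> None:
    """Constructed sample data: a tagged 'dropper', a clean exe, and a text file."""
    (root / "system").mkdir(parents=True, exist_ok=True)
    (root / "system" / "update.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"cBot v1" + b"\x90" * 32)
    (root / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 128)          # clean: no marker
    (root / "readme.txt").write_bytes(b"cBot in plain text, but not an executable")

def demo() -> list:
    """Build the sample tree in a temp dir, scan it, and return relative hit paths."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return [hit.relative_to(base).as_posix() for hit in scan_tree(base)]

if __name__ == "__main__":
    for hit in demo():
        print("marker found:", hit)
```

Only the MZ file containing the marker is reported; the text file mentioning "cBot" and the clean executable are not.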
This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 17:21:19 PDT