Hosting Provided By

Stukach Trojaned SysReg.exe

From: Information Security <InformationSecurity(at)federatedinv.com>
Date: Fri May 23 2003 - 16:48:06 EDT

Picked up a Norton alert for an infected SysReg.exe file. I think the new definitions identified a file that was laid down a few days before. The trojan is a version of stukach
(http://www.glocksoft.com/trojan_list/Stukach.htm, http://www.ntsecurity.net/Panda/Index.cfm?FuseAction=Virus&VirusID=27), 49,152 bytes. I haven't yet been able to identify the payload. Intersting strings from the file:

HKEY_CURRENT_USER\Software\IExplore\AID
HKEY_CURRENT_USER\Software\IExplore\ID
HKEY_CURRENT_USER\Software\IExplore\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysReg

http://tp.searchseekfind.com/cgi-bin/TPS/Checkin.pl?ID=%s&Affid=%s&Connectio nType=%d&Version=%d
open
HKEY_CURRENT_USER\Software\IExplore\%s

There's some coincidental time stamps and info on the infected machines that make me believe this may be in some way linked to weatherbug--possibly through one of their popups.

Any correlation would be helpful. Still looking for more info.

Thanks!

Wireless LAN Policies for Security & Management - NEW White Paper *** Just like wired networks, wireless LANs require network security policies that are enforced to protect WLANs from known vulnerabilities and threats. Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at: http://www.securityfocus.com/AirDefense-incidents

Received on Mon May 26 12:20:56 2003

This message: [ Message body ]
Next message: terry white: "is this new ..."
Previous message: Chip Mefford: "Re: A question for the list..."

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:06 EDT