Pantek Library

Re: Secure.dcom.exe

From: Harlan Carvey <keydet89(at)yahoo.com>
Date: Thu Aug 07 2003 - 07:09:41 EDT


I wanted to move away from the topic of the sniffer, as it seems to be overdone...

I took a look at the executable. It doesn't seem to have any identifying information compiled into it, and 'strings' doesn't reveal anything of interest. The exe only depends on two DLLs, and calls only a total of 4 functions...none of which have to do with networking.

Regarding what you're doing to find this malware...the ftp server and the IRC bot...what tools are you using? You mentioned netstat, but are you using any tools to list processes, map processes to open ports, etc? If you use those tools that I've listed before, you'll find most of what you're looking for.

Harlan




Received on Thu Aug 7 18:30:59 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:15 EDT

