Message-ID: <3F35CE82.4070204@topsight.net>
From: opticfiber at topsight.net (opticfiber)
Subject: [normal] RE: Re: Secure.dcom.exe
I finally got a reply back from Symantec regarding the file you posted to the list; see below. Note the only change I made to the file was the extension from EXE to TXT, so as to prevent accidental execution.
This message is an automatically generated reply. This system is designed to analyze and process virus submissions into the Symantec Security Response and cannot accept correspondence or inquiries.
Please contact your Technical Support representative if more detailed information about your submission is required. Do not reply to this message.
Below is a status update on your virus submission:
Date: August 9, 2003
William Reyor
Topsight.net
Dear William Reyor,
We have analyzed your submission. The following is a report of our
findings for each file you have submitted:
filename: C:\Documents and Settings\w_r_r_optical_desktop_systems\Desktop\secure.dcom.txt
machine: TIC-UZMPKXFW5YC
result: See the developer notes
Developer notes:
C:\Documents and Settings\wreyor\Desktop\secure.dcom.txt does not appear to contain malicious code.
Our automated system has performed an extensive analysis on the file(s)
that you have submitted and found no evidence of malicious code. If you
have additional evidence to suggest that a malicious program still resides
in the file that was submitted to us, please contact Symantec Technical
Support for assistance.
----------------------------------------------------------------------
This message was generated by Symantec Security Response automation
Should you have any questions about your submission, please contact
our regional technical support from the Symantec website
(http://www.symantec.com/techsupp/)
and give them the tracking number in the subject of this message.
--------------------------------------------
Wcc wrote:
>>opticfiber wrote:
>>
>>>On a chance I connected to the irc server mentioned (irc.homelien.no).
>>>Did a channel search for "rpc" and found a channel called "#rpcfucked"
>>>with a constant stream of clients connecting and disconnecting. Below
>>>is a transcript of the channel for about five minutes or so.
>
>They all appear to be on either eatel.net or arcor-ip.net's networks. This
>would lead me to believe that this worm infects via its own network and not
>by finding random IPs.
>
>Will Buckner (Wcc)
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html