lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3F35CE82.4070204@topsight.net>
From: opticfiber at topsight.net (opticfiber)
Subject: [normal] RE: Re: Secure.dcom.exe

I finally got a reply back from symantec regarding the file you posted to the list, see below. Not the only change I made to the file was the extension from EXE to TXT as to prevent accidental execution.



This message is an automatically generated reply.  This system is designed to analyze and process virus submissions into the Symantec Security Response and cannot accept correspondence or inquiries. 
Please contact your Technical Support representative if more detailed information about your submission is required.  Do not reply to this message.

Below is a status update on your virus submission:

Date: August 9, 2003

William Reyor
Topsight.net
   


Dear William Reyor,

We have analyzed your submission.  The following is a report of our
findings for each file you have submitted:

filename: C:\Documents and Settings\w_r_r_optical_desktop_systems\Desktop\secure.dcom.txt
machine: TIC-UZMPKXFW5YC
result: See the developer notes 

Developer notes:
C:\Documents and Settings\wreyor\Desktop\secure.dcom.txt does not appear to contain malicious code. 


Our automated system has performed an extensive analysis on the file(s)
that you have submitted and found no evidence of malicious code. If you
have additional evidence to suggest that a malicious program still resides
in the file that was submitted to us, please contact Symantec Technical
Support for assistance.
----------------------------------------------------------------------
This message was generated by Symantec Security Response automation

Should you have any questions about your submission, please contact 
our regional technical support from the Symantec website
(http://www.symantec.com/techsupp/) 
and give them the tracking number in the subject of this message.



--------------------------------------------


Wcc wrote:

>>opticfiber wrote:
>>
>>    
>>
>>>On a chance I connected to the irc server 
>>>      
>>>
>>mentioned.(irc.homelien.no). 
>>    
>>
>>>Did a channel search for "rpc" and found a channel called 
>>>      
>>>
>>"#rpcfucked" 
>>    
>>
>>>with a contant stream of clients connecting and 
>>>      
>>>
>>disconnecting. Below 
>>    
>>
>>>is a transcript of the channel for about five minutes or so.
>>>      
>>>
>
>They all appear to be on either eatel.net or arcor-ip.net's networks. This
>would lead me to believe that this worm infects via it's own network and not
>by finding random ip's.
>
>Will Buckner (Wcc)
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>  
>




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ