Message-ID: <sf688d92.079@gwm.sc.ed>
From: RKaiser at gwm.sc.edu (Russell Kaiser)
Subject: AMDPatchB & InstallStub

Might be a variant of W32/Gaobot.  This worm connects to an IRC server
on TCP port 9900.  Looking at the Auth/Ident response from the server it
looks like an IRC server.

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.html

http://vil.nai.com/vil/content/v_100611.htm

Russell Kaiser
Network Security Engineer
Computer Services
University of South Carolina



>>> "Michael Linke" <ml@...ract.org> 9/17/2003 3:05:33 PM >>>
On one of our computers with Internet access, I found a strange program
running.
amdpatchB.exe (38 KB)

This program is trying to get Internet access while starting.
amdpatchB.exe is connecting to 63.246.134.50:9900.
There is a text-based protocol running on 63.246.134.50 at a service on
port 9900.
See Telnet output:
________________________________________________________
telnet 63.246.134.50 9900
Trying 63.246.134.50...
Connected to 63.246.134.50.
Escape character is '^]'.
NOTICE AUTH :*** Looking up your hostname
NOTICE AUTH :*** Checking Ident
NOTICE AUTH :*** Found your hostname
help
:Drones2.newiso.org 451 *  :Register first.
_________________________________________________________

I used Google to look for this filename but got no result.
Any ideas what this is?

Regards,
Michael
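
The banner reasoning in this thread, as an added example that is not part of either message: a Python check that parses captured server lines as RFC 1459 messages and flags IRC answering on an unusual port. The function names and the list of common IRC ports are assumptions of this example; the sample capture is the server output from the telnet session above.

```python
import re

# Sample input: server lines copied from the telnet session quoted above,
# plus the "help" the user typed (not a server line, must be ignored).
CAPTURE = """\
NOTICE AUTH :*** Looking up your hostname
NOTICE AUTH :*** Checking Ident
NOTICE AUTH :*** Found your hostname
help
:Drones2.newiso.org 451 *  :Register first.
"""

# Assumption of this example: ports on which IRC is commonly expected.
COMMON_IRC_PORTS = {194, 6697} | set(range(6660, 6670))

# RFC 1459 message: [":" prefix SPACE] command [params] [" :" trailing]
MSG_RE = re.compile(
    r"^(?::(?P<prefix>\S+) +)?(?P<command>[A-Za-z]+|\d{3})(?P<rest>(?: .*)?)$")

def parse_irc_line(line):
    """Return prefix, command and params of one line, or None if unparsable."""
    m = MSG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    middle, sep, trailing = m.group("rest").partition(" :")
    params = middle.split()
    if sep:                      # trailing parameter may contain spaces
        params.append(trailing)
    return {"prefix": m.group("prefix"),
            "command": m.group("command").upper(), "params": params}

def assess(capture, port):
    """Count IRC-specific server replies in a banner and judge the port."""
    notice_auth, numerics = 0, []
    for line in capture.splitlines():
        msg = parse_irc_line(line)
        if msg is None:
            continue
        if msg["command"] == "NOTICE" and msg["params"][:1] == ["AUTH"]:
            notice_auth += 1     # ident/hostname lookup notices sent on connect
        elif msg["command"].isdigit() and msg["prefix"]:
            numerics.append((msg["prefix"], msg["command"]))  # e.g. 451
    irc = bool(notice_auth or numerics)
    return {"irc": irc, "notice_auth": notice_auth, "numerics": numerics,
            "nonstandard_port": irc and port not in COMMON_IRC_PORTS}
```

Numeric 451 is ERR_NOTREGISTERED in RFC 1459, which is why the server answers "Register first." to an unregistered client.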

