lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
From: pauls at utdallas.edu (Schmehl, Paul L) Subject: new trojan > -----Original Message----- > From: Stephen Blass [mailto:Stephen.Blass@....edu] > Sent: Friday, September 26, 2003 4:13 PM > To: Hummer Marchand; full-disclosure@...ts.netsys.com > Subject: RE: [Full-Disclosure] new trojan > > To clean it out - we remove the WMS.exe from %sysdir% (we've > seen it on win2k and XP) and remove the install kit from > %sysdir%\system32\nt, the Servu* files and Serv-UID from > %sysdir%, and delete the %sysdir%\pk32 directory. On the > compromised machines we have found you can see WMS.exe in the > task manager process list and the WinIP service in the > services list. I've not seen the BUNDLER_WMS.EXE filename yet > so maybe you have something different or perhaps this is evolution. > Did you find any files in the Recycled directory (not the Recycle Bin.) Paul Schmehl (pauls@...allas.edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/
Powered by blists - more mailing lists