lists.openwall.net | Open Source and information security mailing list archives
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: Re: Microsoft Update Loader msrtwd.exe

> When I first posted, I didn't have the EXE. When I
> did receive a copy of the file, I was told I cannot
> send it outside of the network.
>
> Besides, I've been on this list long enough to know
> that questions like mine are asked from time to
> time.

If that's really the case, you should have known what the response would be. When you first posted, you seemed to have absolutely nothing to go on, not even the file itself. As Nick and others have pointed out several times, filenames are next to useless. In your original post, you said, "It's listed in the Registry as "Microsoft Update Loader"", but you couldn't say *where* in the Registry it was listed as such. Are we then to assume that you were referring to the Run key? Which hive? Better yet, if you know that it's in the Registry, why not simply state which key it's located in?

From one of your responses in the thread:

> "There were about 6 Registry entries in the HKLM
> section. I don't have the compromised machine, so I
> cannot tell you the exact locations.
>
> We ran TCPview on the compromised machine and
> watched it connect to an IRC server.

Okay, so you didn't *have* the compromised machine when I asked the question, but at one point you and someone else were sitting at the console of that system running TCPView, and at no point could anyone export the Registry entries to a text file or even simply write down the keys.

Since you eventually were able to get the .exe file itself, did you run strings on it? Check it for file version info (some IRC bots, such as the russiantopz bot, simply use mIRC32.exe as its core)? You said you've been on the list for a while, so I guess one question to ask you is, did you do *anything* besides post to the list?
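The triage steps Harlan asks about (record which autostart key and hive an entry lives in, hash the binary, read its version resource, run strings and look for IRC traces) can be done in one pass at the console of the affected machine. The following PowerShell script is an added example and is not part of the original thread or the poster's tooling; it assumes the suspect binary is supplied as -Path, and the report location and the list of IRC indicator substrings are illustrative choices, not values taken from the post.

```powershell
# Added triage script (not from the thread). Assumptions: -Path points at the
# suspect binary (e.g. a copy of msrtwd.exe); the report path and indicator
# list are arbitrary choices, not values taken from the original post.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$Report = (Join-Path $env:TEMP 'autostart-triage.txt')
)

# Common autostart locations. Keys that do not exist on this system are skipped.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Substrings that suggest an IRC client or bot; illustrative, extend as needed.
$IrcIndicators = 'mIRC', 'PRIVMSG', 'NICK ', 'JOIN #', 'USER ', 'PING :', '6667'

function Get-AutostartEntries {
    # Records every value under each autostart key together with the key it
    # came from, so "which hive, which key" can be answered from the report.
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            [pscustomobject]@{
                Key   = $key
                Name  = $prop.Name
                Value = [string]$prop.Value
            }
        }
    }
}

function Get-PrintableStrings {
    # Minimal strings(1): runs of printable ASCII, both as raw bytes (Latin-1
    # keeps a 1:1 byte-to-char mapping) and as UTF-16LE, which PE resources
    # and many Win32 strings use. UTF-16 runs at odd offsets are not found.
    param([string]$File, [int]$MinLength = 6)
    $bytes   = [System.IO.File]::ReadAllBytes($File)
    $pattern = "[\x20-\x7E]{$MinLength,}"
    $latin1  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
    $utf16   = [System.Text.Encoding]::Unicode.GetString($bytes)
    foreach ($text in $latin1, $utf16) {
        foreach ($m in [regex]::Matches($text, $pattern)) { $m.Value }
    }
}

$out = New-Object System.Collections.Generic.List[string]

$out.Add('== Autostart entries ==')
Get-AutostartEntries | ForEach-Object { $out.Add("$($_.Key) | $($_.Name) = $($_.Value)") }

$out.Add('')
$out.Add("== File: $Path ==")
$out.Add('SHA256: ' + (Get-FileHash -Path $Path -Algorithm SHA256).Hash)

# Version resource: a bot built on a renamed legitimate client often still
# carries that client's CompanyName / OriginalFilename / FileDescription.
$vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
foreach ($field in 'CompanyName', 'ProductName', 'FileDescription', 'OriginalFilename', 'InternalName', 'FileVersion') {
    $out.Add(('{0,-17}: {1}' -f $field, $vi.$field))
}

$out.Add('')
$out.Add('== Strings matching IRC indicators ==')
$escaped = ($IrcIndicators | ForEach-Object { [regex]::Escape($_) }) -join '|'
Get-PrintableStrings -File $Path | Where-Object { $_ -match $escaped } | Sort-Object -Unique |
    ForEach-Object { $out.Add($_) }

$out | Out-File -FilePath $Report -Encoding UTF8
$out
Write-Host "Report written to $Report"
```

Run it on the live system as `.\triage.ps1 -Path C:\path\to\msrtwd.exe` and attach the resulting text file to any request for help; the key paths and version fields are exactly what the replies in this thread were asking for, and the hash lets others match the sample without the file leaving the network.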