Message-ID: <20040910113021.26734.qmail@web51502.mail.yahoo.com>
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: Any idea about that?

> I received this file through email (Yahoo) nothing
> was detected from Yahoo
> or NAV 2003. According to my understanding this is
> some kind of worm or
> irc-bot. I found this file making connections on
> port 6667 6660 and opening
> major important ports on the infected PC.  
> 
> Any one has seen this before?

Interesting post...almost no information at all
(notice I said *almost*).  

You get a file and simply post it to the 'net.  Didn't
we just go through a whole thing about where you can
go to post this sort of thing?  Weren't links posted
to several sites one could go to?

Also, the best you were able to provide is "making
connections on port 6667 6660 and opening major
important ports on the infected PC."  Is that it? 
What are these "important ports"?  

What about any file analysis on your own?  Strings? 
Did you look for any embedded information, such as
file version info, or evidence of the use of UPX? 
Since you seem to have opened and run the bot, did you
happen to run something like InControl5 in order to
see what changes were made to your system by this thing?
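
Added example, not part of the original post: a static first-pass triage in Python covering the checks the reply asks about (strings, embedded version info, evidence of UPX) plus a search for IRC-related strings, without ever executing the file. The function names, the IRC keyword list and the sample bytes are assumptions constructed for illustration.

```python
import re
import struct

def section_names(data):
    """Return PE section names, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:                    # truncated section table
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def strings(data, min_len=5):
    """Printable ASCII and UTF-16LE runs, like the strings utility."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in narrow] + [w.decode("utf-16-le") for w in wide]

def triage(data):
    """Static checks only; the file is never loaded or executed."""
    names = section_names(data)
    found = strings(data)
    return {
        "is_pe": names is not None,
        "sections": names or [],
        # Heuristic: stock UPX leaves UPX0/UPX1 section names and a "UPX!" marker.
        "upx_packed": any(n.startswith("UPX") for n in names or []) or b"UPX!" in data,
        "has_version_info": "VS_VERSION_INFO".encode("utf-16-le") in data,
        "irc_strings": [s for s in found if re.search(r"PRIVMSG|JOIN #|NICK |666[0-9]", s)],
    }

def constructed_sample():
    """Inert bytes shaped like a packed PE header plus IRC strings (constructed)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    sections = b"UPX0".ljust(40, b"\0") + b"UPX1".ljust(40, b"\0")
    body = b"JOIN #chan\0PRIVMSG %s :%s\0irc.example.invalid:6667\0"
    return dos + coff + sections + body

if __name__ == "__main__":
    print(triage(constructed_sample()))
```

A negative UPX result here only means the stock section names and marker are absent; a renamed or modified packer will not be flagged by this heuristic.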

