Date: Fri May  6 18:12:19 2005
From: michael.holstein at csuohio.edu (Michael Holstein)
Subject: wintcpmod.exe Hear of it?

Probably a <flavor_of_the_month>bot variant. Run it by Norman's sandbox 
and see what shakes out.

http://sandbox.norman.no/live_4.html

Try to Un-[upx|rar|zip] it first .. Norman's website doesn't handle 
programs that are compressed multiple times so well (and bot-kiddies 
like to do just that to hide them/frustrate us).

Also .. check standard spots in the registry to see if it's set to run 
on startup (HKLM/Software/Microsoft/Windows/CurrentVersion/Run and 
RunServices).

As mentioned in another post, http://www.virustotal.com is another good 
spot to run it through.

Seeing the same file in those two places is fairly common bot behavior 
.. they want to ensure they get it at least one place that's in the $PATH.

If all else fails, a VMware guest (with Ethereal on the host O/S) is 
your friend.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

Dan Bambach wrote:
> I noticed today that a program wintcpmod.exe, located in two places on 
> my hard drive, windows\system and windows\system32 was attempting to 
> access port 53. My firewall blocked it and sent an alert. I am on the 
> road, so I have not had time to fully investigate this yet, but a Google 
> search produced very little about this program. It sets a registry key 
> for local machine "run", and can be seen on the process screen. It does 
> not appear in the services list. I was able to kill it, but in my Google 
> search, someone has claimed that they were unable to kill the process. I 
> am running WinXP SP2 fully patched, and Symantec AntiVirus, 
> ZoneAlarmPro. Microsoft AntiSpyware does not report anything.
> 
> Dan Bambach
> 
> Dan@...mbach.net <mailto:Dan@...mbach.net>
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
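The two checks Michael suggests (look at the Run/RunServices autostart keys, and note a binary that sits in both windows\system and windows\system32, as Dan saw with wintcpmod.exe) can be done in one read-only pass. The script below is an added example written for this thread, not something either poster provided; it assumes PowerShell on the host being triaged, and the HKCU Run key is an extra location I added beyond the two keys named in the post.

```powershell
# Added triage example (not from the original thread): list autostart entries under
# the Run/RunServices keys named in the post and flag any image that also exists in
# both %WINDIR%\system and %WINDIR%\system32. Read-only: nothing is changed or killed.
$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'   # assumption: also worth a look
)
$sysDirs = @("$env:WINDIR\system", "$env:WINDIR\system32")

foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }          # skip keys this Windows version lacks
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # drop PSPath/PSParentPath/... metadata
        $cmd = [string]$p.Value
        # Isolate the executable from the command line: strip a quoted path or arguments.
        $image = ((($cmd -replace '^"([^"]+)".*$', '$1') -split '\s+')[0])
        if ([string]::IsNullOrWhiteSpace($image)) { continue }
        $leaf = Split-Path -Leaf $image
        # Count how many of the two system directories hold a file with that name.
        $copies = @($sysDirs | Where-Object { Test-Path (Join-Path $_ $leaf) })
        $flag = if ($copies.Count -ge 2) { '<-- same name in system AND system32' } else { '' }
        '{0}\{1} = {2} {3}' -f $key, $p.Name, $cmd, $flag
    }
}
```

Any flagged line is a candidate to submit to the sandbox or VirusTotal as the post suggests; the script itself only reports.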
