Re: Amlafvc.exe? Nov 17 2004 12:07AM Jon O. (jono networkcommand com)
All:
This is a variant of Spy_Bot.IQ/.EV (I can't confirm,
don't have the same file *or checksum* from Trend):
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=66514&VName=WORM_SPYBOT.IQ&VSect=T
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.EV&VSect=T
The file is UPX scrambled, so you can poke at it with strings
all you want and won't find much. The easiest thing is to
dump the image from mem.
This one contains all the functions listed on the Trend
site above as well as some others. It even has support for
webcams and recording video.
As far as network traffic, it does all kinds of things, IRC,
Flooding, exploiting other systems, etc. I'll leave the rest
to Jim to summarize as he sees fit.
Thanks,
Jon
On 16-Nov-2004, Jeff Bryner wrote:
> > Ok, I have a machine that has this program running under any user
> > that logs into the machine.
> > IDEAS?
> Have you run strings against it?
> Have you captured any network traffic from the box when it's running?
> Have you run regmon, or filemon or both on the box?
>
>
>
>
> =====
> Jeff
> =====
> "Even though they let him live in their basement and wear black tee shirts, Jeff Minor is still angry with his parents."
> --mens room graffiti at conans pub 39th and hawthorne, portland, oregon
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
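Jon's point that strings finds little in a UPX-packed file can be checked cheaply before going to a memory dump: UPX leaves its UPX0/UPX1 section names in the PE section table, and the packed section reads as near 8 bits per byte of entropy. The following Python triage script is an added example, not code from the thread; the two PE images it inspects are minimal constructed ones (no optional header), not the Amlafvc.exe sample.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted data sits near 8.0, plain x86 code well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def pe_sections(image: bytes):
    """Walk the PE section table; returns (name, raw_offset, raw_size, entropy) per section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER follows the signature
    nsec = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    shdr = coff + 20 + opt_size                # section headers follow the optional header
    out = []
    for i in range(nsec):
        off = shdr + 40 * i                    # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        body = image[raw_ptr:raw_ptr + raw_size]
        out.append((name, raw_ptr, raw_size, round(shannon_entropy(body), 2)))
    return out

def looks_upx_packed(image: bytes) -> bool:
    """UPX keeps its section names; a high-entropy section backs the guess up."""
    secs = pe_sections(image)
    return any(n.startswith("UPX") for n, *_ in secs) or any(e > 7.0 for *_, e in secs)

def build_sample(sections):
    """Constructed minimal PE image (no optional header) for the demo; not a real binary."""
    hdr_len = 0x40 + 4 + 20 + 40 * len(sections)
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    ptr, bodies = hdr_len, b""
    for name, body in sections:
        img += name.ljust(8, b"\0") + struct.pack("<IIII", len(body), 0x1000, len(body), ptr) + b"\0" * 16
        ptr, bodies = ptr + len(body), bodies + body
    return bytes(img) + bodies

# Constructed inputs: a UPX-style layout with a maximum-entropy payload, and a plain text section.
PACKED = build_sample([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 4)])
PLAIN = build_sample([(b".text", b"push ebp; mov ebp, esp; " * 40)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("plain", PLAIN)):
        print(label, looks_upx_packed(img), pe_sections(img))
```

A hit here tells you why strings was empty and that the unpacked image (dumped from memory, as Jon suggests) is the one worth analysing.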