[9679] in bugtraq
Re: EMAILed Trojan
daemon@ATHENA.MIT.EDU (Jim Wamsley 303-673-8163)
Fri Feb 19 20:25:28 1999
Date: Thu, 18 Feb 1999 16:28:01 -0700
Reply-To: Jim Wamsley 303-673-8163 <wamsljr@COLTANO.STORTEK.COM>
From: Jim Wamsley 303-673-8163 <wamsljr@COLTANO.STORTEK.COM>
X-To: ntbugtraq@listserv.ntbugtraq.com
To: BUGTRAQ@NETSPACE.ORG
We have discovered two mutants to the ie0199.exe trojan.
In the first mutant, the targeted host was hpns.infotel.bg, rather than
www.infotel.bg. It seems to look at only a handful of well-known sockets.
The second mutant is more malicious. It generates random IP addresses in
the 212.39 and 195.138 address spaces, with socket numbers in a range of 1-199.
Neither mutant touched the sndvol32.exe file.
Someone really has it out for infotel.bg.
[ Jim Wamsley, Network Engineering ]
[ StorageTek 2270 S. 88th St, M.S. 4380, Louisville, CO 80028 ]
[ Audible: (303) 673-8163 Logical jim_wamsley@stortek.com ]
[ Sed quis custodiet ipsos custodes - Juvenal, C. 100 C.E ]
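
Added example, not part of the original message: a sketch of how the second variant's traffic pattern could be spotted in flow or firewall logs. It assumes the "212.39 and 195.138 address spaces" mean the two /16 networks; the log format, sample records and threshold are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: "212.39 and 195.138 address spaces" read as /16 networks.
TARGET_NETS = [ipaddress.ip_network("212.39.0.0/16"),
               ipaddress.ip_network("195.138.0.0/16")]
PORT_RANGE = range(1, 200)   # "socket numbers in a range of 1-199"
MIN_DISTINCT = 3             # hypothetical threshold; tune per site

# Constructed sample flow records: "src_ip dst_ip dst_port"
SAMPLE_LOG = """\
10.1.1.5 212.39.4.17 23
10.1.1.5 195.138.200.9 110
10.1.1.5 212.39.77.1 79
10.1.1.5 212.39.4.17 23
10.1.1.8 212.39.10.10 8080
10.1.1.8 198.51.100.7 25
10.1.1.9 195.138.1.1 80
not a flow line
"""

def parse(line):
    """Return (src, dst, port) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return (ipaddress.ip_address(parts[0]),
                ipaddress.ip_address(parts[1]), int(parts[2]))
    except ValueError:
        return None

def suspicious_sources(log_text, min_distinct=MIN_DISTINCT):
    """Map source IP -> count of distinct (dst, port) pairs matching the
    described pattern, for sources at or above the threshold."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst, port = rec
        if port in PORT_RANGE and any(dst in n for n in TARGET_NETS):
            seen[str(src)].add((str(dst), port))
    return {s: len(p) for s, p in seen.items() if len(p) >= min_distinct}

if __name__ == "__main__":
    for src, n in suspicious_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct targets in described ranges")
```

Counting distinct destination/port pairs rather than raw connections keeps a single busy legitimate session from tripping the threshold.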