[9714] in bugtraq
Re: EMAILed Trojan
daemon@ATHENA.MIT.EDU (veni markovski)
Sun Feb 21 23:27:31 1999
Date: Sun, 21 Feb 1999 10:59:26 +0200
Reply-To: veni markovski <veni@veni.com>
From: veni markovski <veni@VENI.COM>
X-To: Jim Wamsley 303-673-8163 <wamsljr@COLTANO.STORTEK.COM>
To: BUGTRAQ@NETSPACE.ORG
The mutant was distributed among end-users, and some of them even installed
it.
The cause for writing it is the decree of the Bulgarian Committee for Post
and telecommunications to license ISPs. More details about it can be seen at
http://www.isoc.bg/kpd/ (there's an English version, too).
I already said publicly here that such a "reaction" is causing problems to
Infotel, but not to the people who created the decree.
regards,
Veni Markovski,
Chairman, the Internet Society - Bulgaria,
http://www.isoc.bg, http://www.bol.bg/isoc/
phone: (+359-2) 9809666, phone/fax (+359-2) 9806431
mailing address: p.o.box 71, Sofia 1164, Bulgaria
>We have discovered two mutants to the ie0199.exe trojan.
>
>In the first mutant, the targeted host was hpns.infotel.bg, rather than
>www.infotel.bg. It seems to look at only a handful of well-known sockets.
>
>The second mutant is more malicious. It generates random IP addresses in
>the 212.39 and 195.138 address spaces, with socket numbers in a range of
>1-199.
>
>Neither mutant touched the sndvol32.exe file.
>
>Someone really has it out for infotel.bg.
>
>[ Jim Wamsley, Network Engineering ]
>[ StorageTek 2270 S. 88th St, M.S. 4380, Louisville, CO 80028 ]
>[ Audible: (303) 673-8163 Logical jim_wamsley@stortek.com ]
>[ Sed quis custodiet ipsos custodes - Juvenal, C. 100 C.E ]