[Intrusions] Need help to identify a trojan

Tom Liston tliston at premmag.com
Sat Jul 10 18:01:37 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maxime-

The lsassvc.exe file is identified by Kaspersky as Backdoor.Delf.oy

While I wasn't able to find any information on this particular variant, 
here are some links to information on the Backdoor.Delf strain.

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.delf.html
http://www.pestpatrol.com/pestinfo/b/backdoor_delf.asp
http://vil.nai.com/vil/content/v_99535.htm

- -TL
SANS Internet Storm Center Malware Analysis Team

On 9 Jul 2004 at 9:34, Maxime Ducharme wrote:

- ---- >8 ---- Snip! 
> The lsassvc.exe is still on angelfire's web server, and I mirrored it
> here:
> http://www.cybergeneration.com/security/2004.07.08/lsassvc.ex_
> 
> This file is bound to TCP port 753, and a connection on this
> port outputs this:
> 220 jsdaus Microsoft FTP Service (Version 5.0)
> 
> Looks like a "special" FTP service. The program answers my "USER"
> and "PASS" commands:
> > USER test
> < 331 Password required for test.
> > PASS test
> < 530 Login incorrect.
> 
> It is also bound on a service name "Local Security Authority Service
> System".
> 
> Norton says this file is not infected, but it looks really suspicious; we
> already shut down the server for analysis. It has been used for scanning.
> 
> Other hack tools have been found under C:\RECYCLER\speedy.
> 
> I'd like to know which kind of trojan it is, and if it has self-propagating
> behavior like some Ago-Gaobot.



-----BEGIN PGP SIGNATURE-----
Version: idw's PGP-Frontend 4.9.6.4 / 6-2004 + PGP 8.1.0
Comment: http://www.hackbusters.net/pgp.txt (FCEB5E7400758B031E4A2948)

iQA/AwUBQPAvB6Oq/X4cwCZKEQL+3wCfdiY9Sb1sOhul/qAxVMeS2QMkFh4An2Cu
lCvkmiMh39xwMyBchgJ5U62K
=w8JN
-----END PGP SIGNATURE-----
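The banner grab Maxime describes (an IIS-style "220 ... Microsoft FTP Service" greeting on TCP 753) can be turned into a repeatable check: connect, read the greeting, parse it as an RFC 959 reply, and flag an FTP greeting on a non-standard port or one whose embedded hostname does not match the host you are actually talking to (a canned banner). The following is an added example, not code from either poster or from the Storm Center; the `expected_host` name and the `start_fake_service` listener are assumptions for the demonstration, and the listener only replays the greeting quoted above, it is not the sample.

```python
"""Flag an FTP-looking greeting on a port where no FTP service belongs."""
import re
import socket
import threading

# Constructed sample input: the greeting line quoted in the post.
TROJAN_BANNER = "220 jsdaus Microsoft FTP Service (Version 5.0)"
STANDARD_FTP_PORTS = {21}

# RFC 959 reply: three-digit code, then a space (single line) or '-' (multi-line).
_REPLY = re.compile(r"^(?P<code>\d{3})(?P<sep>[ -])(?P<text>.*)$")


def parse_reply(line):
    """Return (code, text) for an FTP reply line, or None if it is not one."""
    m = _REPLY.match(line.strip("\r\n"))
    if not m:
        return None
    return int(m.group("code")), m.group("text")


def classify_banner(port, banner, expected_host=None):
    """Return a list of findings (empty means nothing suspicious) for a greeting seen on `port`."""
    findings = []
    parsed = parse_reply(banner)
    if parsed is None:
        findings.append("greeting is not an FTP reply line")
        return findings
    code, text = parsed
    low = text.lower()
    if code != 220:
        findings.append(f"unexpected greeting code {code}")
    if "ftp" in low and port not in STANDARD_FTP_PORTS:
        findings.append(f"FTP greeting on non-standard port {port}")
    # IIS 5 greets as "220 <hostname> Microsoft FTP Service (Version 5.0)."; a
    # hostname that is not the machine's own means the banner is canned.
    if expected_host and "microsoft ftp service" in low:
        claimed = text.split()[0]
        if claimed.lower() != expected_host.lower():
            findings.append(
                f"banner names host {claimed!r}, not {expected_host!r}; greeting looks canned"
            )
    return findings


def grab_banner(host, port, timeout=3.0):
    """Connect, read the first line the service volunteers, and return it as text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(1024)
    return data.decode("ascii", "replace").split("\r\n", 1)[0]


def check_service(host, port, expected_host=None):
    """Grab the greeting from host:port and classify it."""
    return classify_banner(port, grab_banner(host, port), expected_host)


def _serve_once(sock, banner):
    # Accept one client, send the canned greeting, wait for it to hang up.
    conn, _ = sock.accept()
    with conn:
        conn.sendall((banner + "\r\n").encode("ascii"))
        try:
            conn.recv(256)
        except OSError:
            pass
    sock.close()


def start_fake_service(banner=TROJAN_BANNER):
    """Constructed stand-in for the demo: a one-shot localhost listener that replays `banner`.

    Returns the ephemeral port it is listening on.
    """
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    threading.Thread(target=_serve_once, args=(sock, banner), daemon=True).start()
    return sock.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_service()
    # "WEBSRV01" is an assumed hostname standing in for the real server's name.
    for finding in check_service("127.0.0.1", port, expected_host="WEBSRV01"):
        print("FINDING:", finding)
```

Run against a real host, only the `check_service` call is needed; the fake listener exists so the check can be exercised offline. The port test is the cheap signal; the hostname test is the one that catches a backdoor copying a legitimate banner verbatim, because the copied string names someone else's machine.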