[Intrusions] Need help to identify a trojan
Dana Webber
dana at dunrobin.dyn.dhs.org
Sun Jul 11 21:53:54 GMT 2004
Have you tried Ad-Aware from www.lavasoftusa.com? It's free.
On Saturday 10 July 2004 17:24, Axel Pettinger wrote:
> Maxime Ducharme wrote:
> > Hi to the list,
> > one of our customer's servers has been compromised and I'd
> > need help to identify the trojan used.
>
> [snip]
>
> > This file is bound to TCP port 753, and a connection on this
> > port outputs this:
> > 220 jsdaus Microsoft FTP Service (Version 5.0)
>
> [snip]
>
> > Norton says this file is not infected,
>
> That's correct as - strictly speaking - it isn't "infected" ... ;-)
>
> > but it looks really suspicious,
>
> Unpack the file using UPX and then have a look at it with something
> like Notepad.
>
> > we already shut down the server for analysis. It has been used for
> > scanning.
> >
> > Other hack tools have been found under C:\RECYCLER\speedy.
> >
> > I'd like to know which kind of trojan it is, and if it has
> > self-propagating behavior like some Ago-Gaobot.
>
> I don't know that for sure but I really doubt it.
>
> McAfee identifies the file (MD5: ffdbe99a3e614650d93b310a34273d4e) as
> "application SimpelFTP" - note that it doesn't report it as a trojan,
> only as a "potentially unwanted application". This certainly sounds a
> little bit strange because other AV scanners identify it as a backdoor
> trojan variant named "Delf" and the file itself contains the string
> "Simpel IRC BOT".
>
> There seem to be several variants of that "Simpel" program, because the
> one mentioned in the VGrep virus database obviously cannot be the one
> you found:
> http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=SimpelFTP&product=8
>
> Regards,
> Axel Pettinger
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
--
Dana Webber
dana at dunrobin.dyn.dhs.org
http://dunrobin.dyn.dhs.org
Getting a computer system to work is like banging your head against a brick
wall until the wall falls down.