[Dshield] ev1.net trojan (was yahoo.fr trojan)

WMAVT@aol.com WMAVT at aol.com
Sun Jan 18 16:29:59 GMT 2004


I found something interesting or maybe a bug it the server, If I use 
           http://www.whois.net/whois.cgi2?d=66.98.208.24
I get the below
            WHOIS information for 208.24:
[whois.melbourneit.com]

       Maybe it is coming from more than 1 site??
                        see ya Bill

========Original Message======== 
Subj:   [Dshield] ev1.net trojan (was yahoo.fr trojan)  
Date:   1/17/2004 10:18:55 AM Mountain Standard Time    
From:    jullrich at sans.org (Johannes B. Ullrich)
Sender:    list-bounces at dshield.org
Reply-to: <A HREF="mailto:list at dshield.org">list at dshield.org</A> (General DShield Discussion List)
To:    list at dshield.org
    
File:   signature.asc (196 bytes) DL Time (115200 bps): < 1 minute      
    



Looks like we got a simple, but interesting trojan on your hands. Things
are still somewhat in flux, but I will try to keep on updating the diary
accordingly:

http://isc.sans.org/diary.html?date=2004-01-16

Please send me any sample you may have.

-- 
CTO SANS Internet Storm Center    http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm


_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see: 
http://www.dshield.org/mailman/listinfo/list


----------------------- Headers --------------------------------
Return-Path: <list-bounces at dshield.org>
Received: from  rly-ya02.mx.aol.com (rly-ya02.mail.aol.com [172.18.141.34]) 
by air-ya04.mail.aol.com (v97.18) with ESMTP id MAILINYA41-14740096e79115; Sat, 
17 Jan 2004 12:18:55 -0500
Received: from  mail.giac.net (mail1.giac.net [65.173.218.103]) by 
rly-ya02.mx.aol.com (v97.10) with ESMTP id MAILRELAYINYA27-14740096e79115; Sat, 17 Jan 
2004 12:18:49 -0500
Received: (qmail 21619 invoked from network); 17 Jan 2004 17:18:46 -0000
Received: from  (HELO dshield.com) (@)
  by 0 with SMTP; 17 Jan 2004 17:18:46 -0000
Received: from maverick12.sans.org (localhost.localdomain [127.0.0.1])
    by dshield.com (8.11.6/8.11.6) with ESMTP id i0HHIfv31538;
    Sat, 17 Jan 2004 17:18:41 GMT
Received: from mail.giac.net (iceman1 [65.173.218.103])
    by dshield.com (8.11.6/8.11.6) with SMTP id i0HH0Qv30850
    for <list at maverick12.sans.org>; Sat, 17 Jan 2004 17:00:26 GMT
Received: (qmail 10059 invoked from network); 17 Jan 2004 17:00:26 -0000
Received: from  (HELO dshield.org) (@)
    by 0 with SMTP; 17 Jan 2004 17:00:26 -0000
Old-Received: (qmail 10046 invoked from network); 17 Jan 2004 17:00:25 -0000
Old-Received: from mail.euclidian.com (68.166.125.210)
    by 0 with SMTP; 17 Jan 2004 17:00:25 -0000
Old-Received: (qmail 1170 invoked from network); 17 Jan 2004 17:00:24 -0000
Old-Received: from  (HELO bartdocked.lan) ()
    by 0 with SMTP; 17 Jan 2004 17:00:24 -0000
From: "Johannes B. Ullrich" <jullrich at sans.org>
To: list at dshield.org
Organization: SANS Institute - Internet Storm Center
Message-Id: <1074358824.7565.509.camel at bart>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.5 
Date: Sat, 17 Jan 2004 12:00:24 -0500
Old-X-Envelope-To: list at dshield.org
X-Seen-By: bob list
X-Envelope-To: UNKNOWN
X-Mailman-Approved-At: Sat, 17 Jan 2004 17:11:40 +0000
Subject: [Dshield] ev1.net trojan (was yahoo.fr trojan)
X-BeenThere: list at dshield.org
X-Mailman-Version: 2.1.3
Precedence: list
Reply-To: General DShield Discussion List <list at dshield.org>
List-Id: General DShield Discussion List <list.dshield.org>
List-Unsubscribe: <http://www.dshield.org/mailman/listinfo/list>,
    <mailto:list-request at dshield.org?subject=unsubscribe>
List-Archive: <http://www.dshield.org/pipermail/list>
List-Post: <mailto:list at dshield.org>
List-Help: <mailto:list-request at dshield.org?subject=help>
List-Subscribe: <http://www.dshield.org/mailman/listinfo/list>,
    <mailto:list-request at dshield.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1105576067=="
Sender: list-bounces at dshield.org
Errors-To: list-bounces at dshield.org
X-AOL-IP: 65.173.218.103
X-AOL-SCOLL-SCORE: 0:XXX:XX
X-AOL-SCOLL-URL_COUNT: 0







More information about the list mailing list