Re: Remote Shell Trojan: Threat, Origin and the Solution

From: Patrick Andry (pandry@wolverinefreight.ca)
Date: 09/10/01


Message-ID: <3B9CFAA0.2060409@wolverinefreight.ca>
Date: Mon, 10 Sep 2001 13:38:40 -0400
From: Patrick Andry <pandry@wolverinefreight.ca>
To: bugtraq@securityfocus.com
Subject: Re: Remote Shell Trojan: Threat, Origin and the Solution

Kevin Gagel wrote:

>Have any expert C programmers examined the C code to see if it actually
>does what the remarks say?
>I am suspicious of anything that is posted anonymously no matter how
>well it's documented. I don't know C well enough to tell if the
>documentation is accurately portraying what the code is really doing.
>
>If it's not then this is one very well crafted "socially engineered"
>virus...
>
The best I can tell, it isn't reading in any weird strings. The most it
looks like it's doing is removing parts of the file in 4k chunks.
Can anyone else verify this?
