-
September 27th, 2002, 11:31 AM
#1
Flabooble!
Which trojan?
OK, I did something stupid. I DLed and ran a file that installed a trojan (I'm pretty sure).
I run Win 2000 on this machine.
A file named wincfg.exe tries to send to 199.44.44.199 on port 6667 - over and over and over and over and.... About every 15 seconds.
I have run AVG - found nothing. Ran Trojan Cleaner - found nothing - it did find a trojan in the original file (I'll post its name tonight when I get home - like sdon or something) and I deleted it.
My firewall is blocking the trojan from communicating right now and I cannot ping, scan or tracert to 199.44.44.199. There is a servername but I can't remember it right now - again, will post later (something.something.wu).
I have looked it up and several trojans send over the 6667 port but none seems to use wincfg.exe. The trojan that uses wincfg.exe is "Matrix" but it uses port 1269.
My question - have I discovered a new trojan and should delete wincfg.exe and any associated registry entries, or is wincfg.exe a legitimate program?
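The behaviour described in this post (one process retrying the same destination and port on a fixed timer, every ~15 seconds) is exactly what makes beaconing stand out in firewall logs. As an added example, not taken from this thread, the Python below parses constructed firewall log lines and flags any connection series whose inter-arrival times are nearly constant; the log layout, hostnames and process names other than wincfg.exe are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample firewall log (not from the original thread): a blocked
# outbound attempt from wincfg.exe every 15 s, plus unrelated browsing.
SAMPLE_LOG = """\
2002-09-27 11:00:00 BLOCK OUT 192.168.1.10:1045 -> 199.44.44.199:6667 wincfg.exe
2002-09-27 11:00:15 BLOCK OUT 192.168.1.10:1046 -> 199.44.44.199:6667 wincfg.exe
2002-09-27 11:00:30 BLOCK OUT 192.168.1.10:1047 -> 199.44.44.199:6667 wincfg.exe
2002-09-27 11:00:45 BLOCK OUT 192.168.1.10:1048 -> 199.44.44.199:6667 wincfg.exe
2002-09-27 11:01:00 BLOCK OUT 192.168.1.10:1049 -> 199.44.44.199:6667 wincfg.exe
2002-09-27 11:00:07 ALLOW OUT 192.168.1.10:1050 -> 10.0.0.5:80 iexplore.exe
2002-09-27 11:00:52 ALLOW OUT 192.168.1.10:1051 -> 10.0.0.5:80 iexplore.exe
2002-09-27 11:03:11 ALLOW OUT 192.168.1.10:1052 -> 10.0.0.9:443 iexplore.exe
"""

# Assumed log layout: "<date> <time> <ACTION> OUT <src:port> -> <dst:port> <process>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) OUT \S+ -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proc>\S+)$"
)

def parse(log):
    """Yield (timestamp, dst_ip, dst_port, process) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["dst"], int(m["port"]), m["proc"])

def find_beacons(log, min_hits=4, max_jitter=0.2):
    """Return {(process, dst_ip, dst_port): mean_interval_seconds} for every
    connection series that is regular enough to look like a timer-driven beacon."""
    series = defaultdict(list)
    for ts, dst, port, proc in parse(log):
        series[(proc, dst, port)].append(ts)
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: near zero means the gaps barely vary,
        # i.e. a retry loop rather than human-driven traffic.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons
```

On the sample above only the wincfg.exe series to 199.44.44.199:6667 is reported, with a 15 s mean interval; the sparse browser traffic never reaches the hit threshold.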
-
September 27th, 2002, 11:44 AM
#2
Registered User
You got yerself a bug.
Check out:
http://www.hackfix.org/miscfix/matrix.shtml
OR
http://www.titan.co.nz/clint/page58.html
I would just clean it out rather than risk any potential damage. It's some sort of variation, it seems.
Vote DrewmazTech for President!
"'Tis better to remain silent and be thought of as a fool than open your mouth and remove all doubt" - Mark Twain
-
September 27th, 2002, 11:50 AM
#3
Driver Terrier
Port 6667 is a standard IRC port... I get no DNS name for that IP, but I suggest it's reporting to a chatroom bot.
Never, ever approach a computer saying or even thinking "I will just do this quickly."
-
September 27th, 2002, 11:53 AM
#4
Registered User
-
September 27th, 2002, 12:00 PM
#5
Flabooble!
These are all close but they all use ports different than 6667. Well, it's prolly a variant so I'm gonna remove the registry entries and delete the file (It's not present on other 2000 machines - I was able to look at a few others now that I'm at work).
If anyone finds the exact trojan - let me know because i couldn't find it.
Thanks guys!
-
September 27th, 2002, 01:04 PM
#6
Registered User
-
September 28th, 2002, 01:20 AM
#7
Flabooble!
I deleted it, killed the registry entry and it ain't bootin' or hammerin' my firewall any more.
-
September 28th, 2002, 03:22 PM
#8
Driver Terrier
Just for the sake of interest, while tracking down a few port questions in chat today I found this list of trojans sorted by the port they use.
Hope someone finds it useful.
Never, ever approach a computer saying or even thinking "I will just do this quickly."
-
September 29th, 2002, 01:10 AM
#9
Flabooble!
It's a nice list. I still don't see my trojan. Poopy.
-
September 29th, 2002, 10:31 AM
#10
Registered User
Well, the only one on my list that wasn't on NooNOo's was a function of the PrettyPark virus... but remember, ports are default only and can be changed, so you probably had a variant of a SubSeven or something. Did you ever submit it? It may be new.
-
September 30th, 2002, 01:30 AM
#11
On the subject of trojans, I've been using a free scanner program called "Swat-it" for a few months now. Not sure how good it is, but it seems to do the job (found a couple I had on my system).
http://lockdowncorp.com/bots/downloadswatit.html
Danyll
If we live in an insane world, how can I be normal if I'm sane?
"I'm reminded of the immortal words of Socrates who said-'I drank what?'"-Val Kilmer (Real Genius)
-
September 30th, 2002, 03:37 AM
#12
Driver Terrier
I have been chasing I.Qaaz around my 9x boxes (it's the one that changes notepad.exe). Darn thing is like a cartoon chest of drawers - close it off in one and it pops up in another - grrrr. Interestingly, AVG says it's there, HouseCall online doesn't find it.
Never, ever approach a computer saying or even thinking "I will just do this quickly."
-
September 30th, 2002, 03:20 PM
#13
Flabooble!
Originally posted by geoscomp
Well, the only one on my list that wasn't on NooNOo's was a function of the PrettyPark virus... but remember, ports are default only and can be changed, so you probably had a variant of a SubSeven or something. Did you ever submit it? It may be new.
I think it is new and is a variant of Mandrake Matrix. 2 trojan scanners and AVG fail to find it.
Haven't tried Swat It yet but I will. Thanks!