> -----Original Message-----
> From: Stephen Blass [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 26, 2003 4:13 PM
> To: Hummer Marchand; [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] new trojan
>
> To clean it out - we remove the WMS.exe from %sysdir% (we've
> seen it on win2k and XP) and remove the install kit from
> %sysdir%\system32\nt, the Servu* files and Serv-UID from
> %sysdir%, and delete the %sysdir%\pk32 directory. On the
> compromised machines we have found you can see WMS.exe in the
> task manager process list and the WinIP service in the
> services list. I've not seen the BUNDLER_WMS.EXE filename yet
> so maybe you have something different or perhaps this is evolution.

Did you find any files in the Recycled directory (not the Recycle Bin)?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
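
An added example, not part of either post: a read-only triage check for the artifacts named in the quoted cleanup steps, usable on a live system or on a mounted disk image. The function names are hypothetical, the directory the poster calls %sysdir% is passed in by the caller, and the process and service names are assumed to have been collected separately.

```python
import fnmatch
import os

# Indicators as named in the quoted message. "%sysdir%" is the poster's term;
# which directory it expands to is an assumption the caller supplies.
NAME_PATTERNS = ("wms.exe", "servu*", "serv-uid")   # entries directly in %sysdir%
SUBDIRS = (("system32", "nt"), ("pk32",))            # install kit and pk32 directory
PROCESS_NAME, SERVICE_NAME = "wms.exe", "winip"


def resolve_dir(root, parts):
    """Resolve parts under root ignoring case, so a disk image mounted on a
    case-sensitive filesystem is handled. Returns the path or None."""
    current = root
    for part in parts:
        try:
            match = next(e for e in os.listdir(current) if e.lower() == part)
        except (OSError, StopIteration):
            return None
        current = os.path.join(current, match)
    return current if os.path.isdir(current) else None


def scan_sysdir(sysdir):
    """Return sorted paths under sysdir matching the file and directory indicators."""
    try:
        entries = os.listdir(sysdir)
    except OSError:
        return []
    hits = [os.path.join(sysdir, e) for e in entries
            if any(fnmatch.fnmatchcase(e.lower(), p) for p in NAME_PATTERNS)]
    hits += [d for d in (resolve_dir(sysdir, p) for p in SUBDIRS) if d]
    return sorted(hits)


def check_live(process_names, service_names):
    """Compare process and service names collected by the caller to the indicators."""
    found = []
    if any(p.lower() == PROCESS_NAME for p in process_names):
        found.append("process:" + PROCESS_NAME)
    if any(s.lower() == SERVICE_NAME for s in service_names):
        found.append("service:" + SERVICE_NAME)
    return found


if __name__ == "__main__":
    import sys
    for hit in scan_sysdir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Serv-U is also a legitimate FTP server product, so a name match is a lead to review alongside the WMS.exe process and WinIP service, not proof of compromise on its own.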
