The problem is that the BADTRANS trojan is quite sophisticated: it doesn't use the infected machine's email server but rather initiates its own SMTP connection with an SMTP server specified in the payload. The problem is therefore one of decompilation of the payload. I know the originator of the virus; what I am trying to determine is if this was a normal virus infection or a more deliberate attempt to garner information.
-----Original Message-----
From: Joseph [mailto:[EMAIL PROTECTED]]
Sent: 30 April 2002 13:36
To: Andrew Wordsworth; [EMAIL PROTECTED]
Subject: Re: Bad Trans

What options you have depends on how high your logging is set on your mail server. You can also check the header of the e-mail. Depending on your settings, you should have a line that was logged by your mail server of who the message was accepted for. Otherwise, if you have a log file, search for the information in it.

----- Original Message -----
From: "Andrew Wordsworth" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, April 26, 2002 8:37 AM
Subject: Bad Trans

> I have received a copy of a well known trojan BadTrans
>
> Being a suspicious type I am trying to find out what email address the
> logged files would have been sent to.
>
> Does anyone know a reliable method of doing this.
>
> Andrew
>
