Re: [normal] RE: [Full-Disclosure] Re: Secure.dcom.exe

[opticfiber]

I finally got a reply back from symantec regarding the file you posted to the list, see below. Not the only change I made to the file was the extension from EXE to TXT as to prevent accidental execution.



This message is an automatically generated reply.  This system is designed to analyze and process virus submissions into the Symantec Security Response and cannot accept correspondence or inquiries. 
Please contact your Technical Support representative if more detailed information about your submission is required.  Do not reply to this message.

Below is a status update on your virus submission:

Date: August 9, 2003

William Reyor
Topsight.net
  

Dear William Reyor,

We have analyzed your submission.  The following is a report of our
findings for each file you have submitted:
filename: C:\Documents and Settings\w_r_r_optical_desktop_systems\Desktop\secure.dcom.txt
machine: TIC-UZMPKXFW5YC
result: See the developer notes 

Developer notes:
C:\Documents and Settings\wreyor\Desktop\secure.dcom.txt does not appear to contain malicious code. 

Our automated system has performed an extensive analysis on the file(s)
that you have submitted and found no evidence of malicious code. If you
have additional evidence to suggest that a malicious program still resides
in the file that was submitted to us, please contact Symantec Technical
Support for assistance.
----------------------------------------------------------------------
This message was generated by Symantec Security Response automation
Should you have any questions about your submission, please contact 
our regional technical support from the Symantec website
(http://www.symantec.com/techsupp/) 
and give them the tracking number in the subject of this message.



--------------------------------------------

Wcc wrote:

opticfiber wrote:

   

On a chance I connected to the irc server 
     

mentioned.(irc.homelien.no). 
   

Did a channel search for "rpc" and found a channel called 
     

"#rpcfucked" 
   

with a contant stream of clients connecting and 
     

disconnecting. Below 
   

is a transcript of the channel for about five minutes or so.
     

They all appear to be on either eatel.net or arcor-ip.net's networks. This
would lead me to believe that this worm infects via it's own network and not
by finding random ip's.
Will Buckner (Wcc)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
 





---------------------------------------------------------------------------
----------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html