[Snort-users] spy sender alerts - what is this

Jim Forster jforster at ...176...
Thu Oct 5 16:15:03 EDT 2000


This the info you needed, Jerry?

The server is hidden in a file called "client.exe.  Once executed, the
server will open port 1807 on the infected computer.
When run, it registers itself in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Jim Forster
Network Administrator
RapidNet / DakotaConnect
http://www.snort.org

----- Original Message -----
From: "Jerry Shenk" <jas at ...129...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, October 05, 2000 12:39 PM
Subject: [Snort-users] spy sender alerts - what is this


> Anybody know anything about "spy sender" - UDP port 1807.  Anything I can
> find seem like it's in the backdoor/remote control category but info is
VERY
> limited.  The Arachnids database talks about one that uses TCP and I found
a
> link at http://www.mks-vir.com.pl/trojany/spysender065b.html that seems
like
> a match but I can't speak polish very well;).
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users




More information about the Snort-users mailing list