[Snort-users] winhe800 trojan

Joel Esler jesler at ...1935...
Fri Aug 19 11:59:36 EDT 2011


Crusty,

We've pulled the sample and we're working on it now.

Thanks

Joel

On Aug 19, 2011, at 6:40 AM, Crusty Saint wrote:

> Hi,
> 
> I've just come across a machine which has been repeatedly infected with a more or less recent Trojan recognisable by the winhe800.exe filename.
> 
> Little information exists and it is not 100% consistent. Evidence was deleted by an overzealous admin, so I cannot simply try and build a custom rule for this.
> 
> Anyone out there having a resource or rule available for usage? I've found reference to a dropper but no useful sig in the ruleset(s). Also no useful result in threatexpert, virustotal or others.
> 
> No specific rule for winhe800.exe etc.
> 
> Resources
> 
> ( only works from webcache )  http://webcache.googleusercontent.com/search?q=cache:HvFwmWx3I2EJ:xml.ssdsandbox.net/view/bf7b927f7e737a49cb46c25a447fa254+winhe800+url&cd=3&hl=nl&ct=clnk&gl=nl&source=www.google.nl
> 
> http://home.mcafee.com/virusinfo/virusprofile.aspx?key=556848#none
> http://vil.nai.com/vil/content/v_472810.htm
> 
> http://download.globalhauri.com/customer/security/virus_view.html?intSeq=2251&page=14&keyfield=&key=&SelectPart=
> http://www.hauri.co.kr/customer/security/virus_view.html?intSeq=2251&page=12&keyfield=&key=&SelectPart=1
> 
> 
> Best Regards,
> 
> S.C.
> 
> -- 
> - - -
> Security Engineer - Tags: Analyst Systems Security Linux Firewall Network Web Troubleshooting - If you think I deserve a rant, write me off-list
> 
