Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

New Virus Behavior / GDIScan Questions

Published: 2004-09-29
Last Updated: 2004-09-29 23:58:34 UTC
by Pedro Bueno (Version: 1)
0 comment(s)
New virus behavior

Our fellow handler Patrick Nolan sent this news about the Surila.k virus. According to the VirusList.com website "In order to gain full access to the Internet, Surila registers itself in the Windows FirewallPolicy, thereby becoming a legal program with full Internet rights."


This will bypass any Firewall settings that may otherwise block the virus from
contacting the IRC server is connects to for remote control. The virus installs
an HTTP and SMTP proxy server. Traffic to these proxies will be permitted by the
modified firewall rules.
GDIScan questions

We are still receiving some questions about Tom Liston´s tool GDIScan.
In yesterday´s diary, Donald Smith included a good link with a FAQ for the tool ( http://www.bleepingcomputer.com/forums/topict3077.html ). One interesting question is about the tool in Windows 98.

Donald Smith answer explains it well:


"...it means the application was designed to run on win2k and higher.
I have successfully run it on an old 98 machine. The reporting was a
little messed up because my 98 system didn't render the ansi sequences
correctly BUT it did find vulnerable dlls. The report just wasn't in
red/black and had ansi sequences in the text."

-------------------------------------------------------------------

Handler on Duty: Pedro Bueno ( pbueno /AT/ isc.sans.org)

If you are at SANS Network Security 2004 in Las Vegas, send a hello to our lucky Handlers there! (ps. ask them to send some postcard to the handlers over here...(like a brazilian one...)

Keywords:
0 comment(s)
Diary Archives