Re: OT : Please Help Security Guys ! (Backdoor issue)

From: Joseph Jenkins <joe_at_breathe-underwater.com>
Date: Mon, 26 Apr 2010 19:31:10 -0700

IMHO, I would just rebuild if you can. Trying to correct corrupted executables is sometimes not worth the trouble.

On Apr 26, 2010, at 3:19 PM, Edouard Zorrilla wrote:

> Hi,
>
> I got to the issue: explorer.exe was sending information to Turkey and Denmark using https. Do you know how to see if explorer.exe has been cracked? Maybe I can edit it with a binary tool.
>
> Thanks
>
> ----- Original Message ----- From: "Andrey Tarasov" <andyvt_at_gmail.com>
> To: <Charles.Henson_at_regions.com>
> Cc: "Edouard Zorrilla" <ezorrilla_at_tsf.com.pe>; <ccielab_at_groupstudy.com>; <nobody_at_groupstudy.com>; <security_at_groupstudy.com>
> Sent: Monday, April 26, 2010 10:07 AM
> Subject: Re: OT : Please Help Security Guys ! (Backdoor issue)
>
>
>> Hi Edouard,
>>
>> "netstat -ab" is your friend.
>>
>> Regards,
>> Andrey.
>>
>>> Hi,
>>>
>>> Here we are facing an issue with a backdoor that uses https to send information from machines to the internet (Turkey and Denmark: 78.189.194.126, 93.160.202.224). The issue is that we have cleaned these machines with every antivirus we know, but the machines keep sending https traffic and we do not know how to get at the application (backdoor) that is sending our information to Turkey and Denmark. These machines are already isolated.
>>>
>>> Do you know a Windows tool so that I can see which application is using a specific destination protocol? I mean, WinMail.exe sends pop3 and smtp to the internet; now I need to know which application is sending https traffic to the Internet from these machines.
>>>
>>> Thanks a lot,
>>>
>>> Warm regards
>

Joseph

Tech blog
http://secadmin.wordpress.com
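The two questions in the quoted thread (which process owns the outbound https connections, and whether explorer.exe on disk has been tampered with) can be answered from an elevated PowerShell prompt. The script below is an added example and is not code from anyone in the thread. It assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection exists and Get-AuthenticodeSignature also validates catalog-signed system binaries; on older hosts "netstat -ab" from an elevated prompt gives the same process mapping, and Sysinternals sigcheck gives the signature check. The two IP addresses are the ones named in the original post; every other value is a constructed placeholder.

```powershell
# Added example (not from the thread). Requires an elevated prompt on Windows 8+ / PowerShell 3+.

# Destinations named in the original post.
$SuspectDestinations = @('78.189.194.126', '93.160.202.224')

function Get-OutboundConnectionOwner {
    # Map established outbound TCP connections to the process that owns them
    # and report whether that process's image on disk is Authenticode-signed.
    param(
        [string[]]$RemoteAddress = $SuspectDestinations,
        [int[]]$RemotePort = @(443)      # https; widen if the backdoor uses another port
    )
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { ($RemoteAddress -contains $_.RemoteAddress) -or ($RemotePort -contains $_.RemotePort) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $path = if ($proc) { $proc.Path } else { $null }
            $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            [pscustomobject]@{
                RemoteAddress   = $_.RemoteAddress
                RemotePort      = $_.RemotePort
                PID             = $_.OwningProcess
                Process         = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                Path            = $path
                SignatureStatus = if ($sig) { $sig.Status } else { 'n/a' }
                Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
                SHA256          = if ($path) { (Get-FileHash -Path $path -Algorithm SHA256).Hash } else { 'n/a' }
            }
        }
}

function Test-SystemBinary {
    # Compare a system binary on disk against a reference hash taken from a clean
    # install of the same Windows build, and check its signature. $KnownGoodSha256
    # is a placeholder: supply the hash from a known-good copy yourself.
    param(
        [string]$Path = "$env:SystemRoot\explorer.exe",
        [string]$KnownGoodSha256 = ''
    )
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path             = $Path
        SHA256           = $actual
        MatchesKnownGood = if ($KnownGoodSha256) { $actual -eq $KnownGoodSha256.ToUpper() } else { 'no reference supplied' }
        SignatureStatus  = $sig.Status
        IsOSBinary       = $sig.IsOSBinary
    }
}

function Get-UnsignedLoadedModules {
    # A clean explorer.exe on disk does not rule out a DLL injected into the
    # running process; list loaded modules whose image is not validly signed.
    param([string]$ProcessName = 'explorer')
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
        $owner = $_.Id
        $_.Modules | ForEach-Object {
            $msig = Get-AuthenticodeSignature -FilePath $_.FileName
            if ($msig.Status -ne 'Valid') {
                [pscustomobject]@{ PID = $owner; Module = $_.FileName; SignatureStatus = $msig.Status }
            }
        }
    }
}

# Usage: run each check and look at the results together.
Get-OutboundConnectionOwner | Format-Table -AutoSize
Test-SystemBinary -KnownGoodSha256 'PLACEHOLDER_HASH_FROM_CLEAN_BUILD' | Format-List
Get-UnsignedLoadedModules | Format-Table -AutoSize
```

Two caveats apply to the output. First, on a host that is already compromised, the tools above run under the same kernel the backdoor may have hooked, so a connection list or a "Valid" signature produced there is evidence, not proof; the reference hash should come from clean media and, as Joseph says, a rebuild is the reliable way to return to a trusted state. Second, explorer.exe showing up as the owner of the https connection more often means code injected into that process than a patched file on disk, which is why the loaded-module check is listed alongside the file hash.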

Received on Mon Apr 26 2010 - 19:31:10 ART
