Discussion:
(no subject)
andy mueller
2005-06-03 13:16:44 UTC
Hi people, I have had "wintcpmod" as well, so I submitted it to Norton
Antivirus and they came back to me with this:

We have analyzed your submission. The following is a report of our
findings for each file you have submitted:

filename: C:\WINDOWS\system32\wintcpmod.exe
machine: ALIEN
result: This file is infected with Backdoor.Trojan

Developer notes:
C:\WINDOWS\system32\wintcpmod.exe is a non-repairable threat. NAV with
the latest RapidRelease definition detects this. Please delete this
file and replace it if necessary. Please follow the instructions at the
end of this email message to install the latest RapidRelease
definitions.



Symantec Security Response has determined that the sample(s) that you
provided are infected with a virus, worm, or Trojan. We have created
RapidRelease definitions that will detect this threat. Please follow the
instruction at the end of this email message to download and install
the latest RapidRelease definitions.
Downloading and Installing RapidRelease Definition Instructions:
1. Open your Web browser. If you are using a dial-up connection, connect
to any Web site, such as: http://securityresponse.symantec.com/
2. Click this link to the ftp site:
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/symrapidreleasedefsi32.exe.
If it does not go to the site (this could take a minute or so if you
have a slow connection), copy and paste the address into the address bar
of your Web browser and then press Enter.
3. When a download dialog box appears, save the file to the Windows
desktop.
4. Double-click the downloaded file and follow the prompts.
----------------------------------------------------------------------
This message was generated by Symantec Security Response automation

Should you have any questions about your submission, please contact
our regional technical support from the Symantec website
(http://www.symantec.com/techsupp/)
and give them the tracking number in the subject of this message.

_________________________________________________________________
Winks & nudges are here - download MSN Messenger 7.0 today!
http://messenger.msn.co.uk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Todd Towles
2005-06-03 14:41:35 UTC
This could be another bot running on the same filename, but here is
something I found on Google:

Norton Antivirus 2004 (vir def May 2005) reports wintcpmod.exe is infected
with W32.DSS.Trojan. The file was deleted and WinXP SP2 works without
problems.

http://www.what-process.com/process-info.aspx?p=wintcpmod.exe.exe
-----Original Message-----
From: full-disclosure-***@lists.grok.org.uk On Behalf Of andy mueller
Sent: Friday, June 03, 2005 8:17 AM
Subject: [Full-disclosure] (no subject)
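Todd's point that the same filename can carry a different bot is the reason to record a sample's hashes before deleting it: two reports naming wintcpmod.exe may describe different files, and only the digests tell you which one you have. The following Python script is an added example, not code from this thread, from Symantec or from what-process.com; the known-bad index and the sample bytes in it are constructed placeholders, since the thread gives no hashes.

```python
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Optional

# Constructed placeholder index of sha256 -> detection name. A real one would be
# filled from vendor reports or a threat-intel feed; the thread lists no hashes.
KNOWN_BAD: Dict[str, str] = {
    "0" * 64: "Placeholder.Backdoor.Trojan",
}


@dataclass(frozen=True)
class Fingerprint:
    size: int
    md5: str
    sha1: str
    sha256: str


def fingerprint(data: bytes) -> Fingerprint:
    """Hash a sample held in memory with the three digests vendors commonly list."""
    return Fingerprint(
        size=len(data),
        md5=hashlib.md5(data).hexdigest(),
        sha1=hashlib.sha1(data).hexdigest(),
        sha256=hashlib.sha256(data).hexdigest(),
    )


def fingerprint_file(path: Path, chunk_size: int = 1 << 20) -> Fingerprint:
    """Hash a file on disk in chunks so large samples need not fit in memory."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    size = 0
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return Fingerprint(size, md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest())


def classify(fp: Fingerprint, index: Dict[str, str] = KNOWN_BAD) -> Optional[str]:
    """Return the detection name for a known sample, or None if the hash is unseen."""
    return index.get(fp.sha256)


def same_sample(a: Fingerprint, b: Fingerprint) -> bool:
    """Two files are the same sample only if their digests agree; the filename is irrelevant."""
    return a.sha256 == b.sha256 and a.size == b.size


def triage_record(path: str, machine: str, fp: Fingerprint,
                  index: Dict[str, str] = KNOWN_BAD) -> Dict[str, str]:
    """Build the record worth keeping before the file is deleted.

    The filename/machine/result fields mirror those in the vendor report quoted
    in the thread; the digests are what make the record comparable later.
    """
    verdict = classify(fp, index)
    return {
        "filename": path,
        "machine": machine,
        "size": str(fp.size),
        "md5": fp.md5,
        "sha1": fp.sha1,
        "sha256": fp.sha256,
        "result": verdict if verdict else "unknown hash; submit to vendor before deleting",
    }


if __name__ == "__main__":
    # Constructed stand-ins for two files that share a name but differ in content.
    copy_a = b"constructed sample A: not a real binary"
    copy_b = b"constructed sample B: not a real binary"
    fa, fb = fingerprint(copy_a), fingerprint(copy_b)
    print("same sample despite same filename?", same_sample(fa, fb))
    for key, value in triage_record(r"C:\WINDOWS\system32\wintcpmod.exe", "ALIEN", fa).items():
        print(f"{key}: {value}")
```

For a file on disk, call `fingerprint_file(Path(r"C:\WINDOWS\system32\wintcpmod.exe"))` and pass the result to `triage_record`; keeping the digests lets you tell whether the Backdoor.Trojan and W32.DSS.Trojan reports refer to the same binary, and gives the vendor something to match against when you submit.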
Andrew R. Reiter
2005-06-03 16:57:02 UTC
Have you pushed it through Norman Sandbox?

On Fri, 3 Jun 2005, Todd Towles wrote:

--
Andrew R. Reiter
***@watson.org