Forums: New Mydoom Virus - Forums

New Mydoom Virus

#31 Xantix

  • Private
  • Group: Members
  • Posts: 17
  • Joined: 24-August 03

Posted 28 July 2004 - 07:32 AM

Yea, but the Symantec one is more interesting as it describes the backdoor in a little more detail:

Quote

When running the backdoor, the backdoor listens on TCP port 1034 for incoming connections. When remote attackers connect, they can:

    * Download and execute files.
    * Get the Trojan's saved list of other infected IP addresses.
    * Stop the backdoor process.


What we need to find out now is the code it needs to get activated or the encrypted hash to crack it.
It doesn't even give a shell, I think; it could look like a multiple choice window.

#32 twistedps

  • Staff Sergeant
  • Group: Members
  • Posts: 271
  • Joined: 20-March 04

Posted 28 July 2004 - 08:27 AM

I'm assuming a certain packet sequence has to be sent. I'm compiling some stuff together on the authentication sequence from what I can see so far... to be updated.

Alright, the string "zincite" I believe is just the filename of the log file used to store the hacked IPs that it's found, still not sure how to retrieve...

Hmm.. upon further investigation I believe that the code I pasted above earlier is actually the process of the hacked IP it's found being pushed to the log file...

Update: I have port 1034 listening on various servers; hopefully an infected machine will try and scan me and give me the information that I need to query the servers :)
I encourage anyone else to do the same... :)

#33 Evilman

  • Private
  • Group: Members
  • Posts: 2
  • Joined: 11-August 03

Posted 31 July 2004 - 04:18 AM

How can I do that? (listening on port 1034?)

What software?

#34 Guest_AsuKa_*

  • Group: Guests

Posted 31 July 2004 - 06:07 PM

That's a good idea twistedps, I now have a couple of machines listening and capturing data on tcp:1034

#35 eXist

  • Private First Class
  • Group: Members
  • Posts: 110
  • Joined: 30-December 03

Posted 31 July 2004 - 11:09 PM

Evilman: the simplest way would be not to run a firewall, or if you have one, to turn off port blocking. Then when a machine tries to connect, using software, capture the packets sent. A packet sniffer would be the type of software to use here.

#36 twistedps

  • Staff Sergeant
  • Group: Members
  • Posts: 271
  • Joined: 20-March 04

Posted 02 August 2004 - 08:37 AM

As an update, I still have yet to receive any packets on 1034; I think the mydoom.m virus is dying down..
http://www.dshield.o...t.php?port=1034
