Full Disclosure mailing list archives
RE: Backdoor.Sdbot.N Question
From: "Bojan Zdrnja" <Bojan.Zdrnja () LSS hr>
Date: Tue, 9 Sep 2003 12:07:53 +1200
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of James Patterson Wicks
Sent: Tuesday, 9 September 2003 8:18 a.m.
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Backdoor.Sdbot.N Question

Anyone know how Backdoor.Sdbot.N spreads? This morning we had several users pop up with this trojan (or a new variant). These users generated a ton of traffic until their machines were unplugged from the network. Their systems have all the markers for the Backdoor.Sdbot.N trojan (registry entries, etc), but it was not picked up by the Norton virus scan. In fact, even if you perform a manual scan after the trojan was discovered, it is still not detected in the scan.
As far as I saw on a couple of systems, usually it's downloaded by a separate worm/tool/whatever. Mimail (which some companies detect as TrojanDropper.JS.Mimail.b), for example, will download and execute a file from a particular website. That file can (of course) be Backdoor.Sdbot. Also, I saw several instances of the Backdoor.Coreflood trojan on some client machines. They got this trojan when users went to Web sites which had a VBScript which in turn is a dropper for the trojan. Those scripts usually use the vulnerability described in MS03-032.
I would also like to know if this is also an indicator of not having the patch for the Blaster worm.
Probably not - I suspect they went to some Web site which had a dropper VBScript on it.

Regards,
Bojan Zdrnja
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html