Full Disclosure mailing list archives

xabot or sdbot or spybot...


From: "RandallM" <randallm () fidmail com>
Date: Fri, 4 Jun 2004 18:30:23 -0500

Date: Fri, 04 Jun 2004 00:08:23 +0200
From: Axel Pettinger <api () epost de>
Organization: API
To: "Perrymon, Josh L." <PerrymonJ () bek com>, full-disclosure () netsys com
Subject: Re: [Full-disclosure] anyone seen this worm/trojan before?

"Perrymon, Josh L." wrote:

I found this worm/trojan on a laptop. Ran FPort and found the .exe.
Doesn't look like it propagates to other machines but rather communicates
with a compromised web company's server using IRC. The compromised server
has removed the IRC service. Only sends RST packets back.

<snip>
I would like to know the attack vectors. I'm guessing LSASS.

AntiVirus scanners identify our trojan as:

BitDefender : Backdoor.SDBot.Gen
Kaspersky   : Backdoor.Rbot.gen
McAfee      : W32/Sdbot.worm.gen.g 
Symantec    : W32.Spybot.Worm 
Trend Micro : WORM_SPYBOT.AP

From a quick look at the file I'd say the following is the best 
description of that trojan. There're several attack vectors ...

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.AP&VSect=T

Regards,
Axel Pettinger



I'd like to throw something in here. While scanning with Spybot 1.3 it came
to a halt with an error. The error was an "Xabot" error. After many attempts
to figure this out I searched Xabot. This led to Symantec's site
http://securityresponse.symantec.com/avcenter/venc/data/w32.xabot.worm.html
and http://www.sophos.com/virusinfo/analyses/w32sdbotna.html where it is
associated with Sdbot.

Well, for sure I am having a hell of a time finding it as all conventional
means have failed. 3 online scans. 3 scans in safe mode. HijackThis,
Swat-it, Bazooka and still Spybot is halted with the error. I uninstalled
Spybot three times. It seems I have a remnant somewhere.

thank you
Randall M
 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

