Full Disclosure mailing list archives
xabot or sdbot or spybot...
From: "RandallM" <randallm () fidmail com>
Date: Fri, 4 Jun 2004 18:30:23 -0500
Message: 21
Date: Fri, 04 Jun 2004 00:08:23 +0200
From: Axel Pettinger <api () epost de>
Organization: API
To: "Perrymon, Josh L." <PerrymonJ () bek com>, full-disclosure () netsys com
Subject: Re: [Full-disclosure] anyone seen this worm/trojan before?
"Perrymon, Josh L." wrote:
I found this worm/trojan on a laptop. Ran FPort and found the .exe. Doesn't look like it propagates to other machines but rather communicates with a compromised web company's server using IRC. The compromised server has removed the IRC service. Only sends RST packets back.
<snip>
I would like to know the attack vectors. I'm guessing LSASS.
AntiVirus scanners identify our trojan as:
BitDefender : Backdoor.SDBot.Gen
Kaspersky : Backdoor.Rbot.gen
McAfee : W32/Sdbot.worm.gen.g
Symantec : W32.Spybot.Worm
Trend Micro : WORM_SPYBOT.AP
From a quick look at the file I'd say the following is the best description of that trojan. There are several attack vectors ...
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.AP&VSect=T
Regards, Axel Pettinger
I'd like to throw something in here. While scanning with Spybot 1.3 it came to a halt with an error. The error was an "Xabot" error. After many attempts to figure this out I searched for Xabot. This led to Symantec's site http://securityresponse.symantec.com/avcenter/venc/data/w32.xabot.worm.html and http://www.sophos.com/virusinfo/analyses/w32sdbotna.html where it is associated with Sdbot.

Well, for sure I am having a hell of a time finding it, as all conventional means have failed. 3 online scans. 3 scans in safe mode. HijackThis, Swat-it, Bazooka, and still Spybot is halted with the error. I uninstalled Spybot three times. It seems I have a remnant somewhere.

thank you
Randall M

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
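The two observables this thread gives a defender are the FPort step (which process owns which port) and the IRC command channel. As an added example that is not part of the original post or of any tool named in it, the following Python script parses `netstat -ano` and `tasklist` style output (the sample lines embedded below are constructed; the PIDs, addresses and the image name `suspect.exe` are made up for the example) to join connections to process names, flag any process talking to an IRC port, and list what that process is listening on. On a live host, feed it the real command output; since the thread notes the server now answers with RST, a bot's connection attempts will appear only as short-lived SYN_SENT entries, so take several snapshots rather than one.

```python
"""Map network connections to the owning process and flag likely IRC
command traffic, in the spirit of the FPort check described in the thread.

Added example; not from the original post. The input below is CONSTRUCTED
netstat -ano / tasklist style output; on a real host, feed the actual
command output to the same parsers."""
import re
from collections import namedtuple

# Constructed sample of `netstat -ano` output (Windows). Host, PIDs and
# remote addresses are made up for the example.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.0.2.10:1058        198.51.100.7:6667      SYN_SENT        1724
  TCP    192.0.2.10:1059        203.0.113.20:80        ESTABLISHED     1500
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1724
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample of `tasklist` output; `suspect.exe` is a placeholder name.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    812 Console                    0      4,120 K
suspect.exe                   1724 Console                    0      2,980 K
iexplore.exe                  1500 Console                    0     18,004 K
System                           4 Console                    0        216 K
"""

# Ports commonly used by IRC servers; SDBot/Spybot variants used IRC for control.
IRC_PORTS = set(range(6660, 6670)) | {7000}

Conn = namedtuple("Conn", "proto laddr lport faddr fport state pid")


def parse_netstat(text):
    """Parse netstat -ano lines into Conn tuples (UDP lines carry no state)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or unexpected line
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]
        laddr, lport = local.rsplit(":", 1)
        faddr, fport = foreign.rsplit(":", 1)
        conns.append(Conn(proto, laddr, int(lport), faddr,
                          int(fport) if fport.isdigit() else 0, state, int(pid)))
    return conns


def parse_tasklist(text):
    """Return {pid: image name} from tasklist output."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+(?: \S+)*)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line.strip())
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids


def flag_irc_connections(netstat_text, tasklist_text):
    """Join connections with process names; return (pid, image, remote, state)
    for every non-listening TCP socket whose remote port is an IRC port."""
    pids = parse_tasklist(tasklist_text)
    hits = []
    for c in parse_netstat(netstat_text):
        if c.proto == "TCP" and c.fport in IRC_PORTS and c.state != "LISTENING":
            hits.append((c.pid, pids.get(c.pid, "<unknown>"),
                         f"{c.faddr}:{c.fport}", c.state))
    return hits


def listeners_for_pid(netstat_text, pid):
    """Ports a given PID listens on (bots often open an ident or backdoor port)."""
    return sorted(c.lport for c in parse_netstat(netstat_text)
                  if c.pid == pid and c.state == "LISTENING")


if __name__ == "__main__":
    for pid, image, remote, state in flag_irc_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {pid} ({image}) -> {remote} [{state}]; also listening on "
              f"{listeners_for_pid(NETSTAT_SAMPLE, pid)}")
```

The port heuristic is deliberately narrow: a bot configured for a non-standard port will not trip it, so the PID-to-image join and the listener list are the parts worth keeping even when the port check is silent.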