Full Disclosure mailing list archives
Re: anyone seen this worm/trojan before?
From: Joshua Levitsky <jlevitsk () joshie com>
Date: Thu, 3 Jun 2004 15:22:31 -0400
On Jun 3, 2004, at 1:54 PM, Perrymon, Josh L. wrote:
I found this worm/trojan on a laptop. Ran FPort and found the .exe. Doesn't look like it propagates to other machines but rather communicates with a compromised web companies server using IRC. The compromised server has removed the IRC service. Only sends RST packets back. I put it on my site. http://www.packetfocus.com/analysis.htm I would like to know the attack vectors. I'm guessing LSASS.
It's a variant of W32.Spybot.Worm apparently. Symantec AntiVirus Defs as of 6/3/04 Rev 36 (just created) detect it.
ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/symcrapidreleasedefsi32.exe
-Josh
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html