Full Disclosure mailing list archives

Re: anyone seen this worm/trojan before?

From: Joshua Levitsky <jlevitsk () joshie com>
Date: Thu, 3 Jun 2004 15:22:31 -0400


On Jun 3, 2004, at 1:54 PM, Perrymon, Josh L. wrote:

I found this worm/ trojan on a laptop. Ran FPort and found the .exe.
Doesn't look like it propagates to other machines but rathercommunicates
with a compromised
web companies server using IRC. The compromised server has removed theIRC
service. Only sends RST packets back.

I put it on my site.

http://www.packetfocus.com/analysis.htm

I would like to know the attack vectors. I'm guessing LSASS.

It's a variant of W32.Spybot.Worm aparently. Symantec AntiVirus Defs asof 6/3/04 Rev 36 (just created) detect it.

ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/symcrapidreleasedefsi32.exe



-Josh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

anyone seen this worm/trojan before? Perrymon, Josh L. (Jun 03)
- Re: anyone seen this worm/trojan before? Harlan Carvey (Jun 03)
- Re: anyone seen this worm/trojan before? Joshua Levitsky (Jun 03)
- Re: anyone seen this worm/trojan before? insecure (Jun 03)
- Re: anyone seen this worm/trojan before? Harlan Carvey (Jun 03)
  - RE: anyone seen this worm/trojan before? Jim Becher (Jun 04)
- Re: anyone seen this worm/trojan before? Axel Pettinger (Jun 03)
- <Possible follow-ups>
- RE: anyone seen this worm/trojan before? Perrymon, Josh L. (Jun 03)
- RE: anyone seen this worm/trojan before? Perrymon, Josh L. (Jun 03)
- RE: anyone seen this worm/trojan before? Perrymon, Josh L. (Jun 03)