new trojan - scanning for open shares ...

[Philippe Bourcier <philippe () CYBERABUSE ORG>]

Hi

We've seen on different IRC networks some strange botnets ("dmanz botnet
:>") all coming from a new trojan.

This trojan is really mysterious, since the only thing found is it's using
networks.vbs to scan for open shares, and save the list of IPs found.
Then I think the coder of the trojan (adman, who is using his static IP on
IRC) take those lists (with a special command given to the bots), but why he
does that is still mysterious (perhaps it has something to do with the
"Share Level Password" Vulnerability recently discovered).
The entire package couldn't be analysed, so we still don't know if there is
a DoS tool with it or not.
You can see a big list of trojaned machines at
www.documents.cyberabuse.org/?doc=11

Philippe Bourcier
-------------------------------------
www.documents.cyberabuse.org