Security Incidents mailing list archives
RE: Agobot variant - with multi-vulnerability scanner
From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Mon, 5 Apr 2004 11:57:44 -0400
Lawrence Baldwin wrote:
This is the second case of 'hallowelt.exe' that I have seen in two days where the end user's system was fully patched (Windows update on auto)...I haven't read up on all the variants but this is rather puzzling as I was under the impression that these only utilized network-based propagation....do we have some new vulnerability or something?
Many Agobot variants also use automated password-guessing for guessed and enumerated accounts. This often gets Agobot onto fully patched systems that have NetBIOS and RPC ports exposed. That's part of why it is so nasty once it gets onto a LAN. Web vectors, trojan downloaders, and secondary infection on MyDoom and Bagle victim computers also can get it onto a fully patched system. So there is no patch against Agobot. It takes defense in depth to keep it out.