Security Incidents mailing list archives
Agobot variant - with multi-vulnerability scanner
From: "Lawrence Baldwin" <baldwinL () mynetwatchman com>
Date: Sat, 3 Apr 2004 16:37:22 -0500
Not sure if others have already seen this or not, but here you go: http://www.mynetwatchman.com/tools/sc/Agobot.htm

Found on infected host this morning:

"This variant has one of the more extensive multi-vulnerability scanning engines around: Scans for:
tcp/80 - WebDAV
tcp/135 - MS RPC
tcp/139/445 - MS Networking
tcp/1025 - MS RPC / locator???
tcp/2745 - Beagle worm backdoor
tcp/3127 - MyDoom worm backdoor
tcp/6129 - Dameware"

This is the second case of 'hallowelt.exe' that I have seen in two days where the end user's system was fully patched (Windows update on auto)... I haven't read up on all the variants, but this is rather puzzling as I was under the impression that these only utilized network-based propagation... do we have some new vulnerability or something?

We have also seen another even nastier version using the soundman.exe and soundconf.exe filenames that don't even show up in the process list, though their connection activity DOES... tcpview shows the source as "<non-existent process:###>"... if anyone has any suggestions on that one, I'd appreciate them.

Lawrence Baldwin
Chief Forensics Officer
myNetWatchman.com
Atlanta, GA
+1.678.624.0924
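As an added example (not part of the original post or of myNetWatchman's tooling), a small detector that flags sources whose connection attempts fan out across the port set the post attributes to this variant; the deny-log format and the log lines are constructed for the example.

```python
# Added example, not from the original post: flag sources whose connection
# attempts fan out across the port set the post lists for this Agobot variant.
from collections import defaultdict
import re

# Ports from the post's list (tcp/139 and tcp/445 are both "MS Networking").
AGOBOT_SCAN_PORTS = {80, 135, 139, 445, 1025, 2745, 3127, 6129}

# Constructed sample lines in an assumed "date time DENY TCP src dst dport" format.
SAMPLE_LOG = """\
2004-04-03 16:01:02 DENY TCP 10.0.0.7 192.168.1.10 80
2004-04-03 16:01:02 DENY TCP 10.0.0.7 192.168.1.10 135
2004-04-03 16:01:03 DENY TCP 10.0.0.7 192.168.1.11 445
2004-04-03 16:01:03 DENY TCP 10.0.0.7 192.168.1.12 2745
2004-04-03 16:01:04 DENY TCP 10.0.0.7 192.168.1.13 3127
2004-04-03 16:01:05 DENY TCP 10.0.0.7 192.168.1.14 6129
2004-04-03 16:02:00 DENY TCP 10.0.0.9 192.168.1.10 80
2004-04-03 16:02:01 DENY TCP 10.0.0.9 192.168.1.10 443
"""

LINE_RE = re.compile(r"^\S+ \S+ DENY TCP (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Yield (src, dst, dport) tuples from lines matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def find_scanners(events, min_ports=4, min_hosts=3):
    """Return {src: (ports_hit, hosts_hit)} for sources touching at least
    min_ports of the Agobot set across at least min_hosts distinct targets.
    One host probing a port or two is ordinary traffic; the fan-out across
    both the port set and many targets is what marks the scanning engine."""
    ports = defaultdict(set)
    hosts = defaultdict(set)
    for src, dst, dport in events:
        if dport in AGOBOT_SCAN_PORTS:
            ports[src].add(dport)
            hosts[src].add(dst)
    return {
        src: (sorted(ports[src]), sorted(hosts[src]))
        for src in ports
        if len(ports[src]) >= min_ports and len(hosts[src]) >= min_hosts
    }

if __name__ == "__main__":
    for src, (p, h) in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {len(p)} Agobot ports across {len(h)} hosts -> {p}")
```

The thresholds are deliberately conservative so that a single patched host answering normal SMB or HTTP traffic is not reported; tune them to the network's baseline.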