Educause Security Discussion mailing list archives

Re: New Virus/Trojan/...?


From: Justin Azoff <JAzoff () UAMAIL ALBANY EDU>
Date: Thu, 7 Oct 2004 09:22:33 -0400

On Thu, 2004-10-07 at 09:05, Jason Brooks wrote:
Wayne,
        Was the tftp server running from the Quicktimee.exe process or
another one?

Thanks,
Jason

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wayne J. Hauber
Sent: Wednesday, October 06, 2004 11:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New Virus/Trojan/...?

At 09:13 AM 10/6/2004, Jason Brooks wrote:
We submitted the executable Quicktimee.exe that was doing the port 445 scans
to McAfee yesterday morning.  They responded yesterday afternoon classifying
it as W32/SDBot.worm.  They also issued us an EXTRA.DAT which will be cycled
into production DATs soon.

Thanks for the suggestions,
Jason Brooks

I submitted a copy as well. The system I examined also had an ftp server on
port 31907 "220 StnyFtpd 0wns j0", running tfpd

It's not tftp, it's just ftp. If you manage to download the file and scan
it, you will find that it is indeed sdbot or similar.

--
-- Justin Azoff
-- Network Performance Analyst
