Fw: Virus, whether the scanners say so or not?

["morning_wood" <se_cur_ity () hotmail com>]

----- Original Message ----- 
From: "morning_wood" <se_cur_ity () hotmail com>
To: "Scott Phelps / Dreamwright Studios" <scottp () dreamwright com>
Sent: Monday, September 01, 2003 8:37 AM
Subject: Re: [Full-disclosure] Virus, whether the scanners say so or not?


> let us find some function and the fun strings in your wupdated.exe sample.
> YOU DONT NEED A AV TO TELL YOU THE FUNCTIONS
> OR THAT IT IS A TROJAN / WORM
>
> and the correct identification is  sdbot5b, this is a trojan worm bot
> compiled from c sources with lcc.
>
> the servers connecting and controled are
> sm0k3.ath.cx - 27.0.0.1
> fewl.ath.cx - 127.0.0.1
>
> irc channels   #keke0394l and  #emohtob ( bothome backwards )
>
>
>  sdbot 0.5b with SYN flood by [sd]
>
> notes:
> --------- snip --------------
> 0000ED7C   0042837C      0   sm0k3.ath.cx
> 0000EDA6   004283A6      0   fewl.ath.cx
>
>
> 0000EFAC   004285AC      0   SYNFlood
> 0000EFE4   004285E4      0   irc_connect
> 00010233   00429833      0   jamesbrown
>
> 00010523   00429B23      0   \IPC$
> 0001052E   00429B2E      0   net use * "%s" "%s" /user:"%s"
> 0001058D   00429B8D      0   [SCANNING] Address: %s Port: 139
> 00010695   00429C95      0   lcc runtime: GP fault.       Stack trace
> ------------- snip -----------
>
> do some detecvtive work , did you even try to load it in notepad?
> the above was obtained via "bintext" by Foundstone viewing the binary.
>
> Donnie Werner
> http://e2-labs.com
> http://exploitlabs.com 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html