Full Disclosure mailing list archives
Fw: Virus, whether the scanners say so or not?
From: "morning_wood" <se_cur_ity () hotmail com>
Date: Mon, 1 Sep 2003 08:37:56 -0700
----- Original Message -----
From: "morning_wood" <se_cur_ity () hotmail com>
To: "Scott Phelps / Dreamwright Studios" <scottp () dreamwright com>
Sent: Monday, September 01, 2003 8:37 AM
Subject: Re: [Full-disclosure] Virus, whether the scanners say so or not?

let us find some function and the fun strings in your wupdated.exe sample.
YOU DON'T NEED AN AV TO TELL YOU THE FUNCTIONS OR THAT IT IS A TROJAN / WORM

and the correct identification is sdbot5b, this is a trojan worm bot compiled from c sources with lcc.

the servers connecting and controlled are
sm0k3.ath.cx - 27.0.0.1
fewl.ath.cx - 127.0.0.1

irc channels #keke0394l and #emohtob ( bothome backwards )

sdbot 0.5b with SYN flood by [sd]

notes:
--------- snip --------------
0000ED7C   0042837C   0   sm0k3.ath.cx
0000EDA6   004283A6   0   fewl.ath.cx
0000EFAC   004285AC   0   SYNFlood
0000EFE4   004285E4   0   irc_connect
00010233   00429833   0   jamesbrown
00010523   00429B23   0   \IPC$
0001052E   00429B2E   0   net use * "%s" "%s" /user:"%s"
0001058D   00429B8D   0   [SCANNING] Address: %s Port: 139
00010695   00429C95   0   lcc runtime: GP fault. Stack trace
------------- snip -----------

do some detective work, did you even try to load it in notepad?
the above was obtained via "bintext" by Foundstone viewing the binary.

Donnie Werner
http://e2-labs.com
http://exploitlabs.com

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
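
The string triage described in the post above, as an added example that is not part of the original message and is not BinText: it extracts printable ASCII runs with their file offsets and tags the ones matching indicator classes seen in the listing. The rule names, patterns and the sample bytes are assumptions constructed for this example.

```python
import re

# Heuristic categories (assumptions for this example), modelled on the kinds
# of strings the post points out in its BinText listing.
RULES = [
    ("dyndns-host", re.compile(r"^[\w.-]+\.ath\.cx$", re.I)),
    ("smb-share", re.compile(r"\\IPC\$|net use ", re.I)),
    ("bot-function", re.compile(r"synflood|irc_connect", re.I)),
    ("scan-message", re.compile(r"\[SCANNING\]|Port: \d+")),
    ("compiler", re.compile(r"lcc runtime", re.I)),
]

def extract_strings(data, min_len=5):
    """Yield (file_offset, text) for each printable-ASCII run >= min_len."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")

def triage(data, min_len=5):
    """Return (offset, text, tags) for every string that hits a rule."""
    hits = []
    for off, text in extract_strings(data, min_len):
        tags = [name for name, rx in RULES if rx.search(text)]
        if tags:
            hits.append((off, text, tags))
    return hits

def build_sample():
    """Constructed stand-in for a binary: strings separated by NUL padding."""
    parts = [b"sm0k3.ath.cx", b"SYNFlood", b"irc_connect", b"\\IPC$",
             b'net use * "%s" "%s" /user:"%s"',
             b"[SCANNING] Address: %s Port: 139",
             b"lcc runtime: GP fault.",
             b"GetProcAddress"]  # benign API name, should not be tagged
    blob = b"MZ\x90\x00"
    for p in parts:
        blob += b"\x00" * 7 + p + b"\x00"
    return blob

if __name__ == "__main__":
    for off, text, tags in triage(build_sample()):
        print(f"{off:08X}  {','.join(tags):<14} {text}")
```

To triage a real file, pass its bytes (`open(path, "rb").read()`) to `triage()`; the offsets are file positions only, not the memory addresses BinText shows in its second column.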