Full Disclosure mailing list archives

Re: Backdoor.Sdbot.N Question

From: cseagle <cseagle () redshift com>
Date: Mon, 08 Sep 2003 23:57:24 -0700

It sounds like the agobot3 ircbot/backdoor that appeared a few weeks agoon a couple of college campuses. The version I have seen installsitself as svchosl.exe and winhl32.exe. The only online writeup I canfind is here and matches what I have in the lab:


http://www.trendmicro.com.cn/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.P&VSect=T

Chris

James Patterson Wicks wrote:

Update:  Looked at the firewall and saw that some systems were trying to contact outside systems on ports 135 and 445.  It looks 
and acts like "W32.HLLW.Gaobot.AA", but it would have to be some sort of variant due to the change in the file names.  
Whatdoyathink?

-----Original Message-----

From: James Patterson WicksSent: Monday, September 08, 2003 4:18 PM

To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Backdoor.Sdbot.N Question

Anyone know how Backdoor.Sdbot.N spreads?  This morning we had several users pop up with this trojan (or a new 
variant).  These users generated a ton of traffic until their machines were unplugged from the network.  There systems 
have all the markers for the Backdoor.Sdbot.N trojan (registry entries, etc), but was not picked up by the Norton virus 
scan.  In fact, even it you perform a manual scan after the trojan was discovered, it is still not detected in the scan.

I would also like to know if this is also an indicator of not having the patch for the Blaster worm.

This e-mail is the property of Oxygen Media, LLC.  It is intended only for the person or entity to which it is 
addressed and may contain information that is privileged, confidential, or otherwise protected from disclosure. 
Distribution or copying of this e-mail or the information contained herein by anyone other than the intended recipient 
is prohibited. If you have received this e-mail in error, please immediately notify us by sending an e-mail to 
postmaster () oxygen com and destroy all electronic and paper copies of this e-mail.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Backdoor.Sdbot.N Question James Patterson Wicks (Sep 08)
- RE: Backdoor.Sdbot.N Question Bojan Zdrnja (Sep 08)
- Re: Backdoor.Sdbot.N Question Nick FitzGerald (Sep 08)
- <Possible follow-ups>
- RE: Backdoor.Sdbot.N Question James Patterson Wicks (Sep 08)
  - RE: Backdoor.Sdbot.N Question Jade E. Deane (Sep 08)
  - Re: Backdoor.Sdbot.N Question cseagle (Sep 09)
- RE: Backdoor.Sdbot.N Question Nick Jacobsen (Sep 08)
- RE: Backdoor.Sdbot.N Question James Patterson Wicks (Sep 09)