Full Disclosure mailing list archives

RE: anyone seen this worm/trojan before?


From: "Perrymon, Josh L." <PerrymonJ () bek com>
Date: Thu, 3 Jun 2004 14:45:11 -0500

I read the link below and noticed that this worm must be a variant because
the .exe is not the same and I don't notice any means of network scanning or
propagation.


JP

-----Original Message-----
From: Harlan Carvey [mailto:keydet89 () yahoo com]
Sent: Thursday, June 03, 2004 2:25 PM
To: full-disclosure () netsys com
Cc: Perrymon, Josh L.
Subject: Re: [Full-disclosure] anyone seen this worm/trojan before?


Josh, 

I tried to download the archive, and McAfee alerted me
to "W32/Sdbot.worm.gen.g".

From:
http://www.sophos.com/virusinfo/analyses/w32sdbotcf.html

"W32/SdBot-CF spreads to other computers on the local
network protected by weak passwords."

I found this worm/ trojan on a laptop. Ran FPort and
found the .exe.

I checked out your web site...don't you think that the
information you found via fport would be useful to
others, such as the port, etc?

Doesn't look like it propagates to other machines but rather communicates
with a compromised web company's server using IRC. The compromised server
has removed the IRC service. Only sends RST packets back.

I put it on my site.

http://www.packetfocus.com/analysis.htm

I would like to know the attack vectors. I'm
guessing LSASS.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

