Full Disclosure mailing list archives
RE: anyone seen this worm/trojan before?
From: "Perrymon, Josh L." <PerrymonJ () bek com>
Date: Thu, 3 Jun 2004 14:40:45 -0500
I was guessing about LSASS because that was the only patch not on the box that was infected. The user also had a pass with a couple #'s in it so I didn't think it would be found in a password list. After watching it for a while I *never* saw it try to propagate to another machine. That's what was weird. So how would he get it the first time? I had to infect him some way... But there were no other traces of it on the network... If I have some time I'll post the FPort data and some clean packet captures.

JP

-----Original Message-----
From: insecure [mailto:insecure () ameritech net]
Sent: Thursday, June 03, 2004 2:27 PM
To: Perrymon, Josh L.
Cc: full-disclosure () netsys com
Subject: Re: [Full-disclosure] anyone seen this worm/trojan before?

Perrymon, Josh L. wrote:
> I found this worm/trojan on a laptop. Ran FPort and found the .exe. Doesn't look like it propagates to other machines but rather communicates with a compromised web company's server using IRC. The compromised server has removed the IRC service. Only sends RST packets back.
>
> I put it on my site. http://www.packetfocus.com/analysis.htm
>
> I would like to know the attack vectors. I'm guessing LSASS.
>
> Joshua Perrymon
> PGP Fingerprint 51B8 01AC E58B 9BFE D57D 8EF6 C0B2 DECF EC20 6021

McAfee VirusScan 7.1 with 4364 DAT detects it as W32/Sdbot.worm.gen.g. Other than that, they have no information besides that they first noticed it on 5/26/2004. It may spread through lsass, but this type of worm is usually limited to spreading through network shares with weak password protection.

Jerry

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
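The thread turns on what FPort showed: an unknown .exe owning a port, an IRC-talking bot, and a detection name in the Sdbot family. As an added example (not from the poster or any tool mentioned in the thread), the script below parses FPort-style output and flags the entries a responder would look at first: ports in the classic IRC range, an ident (113) listener of the kind sdbot variants run, binaries in user-writable directories, and system-process names running from outside system32. The sample output, process name `wuamgrd` and paths are constructed for the demo.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the column layout FPort prints; not the poster's real data.
SAMPLE_FPORT = """\
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
1204  wuamgrd        ->  113   TCP   C:\\WINNT\\system32\\wuamgrd.exe
1204  wuamgrd        ->  6667  TCP   C:\\WINNT\\system32\\wuamgrd.exe
1520  svchost        ->  1025  TCP   C:\\Documents and Settings\\u\\Local Settings\\Temp\\svchost.exe
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")
IRC_PORTS = range(6660, 6670)   # classic IRC range used by IRC-controlled bots
IDENT_PORT = 113                # sdbot-family bots commonly run an ident listener
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\recycler\\")
SYSTEM_NAMES = {"svchost", "lsass", "services", "winlogon"}

@dataclass
class Finding:
    pid: int
    process: str
    port: int
    proto: str
    path: str
    reasons: list = field(default_factory=list)

def triage_fport(text: str) -> list:
    """Return one Finding per FPort line that trips at least one heuristic."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # banner and header lines
        pid, proc, port, proto, path = m.groups()
        pid, port, low = int(pid), int(port), path.lower()
        reasons = []
        if port in IRC_PORTS:
            reasons.append("irc-port")
        if port == IDENT_PORT:
            reasons.append("ident-listener")
        if any(d in low for d in USER_WRITABLE):
            reasons.append("user-writable-path")
        # A system-process name running from outside system32 is a classic masquerade.
        if proc.lower() in SYSTEM_NAMES and path and "\\system32\\" not in low:
            reasons.append("system-name-outside-system32")
        if reasons:
            findings.append(Finding(pid, proc, port, proto, path, reasons))
    return findings

if __name__ == "__main__":
    for f in triage_fport(SAMPLE_FPORT):
        print(f.pid, f.process, f.port, f.path, ",".join(f.reasons))
```

Entries with an empty path (kernel-owned ports such as the System process) parse cleanly and are simply never flagged by the path heuristics.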