Full Disclosure mailing list archives
Re: Spybot and SQL
From: "Geza Papp dr (Axelero)" <papp_geza1 () axelero hu>
Date: Fri, 11 Feb 2005 16:49:04 +0100
Hello mjcarter,

On 11 February 2005, 4:33:26, you wrote:

micn> Hi All,
micn> Has anyone seen a spybot variant using the target machine's
micn> IP address as the password for user SA?
micn> We don't have a name for this variant yet. I might be
micn> reading my captures wrong but that's what this looks like
micn> it's doing.

This is a new SQL Spybot, but this one did not drop payloads named winlog.exe and soundblaster.exe; it dropped wm1exe.exe.

W32/Rbot-VT is a network worm with backdoor functionality for the Windows platform.

The worm copies itself to a file named wm1exe.exe in the Windows system folder and creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
WINDOWS MANAGEMENT SYSTEM
wm1exe.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
WINDOWS MANAGEMENT SYSTEM
wm1exe.exe

W32/Rbot-VT spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

W32/Rbot-VT can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-VT can be instructed by a remote user to perform the following functions:

- start an FTP server
- start a Proxy server
- start a web server
- take part in distributed denial of service (DDoS) attacks
- log keypresses
- capture screen/webcam images
- packet sniffing
- port scanning
- download/execute arbitrary files
- start a remote shell (RLOGIN)
- steal product registration information from certain software

Patches for the operating system vulnerabilities exploited by W32/Rbot-VT can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx

from Sophos Plc., 10 February 2005 22:24:31 (GMT)

--
Regards,
Geza
mailto:papp_geza1 () axelero hu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
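An added defensive check, not part of this post or of the Sophos description: it parses a Windows registry export (.reg text) and flags Run/RunServices entries that match the two indicators quoted above (the value name "WINDOWS MANAGEMENT SYSTEM" and the file name wm1exe.exe). The sample export and the key spellings are constructed for the example.

```python
import re

# Indicators quoted in the Sophos description above.
RBOT_VALUE_NAME = "WINDOWS MANAGEMENT SYSTEM"
RBOT_FILE_NAME = "wm1exe.exe"
# Autorun keys the worm writes (.reg exports spell out HKEY_LOCAL_MACHINE).
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')

def parse_reg_export(text):
    """Parse string values of a .reg export into {key: {value name: data}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
            continue
        val = _VALUE_RE.match(line)
        if val and current is not None:
            # .reg escapes backslashes and double quotes inside string data.
            data = val.group("data").replace("\\\\", "\\").replace('\\"', '"')
            entries[current][val.group("name")] = data
    return entries

def find_rbot_autoruns(text):
    """Return (key, value name, data) for autorun entries matching Rbot-VT."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in AUTORUN_KEYS:
            continue
        for name, data in values.items():
            if name.upper() == RBOT_VALUE_NAME or data.lower().endswith(RBOT_FILE_NAME):
                hits.append((key, name, data))
    return hits

# Constructed sample export: one benign entry and two matching Rbot-VT.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS MANAGEMENT SYSTEM"="wm1exe.exe"
"VMware Tools"="\"C:\\Program Files\\VMware\\VMwareTray.exe\""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS MANAGEMENT SYSTEM"="C:\\WINDOWS\\system32\\wm1exe.exe"
'''
```

Run it against `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run` output from a suspect host; any hit is worth a closer look, though a clean result only rules out this one variant's persistence names.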
Current thread:
- Spybot and SQL mjcarter (Feb 10)
- Re: Spybot and SQL Geza Papp dr (Axelero) (Feb 11)
- <Possible follow-ups>
- Re: Spybot and SQL Matthew Farrenkopf (Feb 10)
- Re: [SPAM] Re: Spybot and SQL Jacek Barcikowski (Feb 11)
- Re[2]: Spybot and SQL Geza Papp dr (Axelero) (Feb 11)
- New wired from Panda alets - MyDoom-AK Geza Papp dr (Axelero) (Feb 11)