Re: [Full-Disclosure] anyone seen this worm/trojan before?

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 06/03/04

  • Next message: Perrymon, Josh L.: "RE: [Full-Disclosure] anyone seen this worm/trojan before?"
    To: full-disclosure@netsys.com
    Date: Thu, 3 Jun 2004 12:24:36 -0700 (PDT)
    
    

    Josh,

    I tried to download the archive, and McAfee alerted me
    to "W32/Sdbot.worm.gen.g".

    From:
    http://www.sophos.com/virusinfo/analyses/w32sdbotcf.html

    "W32/SdBot-CF spreads to other computers on the local
    network protected by weak passwords."

    > I found this worm/trojan on a laptop. Ran FPort and
    > found the .exe.

    I checked out your web site...don't you think that the
    information you found via fport would be useful to
    others, such as the port, etc?

    > Doesn't look like it propagates to other machines
    > but rather communicates
    > with a compromised
    > web company's server using IRC. The compromised
    > server has removed the IRC
    > service. Only sends RST packets back.
    >
    > I put it on my site.
    >
    > http://www.packetfocus.com/analysis.htm
    >
    > I would like to know the attack vectors. I'm
    > guessing LSASS.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

